Public Desktop icons and Adminless: The far side of Intune


This short blog is about why users do not need admin permissions to delete the icons on the Public Desktop.

There are not a lot of reasons why your Azure AD users need to be local admins on their devices. You can do a lot even without admin permissions. To name a few:

- Restarting services can be done without local admin permissions

The non admin user: The battle of restarting services – Call4Cloud

- Installing applications

The PowerShell Win32 App Express – Call4Cloud

- Installing printer software

Company App: Unchained – Call4Cloud

- Installing printer drivers

Birds of Printer drivers – Call4Cloud

Are there any other reasons you can think of why your users would need admin permissions?

When software is deployed to your endpoints, there is a good chance the installer creates a shortcut in the C:\Users\Public\Desktop folder. That folder is shared by every account on the device, and because the installer runs as SYSTEM or as an administrator, a standard user only gets read and execute access to the shortcuts in it. Some users are very fond of a clean desktop and only want to see their own shortcuts, but the end user has no permission to delete the shared icons: when they try, Explorer shows a UAC prompt, and without admin credentials the delete fails.

There are many methods to remove these icons in the background, but why not give users the right to do it themselves? To assign the permissions we are going to create a very simple PowerShell script. It grants Everyone Full Control of the folder, which is the simplest grant that works; keep in mind that Full Control is more than deleting a shortcut actually requires.

# Read the current DACL of the Public Desktop folder
$acl = Get-Acl "C:\Users\Public\Desktop"
# Build an Allow ACE for the Everyone group: Full Control, inherited by subfolders (ContainerInherit) and files (ObjectInherit)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ("everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
# SetAccessRule replaces any existing Allow ACE for the same identity with this one
$acl.SetAccessRule($rule)
# Write the modified DACL back to the folder
Set-Acl "C:\Users\Public\Desktop" $acl

PLEASE NOTE. "Everyone" is the English display name of a well-known group. On a Windows installation in another language you will need the localized name (on Dutch Windows it is "Iedereen"), otherwise SetAccessRule fails with an IdentityNotMappedException. The language-independent alternative is the well-known SID of the group, S-1-1-0, which is identical on every Windows language version.

When this PowerShell script is deployed to your devices through Intune it runs in the SYSTEM context, so it has the rights to change the ACL. Afterwards your users can delete the icons they don't want, and they will stop complaining at your desk.
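The following is an added example and not the script from this post. It does the same job with a narrower grant: instead of Full Control for Everyone it gives the built-in Users group only the "Delete subfolders and files" right on the folder itself, and it identifies both groups by their well-known SIDs so the language of the Windows installation does not matter. The function names, the removal of a previously added Everyone Full Control ACE, and the check function are my own choices; the script assumes it runs as SYSTEM (which Intune does by default) or from an elevated prompt.

```powershell
# Added example (not the blog's own script): least-privilege variant of the
# Public Desktop permission change, using well-known SIDs instead of localized
# group names. Assumes it runs as SYSTEM (Intune default) or elevated.

$PublicDesktop = 'C:\Users\Public\Desktop'

# Well-known SIDs are the same on every language version of Windows, so the
# IdentityNotMappedException caused by a localized name cannot occur.
$UsersSid    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$EveryoneSid = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'       # Everyone
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$DeleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Set-PublicDesktopDeleteRight {
    param([string]$Path = $PublicDesktop)

    $acl = Get-Acl -Path $Path

    # Drop an explicit "Everyone: Full Control" ACE if the simpler script from
    # the post was applied earlier. GetAccessRules with the SecurityIdentifier
    # type returns identities as SIDs, so the comparison is language neutral.
    # ($true, $false) = explicit ACEs only, no inherited ones.
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -eq $EveryoneSid.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $FullControl) -eq $FullControl) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD) on the folder lets a user
    # delete files inside it even though the files themselves only grant read
    # and execute. No inheritance flags: the ACE applies to the folder only, so
    # users still cannot create, rename or overwrite shortcuts in it.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $UsersSid,
        $DeleteChild,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    [void]$acl.AddAccessRule($rule)

    Set-Acl -Path $Path -AclObject $acl
}

function Test-PublicDesktopAcl {
    # Returns $true when Users hold the delete-child right on the folder and
    # Everyone holds no explicit Full Control on it. Run it by hand after
    # deployment, or use it as the detection half of a detect/remediate pair.
    param([string]$Path = $PublicDesktop)

    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

    $usersCanDelete = $rules | Where-Object {
        $_.IdentityReference.Value -eq $UsersSid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $DeleteChild) -eq $DeleteChild
    }
    $everyoneFull = $rules | Where-Object {
        $_.IdentityReference.Value -eq $EveryoneSid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $FullControl) -eq $FullControl
    }
    return ([bool]$usersCanDelete -and -not [bool]$everyoneFull)
}

Set-PublicDesktopDeleteRight
if (Test-PublicDesktopAcl) {
    Write-Output 'Public Desktop ACL applied'
    exit 0
} else {
    Write-Output 'Public Desktop ACL not as expected'
    exit 1
}
```

After deployment, check the result with `icacls C:\Users\Public\Desktop` (the new ACE shows up as `BUILTIN\Users:(DC)`) and then log on as a standard user and delete a shortcut from Explorer: it should go to the Recycle Bin without a UAC prompt. If you later decide users should also be able to add their own shortcuts to the shared desktop, that needs the Modify right, and then the shortcut-replacement caveat from the conclusion applies.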

Conclusion:

I have said it many times before: there are very few reasons why your users need admin permissions on their devices. With this script, another reason can be crossed off the list. Of course, you can also use this script to change permissions on other folders. But beware! Everything you make writable for Everyone is also a place where a standard user can drop or swap files. The shortcuts on the Public Desktop are launched by every account on the device, so on a shared device a user with Full Control could repoint a shortcut at something else and wait for another user, or an admin, to click it; if that matters in your environment, grant only the delete right instead of Full Control. And never change permissions on the folders you allow AppLocker to run applications from: the default AppLocker rules let Everyone run from the Windows and Program Files folders precisely because standard users cannot write there, and a user-writable location under an allowed path is exactly the gap those rules are designed not to have.

2 thoughts on "Public Desktop icons and Adminless: The far side of Intune"

  1. I get the following error when trying to test this script. I am launching PowerShell ISE as admin and running the script.

    Error:Exception calling “SetAccessRule” with “1” argument(s): “Some or all identity references could not be
    translated.”
    At line:3 char:1
    + $acl.SetAccessRule($rule)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

    1. I just noticed I copy-pasted the Dutch translation of Everyone 🙂
      So you need to change "iedereen" to "everyone". I also changed the blog.
