Last Updated on February 11, 2023 by rudyooms
This short blog is about why users don’t need admin permissions to delete public desktop icons.
I will divide this blog into multiple parts.
1. Introduction
There are not many reasons why your Azure AD users need to be local admins on their devices. You can do a lot even without admin permissions. To name a few:
– Restarting services can be done without local admin permissions
The non admin user: The battle of restarting services – Call4Cloud
– Installing applications
The PowerShell Win32 App Express – Call4Cloud
– Installing printer software
Company App: Unchained – Call4Cloud
– Installing printer drivers
Birds of Printer drivers – Call4Cloud
Can you think of any other reasons why your users would need admin permissions?
2. The Issue
When software is deployed to your endpoints, there is a possibility that a shortcut will be created in the public desktop folder: c:\users\public\desktop
Somehow there are a few users who are very fond of a clean desktop and only want the shortcuts they created themselves. The end user has no permission to delete the icon because they aren’t a local admin! When they try to delete an icon, a UAC prompt is shown, and without the proper permissions they cannot delete it.

There are many methods to remove these icons in the background, but why not give users, full control of this folder?
3. Fixing the permissions!
To assign the proper permissions, we are going to create a very simple PowerShell script and deploy it to your devices.

# Folder that setup programs drop "all users" shortcuts into
$path = "C:\Users\Public\Desktop"
# Read the current DACL of the folder
$acl = Get-Acl $path
# S-1-5-11 is the well-known SID for Authenticated Users; using the SID instead of a
# group name keeps the script working on non-English Windows installations
$user = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
# Allow Modify (read, write, delete) and let the ACE inherit to subfolders and files
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($user,"Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
# SetAccessRule replaces any existing ACE for this identity with the new one
$acl.SetAccessRule($rule)
# Write the modified DACL back to the folder
Set-Acl $path $acl
Please note: the SID “S-1-5-11” is the well-known SID for Authenticated Users. You can replace “S-1-5-11” with the SID of whichever group fits your situation!
Once this PowerShell script has been deployed to your devices, your users will be able to delete the icons they don’t want and will stop complaining at your desk.
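Because the script above is deployed fleet-wide, it helps to have a version that first checks whether the ACE is already present and only changes the DACL when it is missing, so it can be re-run safely or split into a detection and a remediation step. The following is an added example and not the blog’s own script; the function names Test-PublicDesktopAcl and Set-PublicDesktopAcl are my own, and it assumes the script runs with enough rights to change the folder’s DACL (for example in the SYSTEM context):

```powershell
# Added example: idempotent check-and-fix for "Authenticated Users: Modify" on the Public Desktop.
# Run in a context that is allowed to change the folder's DACL (e.g. SYSTEM via Intune).

$Path = 'C:\Users\Public\Desktop'
# S-1-5-11 = Authenticated Users; a SID works regardless of the OS language
$Sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$WantedRights  = [System.Security.AccessControl.FileSystemRights]::Modify
$WantedInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'

function Test-PublicDesktopAcl {
    # Returns $true when an Allow ACE for Authenticated Users already grants at least
    # Modify and inherits to both subfolders and files; otherwise $false.
    param([string]$FolderPath = $Path)

    $acl = Get-Acl -Path $FolderPath
    # Include explicit and inherited entries, with identities resolved as SIDs
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($r in $rules) {
        $isAllow      = ($r.AccessControlType -eq 'Allow')
        $isSid        = ($r.IdentityReference.Value -eq $Sid.Value)
        # FullControl also contains all Modify bits, so it satisfies this test too
        $hasRights    = (($r.FileSystemRights -band $WantedRights) -eq $WantedRights)
        $hasInherit   = (($r.InheritanceFlags -band $WantedInherit) -eq $WantedInherit)
        if ($isAllow -and $isSid -and $hasRights -and $hasInherit) { return $true }
    }
    return $false
}

function Set-PublicDesktopAcl {
    # Adds the ACE only when Test-PublicDesktopAcl reports it is missing.
    param([string]$FolderPath = $Path)

    if (Test-PublicDesktopAcl -FolderPath $FolderPath) {
        Write-Output "Compliant: Authenticated Users already have Modify on $FolderPath"
        return
    }

    $acl  = Get-Acl -Path $FolderPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Sid,
        $WantedRights,
        $WantedInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # AddAccessRule merges with existing entries for the same identity instead of
    # replacing them, so nothing another tool granted is silently removed
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
    Write-Output "Remediated: added Modify for Authenticated Users on $FolderPath"
}

# Usage: run the check-and-fix on the default Public Desktop folder
Set-PublicDesktopAcl
```

If you prefer to split this into a detection script and a remediation script, the detection script ends with `if (Test-PublicDesktopAcl) { exit 0 } else { exit 1 }` and the remediation script calls `Set-PublicDesktopAcl`. The check compares SIDs rather than display names, so it does not break on localized group names such as the Dutch “iedereen”.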
Conclusion:
I have said it many times before: there are absolutely no reasons why your users need admin permissions on their devices. With this script, another reason can be crossed off the list. Of course, you can also use this script to change permissions on other folders. But beware!!! Do not change permissions on folders from which AppLocker allows applications to run: a folder that a standard user can write to and that sits inside an AppLocker allow path lets that user drop and run their own executables, which defeats the purpose of the AppLocker policy.
I get the following error when trying to test this script. I am launching PowerShell ISE as admin and running the script.
Error:Exception calling “SetAccessRule” with “1” argument(s): “Some or all identity references could not be
translated.”
At line:3 char:1
+ $acl.SetAccessRule($rule)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : IdentityNotMappedException
I just noticed I copy-pasted the Dutch translation of Everyone 🙂
So you need to change “iedereen” to “everyone”. I also changed the blog.
Thank you, very useful.
Just for changing the IP to access other networks I already need admin permissions.
Thank you, very helpful! I’ve just optimized it a bit so language doesn’t matter anymore (and I think “modify” permission is sufficient):
$path = "C:\Users\Public\Desktop"
$acl = Get-Acl $path
# S-1-5-11: Authenticated Users (SID)
$user = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule ($user,"Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl $path $acl
Thanx.. defining the SID like I did with changing the ACL on task schedules is always better.
https://call4cloud.nl/2022/01/updating-apps-a-new-era/
I guess I totally forgot I didn’t use it with this blog, thanx for reminding me 🙂 I updated the blog.
Very good idea to give users access instead of managing icon by icon.
I am currently trying this.
It works for an already enrolled PC. I need to try it for a new enrollment.
Thanks for the tip.
I arrive often on your blog and I think it’s my first comment. So thanks for your shares. 😉
Do you have an RSS feed on your site? I didn’t find it.
Hi,
of course I have
https://call4cloud.nl/feed/
Perfect. Thanks. I added your site to my Netvibes. 😉
I’ve used a similar script in the past, but they lose permission to edit public desktop after a week or so, will this
Hi,
I guess we could always use proactive remediations to detect and fix those permissions if needed?