How to force user to open files only from one location on Office 2016

Michal Zyzak 31 Reputation points
2020-09-21T07:38:23.8+00:00

Hello,

We have an Excel 2016 published on Citrix for our users. We have a requirement that user can open spreadsheets from one specific location (user homedrive mapped in his AD profile). We have blocked navigation via Windows Explorer and via address bar by GPO. However user can still 'navigate' by typing UNC paths directly in 'File Name' field of 'Open File' box.

I'm trying to fiddle around with 'Untrusted Location' setting in GPO for Office but it does not support anything like: \* nor \.* nor \*.*

How can we force only one location to be available for users in Office 2016?

Regards
MZ

Office Management
Office Management
Office: A suite of Microsoft productivity software that supports common business tasks, including word processing, email, presentations, and data management and analysis.Management: The act or process of organizing, handling, directing or controlling something.
2,059 questions
Excel Management
Excel Management
Excel: A family of Microsoft spreadsheet software with tools for analyzing, charting, and communicating data.Management: The act or process of organizing, handling, directing or controlling something.
1,685 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,775 questions
0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Erin Ding-MSFT 4,461 Reputation points
    2020-09-22T07:30:18.177+00:00

    @MichalZyzak-1432,

    I’m afraid that it may not be achieved as far as I know.
    On my test environment, I enabled "Prevent access to drives from My Computer" GPO Policy in User Configuration>Windows Components>File Explorer and pick ‘Restrict all drives’. However, I can still navigate by typing like C:\Test\Test.xlsx in my computer and open the file ‘Test.xlsx’ successfully.

    Maybe you can refer to the following:

    1. Firstly, backup files.
    2. Save the files you don’t want users to open in a folder, and then find the "To change permissions, click Edit." in the Security column of the folder properties, click Edit, select the Group or user names you want to set the permission, and check Deny for all the options below.
    3. Then save the files that the user is allowed to open in a specific location. Here I take Excel 2016 on my computer as an example, save them in the location
      C:\Users\erind\AppData\Roaming\Microsoft\Excel\XLSTART\
      1. Enter the location in:
        File> Options>Advanced>General>At startup, open all files in.

    For more information, you can refer to Automatically open a specific workbook or template when you start Excel.

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Michal Zyzak 31 Reputation points
    2020-09-23T09:08:15.82+00:00

    Hello

    Thank you for your response.
    Unfortunately ACLs are not a solution as we need to block access only in specific scenarios:

    1. A user opens Excel published on Citrix and has to be locked down to one allowed location (one network share).
    2. Same user opens Excel on his own machine and should not be restricted.
    0 comments
  3. Erin Ding-MSFT 4,461 Reputation points
    2020-09-25T10:06:58.477+00:00

    @Michal Zyzak

    Based on my research, there is no related policy that can solve your problem. I’m afraid that I can’t give you more troubleshoot according to my test.
    If conditions permit, I suggest you to open a paid support ticket with Microsoft Support to help review your problem and help you test remotely.

    Thanks for your understanding.

    Regards,
    Erin

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  4. Erin Ding-MSFT 4,461 Reputation points
    2020-09-28T10:12:53.633+00:00

    Hi @Michal Zyzak ,

    Have you solved your issue? Any questions, you can post back.

    Regards,
    Erin

    If an Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  5. Michal Zyzak 31 Reputation points
    2020-09-30T07:00:32.813+00:00

    Hi

    I cant say that I have.
    It is disappointing that MSFT had prepared a nice GPO setting effectively limiting the 'Save As' window to specific locations and did not do the same for 'Open File' window.