Solved

Group Policy - Terminal Server 2008 R2 - Remove Administrative Tools Link

Posted on 2010-09-22
Last Modified: 2012-05-10
Good Afternoon Experts,

I have a problem that is annoying me somewhat - I know that the answer must be simple, but for the life of me I cannot find the setting within group policy, or anywhere else. I cannot get the 'administrative tools' menu item on the start menu to disappear for standard users on a terminal server.

The background here is that we have a SBS 2003 running in standard config. We then have another server running server 2008 R2 configured as a terminal server. Group policy (set from SBS) is in with loopback processing enabled (replace mode) and it is working without issues.

The problem is that I cannot find the setting for hiding the 'administrative tools' menu item from the start menu. This is not the item within the 'programs' list, but the link that appears next to 'printers, control panel, etc' on the actual root start menu.

I've been through group policy and cannot find the setting to control this. We need this disabled as we do not want users to be able to view or launch any of the administrative tools, regardless of the fact that they would not have authority to change anything. I know that this is possible as we have a similar setup for another deployment where this has been done. I have gone through the 'known good' configuration comparing and contrasting settings and cannot see any difference in GP, so I'm at a bit of a loss.

Help appreciated!

Thanks in advance,


Bolton Wanderer
Question by:BoltonWanderer
11 Comments
 
LVL 8

Expert Comment

by:Emptyone
ID: 33736540
If you go in the group policy to User Configuration - Preferences - Control Panel Settings - Start Menu,
make a new Start Menu there; you can then edit that and, amongst other things, choose that Administrative Tools should not be displayed.
0
 
LVL 8

Expert Comment

by:Emptyone
ID: 33736575
Forgot to also say that on there you should go to the Common tab and choose Run in logged-on user's security context.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33736733
To the best of my knowledge there is no existing GPO to do so in 2003 or 2008.
You can adjust the permissions on the Administrative Tools folder. This would not hide it, but if a user tried to open it they would be denied access.

You can also hide it from the All Programs Menu and Start Menu using the instructions below, using local group policy on the TS. However, hiding it does not block access, and users can also access it from the control panel. You can use an existing GPO to block access to the control panel.

From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.

0
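The registry steps above, scripted as an added example (not part of the original thread). It assumes the script runs in each user's own context, for instance as a logon script, because the values live under HKEY_CURRENT_USER; the function names `Set-AdminToolsHidden` and `Test-AdminToolsHidden` are hypothetical.

```powershell
# Added example: applies steps A, B and C from the comment above for the
# current user, then verifies the result. Function names are hypothetical.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Set-AdminToolsHidden {
    param([string]$Path = $key)

    # Create the key if this profile does not have it yet.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Steps A and C: create the DWORD if missing, otherwise overwrite it with 0.
    foreach ($name in 'Start_AdminToolsRoot', 'StartMenuAdminTools') {
        New-ItemProperty -Path $Path -Name $name -PropertyType DWord `
            -Value 0 -Force | Out-Null
    }

    # Step B: delete Start_AdminToolsTemp; ignore the error if it is absent.
    Remove-ItemProperty -Path $Path -Name 'Start_AdminToolsTemp' `
        -ErrorAction SilentlyContinue
}

function Test-AdminToolsHidden {
    param([string]$Path = $key)

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }

    # Collect the value names so the absence of the Temp value can be checked.
    $names = $props.PSObject.Properties | ForEach-Object { $_.Name }

    return ($props.Start_AdminToolsRoot -eq 0) -and
           ($props.StartMenuAdminTools -eq 0) -and
           ($names -notcontains 'Start_AdminToolsTemp')
}

Set-AdminToolsHidden
if (Test-AdminToolsHidden) {
    'Administrative Tools Start Menu values are set to hidden for this user.'
} else {
    'One or more values are not in the expected state.'
}
```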
 
LVL 8

Expert Comment

by:Emptyone
ID: 33736857
We use the policy I mentioned on an RD farm that's based on Windows 2008 R2 servers. But I agree with RobWill that you will have to limit the control panel. The registry settings RobWill mentioned will also work. I recommend setting them via group policy, as they will have to be configured for each user.
0
 

Author Comment

by:BoltonWanderer
ID: 33741810
Thanks for the feedback guys - I'm checking these ideas out now
 
The frustrating thing is that I have most definitely achieved this using group policy in another recent deployment - just can't figure out how! I definitely did not edit registry settings though.
0
 

Author Comment

by:BoltonWanderer
ID: 33742007
Emptyone - we don't have Group policy preferences here as we only have a 2003 DC.
 
Thinking about it, this is a difference between the known good deployments that I have - both of those have server 2003 DCs, thus have updated group policy.
I'm coming to the conclusion that this may not be possible without doing some reg editing with a 2003 DC, and I'm a bit loath to do that, as it isn't a standard solution that other techies will be able to pick up on easily
0
 

Author Comment

by:BoltonWanderer
ID: 33743592
Apologies - the last comment was meant to read 'both of those have server 2008 DCs, thus have updated group policy'
0
 
LVL 8

Accepted Solution

by:
Emptyone earned 500 total points
ID: 33743699
You might have a look at this one:
http://blogs.technet.com/b/danstolts/archive/2009/01/21/installing-and-managing-group-policy-preferences-on-a-windows-server-2003-domain.aspx

This explains how you get group policy preferences working with a 2003 DC
0
 

Author Comment

by:BoltonWanderer
ID: 33767850
Thanks for that Emptyone - I didn't realise that was possible.
I'll go down that route :)
 
Thanks
Bolton Wanderer
0
 

Expert Comment

by:wootenj2001
ID: 34449606
Thanks for this solution.  I was having the hardest time getting rid of Administrative Tools, Startup, and another folder.  I was having to do login scripts to take care of that, but I hate leaving those on there forever. I didn't even think of using the Preferences feature to create a custom menu.  Duh!
0
 

Expert Comment

by:jpollner
ID: 35213099
The first response was the correct one.
0

Question has a verified solution.