Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Group Policy - Terminal Server 2008 R2 - Remove Administrative Tools Link

Posted on 2010-09-22
Medium Priority
Last Modified: 2012-05-10
Good Afternoon Experts,

I have a problem that is annoying me somewhat - I know that the answer must be simple, but for the life of me I cannot find the setting within group policy, or anywhere else. I cannot get the 'administrative tools' menu item on the start menu to disapear for standard users on a terminal server.

The background here is that we have a SBS 2003 running in standard config. We then have another server running server 2008 R2 configured as a terminal server. Group policy (set from SBS) is in with loopback processing enabled (replace mode) and it is working without issues.

The problem is that I cannot find the setting for hiding the 'administrative tools' menu item from the start menu. This is not the item within the 'programs' list, but the link that appears next to 'printers, control panel, etc' on the actual root start menu.

I've been through group policy and cannot find the setting to control this. We need this disabled as we do not want users to be able to view or launch any of the administrative tools, regardless of the fact that they would not have authority to change anything. I know that this is possible as we have a similar setup for another deployment where this has been done. I have gone through the 'known good' configuration comparing and contrasting settings and cannot see any difference in GP, so I'm at a bit of a loss.

Help appreciated!

Thanks in advance,

Bolton Wanderer
Question by:BoltonWanderer
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 33736540
If you in the group policy go to User Configuration - Preferences - Control Panel Settings - Start Menu
Make a new Start Menu there, and you can then edit that, and amongst other choose that Administrative Tools not should be displayed

Expert Comment

ID: 33736575
Forgot to also say that you on there should go to the Common tab, and choose Run in logged-on users's security context
LVL 77

Expert Comment

by:Rob Williams
ID: 33736733
To the best of my knowledge there is no existing GPO to do so in 2003 or 2008.
You can adjust the permissions on the Administrative Tools folder. This would not hide it but if a user tried to open they would be denied access.

You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.

From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.


Expert Comment

ID: 33736857
We use the policy I informed about on RD farm that's based on Windows 2008 R2 servers. But I agree with RobWill you will have to limit control panel. The registry settings RobWill informed about will also work. Recommend setting them via group policy, as they will have to be configured on each user

Author Comment

ID: 33741810
Thanks for the feedback guys - I'm checking these ideas out now
The frustrating thing is that I have most definately achieved this using group policy in another recent deployment - just can't figure out how! I definately did not edit registry settings though.

Author Comment

ID: 33742007
Emptyone - we don't have Group policy preferences here as we only have a 2003 DC.
Thinking about it, this is a difference between the known good deployments that I have - both of those have server 2003 DCs, thus have updated group policy.
I'm coming to the conclusion that this may not be possible without doing some reg editing with a 2003 DC, and I'm a bit loath to do that, as it isn't a standard solution that other techies will be able to pick up on easily

Author Comment

ID: 33743592
Apologies - the last comment was meant to read 'both of those have server 2008 DCs, thus have updated group policy'

Accepted Solution

Emptyone earned 2000 total points
ID: 33743699
You might have a look at this one:

This explains how you get group policy preferences working with a 2003 DC

Author Comment

ID: 33767850
Thanks for that Emptyone - I didnt realise that was possible.
I'll go down that route :)
Bolton Wanderer

Expert Comment

ID: 34449606
Thanks for this solution.  I was having the hardest time getting rid of Administrative Tools, Startup, and another folder.  I was having to do login scripts to take care of that, but I hate leaving those on there forever. I didn't even think of using the Preferences feature to create a custom menu.  Duh!

Expert Comment

ID: 35213099
The first responce was the correct one.

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question