BoltonWanderer
asked on
Group Policy - Terminal Server 2008 R2 - Remove Administrative Tools Link
Good Afternoon Experts,
I have a problem that is annoying me somewhat - I know that the answer must be simple, but for the life of me I cannot find the setting within group policy, or anywhere else. I cannot get the 'administrative tools' menu item on the start menu to disapear for standard users on a terminal server.
The background here is that we have a SBS 2003 running in standard config. We then have another server running server 2008 R2 configured as a terminal server. Group policy (set from SBS) is in with loopback processing enabled (replace mode) and it is working without issues.
The problem is that I cannot find the setting for hiding the 'administrative tools' menu item from the start menu. This is not the item within the 'programs' list, but the link that appears next to 'printers, control panel, etc' on the actual root start menu.
I've been through group policy and cannot find the setting to control this. We need this disabled as we do not want users to be able to view or launch any of the administrative tools, regardless of the fact that they would not have authority to change anything. I know that this is possible as we have a similar setup for another deployment where this has been done. I have gone through the 'known good' configuration comparing and contrasting settings and cannot see any difference in GP, so I'm at a bit of a loss.
Help appreciated!
Thanks in advance,
Bolton Wanderer
I have a problem that is annoying me somewhat - I know that the answer must be simple, but for the life of me I cannot find the setting within group policy, or anywhere else. I cannot get the 'administrative tools' menu item on the start menu to disapear for standard users on a terminal server.
The background here is that we have a SBS 2003 running in standard config. We then have another server running server 2008 R2 configured as a terminal server. Group policy (set from SBS) is in with loopback processing enabled (replace mode) and it is working without issues.
The problem is that I cannot find the setting for hiding the 'administrative tools' menu item from the start menu. This is not the item within the 'programs' list, but the link that appears next to 'printers, control panel, etc' on the actual root start menu.
I've been through group policy and cannot find the setting to control this. We need this disabled as we do not want users to be able to view or launch any of the administrative tools, regardless of the fact that they would not have authority to change anything. I know that this is possible as we have a similar setup for another deployment where this has been done. I have gone through the 'known good' configuration comparing and contrasting settings and cannot see any difference in GP, so I'm at a bit of a loss.
Help appreciated!
Thanks in advance,
Bolton Wanderer
Forgot to also say that you on there should go to the Common tab, and choose Run in logged-on users's security context
To the best of my knowledge there is no existing GPO to do so in 2003 or 2008.
You can adjust the permissions on the Administrative Tools folder. This would not hide it but if a user tried to open they would be denied access.
You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.
From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software
To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.
You can adjust the permissions on the Administrative Tools folder. This would not hide it but if a user tried to open they would be denied access.
You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.
From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software
To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.
We use the policy I informed about on RD farm that's based on Windows 2008 R2 servers. But I agree with RobWill you will have to limit control panel. The registry settings RobWill informed about will also work. Recommend setting them via group policy, as they will have to be configured on each user
ASKER
Thanks for the feedback guys - I'm checking these ideas out now
The frustrating thing is that I have most definately achieved this using group policy in another recent deployment - just can't figure out how! I definately did not edit registry settings though.
The frustrating thing is that I have most definately achieved this using group policy in another recent deployment - just can't figure out how! I definately did not edit registry settings though.
ASKER
Emptyone - we don't have Group policy preferences here as we only have a 2003 DC.
Thinking about it, this is a difference between the known good deployments that I have - both of those have server 2003 DCs, thus have updated group policy.
I'm coming to the conclusion that this may not be possible without doing some reg editing with a 2003 DC, and I'm a bit loath to do that, as it isn't a standard solution that other techies will be able to pick up on easily
Thinking about it, this is a difference between the known good deployments that I have - both of those have server 2003 DCs, thus have updated group policy.
I'm coming to the conclusion that this may not be possible without doing some reg editing with a 2003 DC, and I'm a bit loath to do that, as it isn't a standard solution that other techies will be able to pick up on easily
ASKER
Apologies - the last comment was meant to read 'both of those have server 2008 DCs, thus have updated group policy'
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for that Emptyone - I didnt realise that was possible.
I'll go down that route :)
Thanks
Bolton Wanderer
I'll go down that route :)
Thanks
Bolton Wanderer
Thanks for this solution. I was having the hardest time getting rid of Administrative Tools, Startup, and another folder. I was having to do login scripts to take care of that, but I hate leaving those on there forever. I didn't even think of using the Preferences feature to create a custom menu. Duh!
The first responce was the correct one.
Make a new Start Menu there, and you can then edit that, and amongst other choose that Administrative Tools not should be displayed