Group Policy - Terminal Server 2008 R2 - Remove Administrative Tools Link

Posted on 2010-09-22
Last Modified: 2012-05-10
Good Afternoon Experts,

I have a problem that is annoying me somewhat - I know that the answer must be simple, but for the life of me I cannot find the setting within group policy, or anywhere else. I cannot get the 'administrative tools' menu item on the start menu to disapear for standard users on a terminal server.

The background here is that we have a SBS 2003 running in standard config. We then have another server running server 2008 R2 configured as a terminal server. Group policy (set from SBS) is in with loopback processing enabled (replace mode) and it is working without issues.

The problem is that I cannot find the setting for hiding the 'administrative tools' menu item from the start menu. This is not the item within the 'programs' list, but the link that appears next to 'printers, control panel, etc' on the actual root start menu.

I've been through group policy and cannot find the setting to control this. We need this disabled as we do not want users to be able to view or launch any of the administrative tools, regardless of the fact that they would not have authority to change anything. I know that this is possible as we have a similar setup for another deployment where this has been done. I have gone through the 'known good' configuration comparing and contrasting settings and cannot see any difference in GP, so I'm at a bit of a loss.

Help appreciated!

Thanks in advance,

Bolton Wanderer
Question by:BoltonWanderer

Expert Comment

ID: 33736540
If you in the group policy go to User Configuration - Preferences - Control Panel Settings - Start Menu
Make a new Start Menu there, and you can then edit that, and amongst other choose that Administrative Tools not should be displayed

Expert Comment

ID: 33736575
Forgot to also say that you on there should go to the Common tab, and choose Run in logged-on users's security context
LVL 77

Expert Comment

by:Rob Williams
ID: 33736733
To the best of my knowledge there is no existing GPO to do so in 2003 or 2008.
You can adjust the permissions on the Administrative Tools folder. This would not hide it but if a user tried to open they would be denied access.

You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.

1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud


Expert Comment

ID: 33736857
We use the policy I informed about on RD farm that's based on Windows 2008 R2 servers. But I agree with RobWill you will have to limit control panel. The registry settings RobWill informed about will also work. Recommend setting them via group policy, as they will have to be configured on each user

Author Comment

ID: 33741810
Thanks for the feedback guys - I'm checking these ideas out now
The frustrating thing is that I have most definately achieved this using group policy in another recent deployment - just can't figure out how! I definately did not edit registry settings though.

Author Comment

ID: 33742007
Emptyone - we don't have Group policy preferences here as we only have a 2003 DC.
Thinking about it, this is a difference between the known good deployments that I have - both of those have server 2003 DCs, thus have updated group policy.
I'm coming to the conclusion that this may not be possible without doing some reg editing with a 2003 DC, and I'm a bit loath to do that, as it isn't a standard solution that other techies will be able to pick up on easily

Author Comment

ID: 33743592
Apologies - the last comment was meant to read 'both of those have server 2008 DCs, thus have updated group policy'

Accepted Solution

Emptyone earned 500 total points
ID: 33743699
You might have a look at this one:

This explains how you get group policy preferences working with a 2003 DC

Author Comment

ID: 33767850
Thanks for that Emptyone - I didnt realise that was possible.
I'll go down that route :)
Bolton Wanderer

Expert Comment

ID: 34449606
Thanks for this solution.  I was having the hardest time getting rid of Administrative Tools, Startup, and another folder.  I was having to do login scripts to take care of that, but I hate leaving those on there forever. I didn't even think of using the Preferences feature to create a custom menu.  Duh!

Expert Comment

ID: 35213099
The first responce was the correct one.

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco AP to get ip from DHCP 10 73
aws pricing 2 43
Keyboard settings within hkcu are not being applied on windows 2008 Server 4 27
NTFS Permissions 6 43
I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question