Solved

Group Policy - Terminal Server 2008 R2 - Remove Administrative Tools Link

Posted on 2010-09-22
11
7,567 Views
Last Modified: 2012-05-10
Good Afternoon Experts,

I have a problem that is annoying me somewhat - I know that the answer must be simple, but for the life of me I cannot find the setting within group policy, or anywhere else. I cannot get the 'administrative tools' menu item on the start menu to disapear for standard users on a terminal server.

The background here is that we have a SBS 2003 running in standard config. We then have another server running server 2008 R2 configured as a terminal server. Group policy (set from SBS) is in with loopback processing enabled (replace mode) and it is working without issues.

The problem is that I cannot find the setting for hiding the 'administrative tools' menu item from the start menu. This is not the item within the 'programs' list, but the link that appears next to 'printers, control panel, etc' on the actual root start menu.

I've been through group policy and cannot find the setting to control this. We need this disabled as we do not want users to be able to view or launch any of the administrative tools, regardless of the fact that they would not have authority to change anything. I know that this is possible as we have a similar setup for another deployment where this has been done. I have gone through the 'known good' configuration comparing and contrasting settings and cannot see any difference in GP, so I'm at a bit of a loss.

Help appreciated!

Thanks in advance,


Bolton Wanderer
0
Comment
Question by:BoltonWanderer
11 Comments
 
LVL 8

Expert Comment

by:Emptyone
ID: 33736540
If you in the group policy go to User Configuration - Preferences - Control Panel Settings - Start Menu
Make a new Start Menu there, and you can then edit that, and amongst other choose that Administrative Tools not should be displayed
0
 
LVL 8

Expert Comment

by:Emptyone
ID: 33736575
Forgot to also say that you on there should go to the Common tab, and choose Run in logged-on users's security context
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33736733
To the best of my knowledge there is no existing GPO to do so in 2003 or 2008.
You can adjust the permissions on the Administrative Tools folder. This would not hide it but if a user tried to open they would be denied access.

You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.

From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.

0
 
LVL 8

Expert Comment

by:Emptyone
ID: 33736857
We use the policy I informed about on RD farm that's based on Windows 2008 R2 servers. But I agree with RobWill you will have to limit control panel. The registry settings RobWill informed about will also work. Recommend setting them via group policy, as they will have to be configured on each user
0
 

Author Comment

by:BoltonWanderer
ID: 33741810
Thanks for the feedback guys - I'm checking these ideas out now
 
The frustrating thing is that I have most definately achieved this using group policy in another recent deployment - just can't figure out how! I definately did not edit registry settings though.
0
Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

 

Author Comment

by:BoltonWanderer
ID: 33742007
Emptyone - we don't have Group policy preferences here as we only have a 2003 DC.
 
Thinking about it, this is a difference between the known good deployments that I have - both of those have server 2003 DCs, thus have updated group policy.
I'm coming to the conclusion that this may not be possible without doing some reg editing with a 2003 DC, and I'm a bit loath to do that, as it isn't a standard solution that other techies will be able to pick up on easily
0
 

Author Comment

by:BoltonWanderer
ID: 33743592
Apologies - the last comment was meant to read 'both of those have server 2008 DCs, thus have updated group policy'
0
 
LVL 8

Accepted Solution

by:
Emptyone earned 500 total points
ID: 33743699
You might have a look at this one:
http://blogs.technet.com/b/danstolts/archive/2009/01/21/installing-and-managing-group-policy-preferences-on-a-windows-server-2003-domain.aspx

This explains how you get group policy preferences working with a 2003 DC
0
 

Author Comment

by:BoltonWanderer
ID: 33767850
Thanks for that Emptyone - I didnt realise that was possible.
I'll go down that route :)
 
Thanks
Bolton Wanderer
0
 

Expert Comment

by:wootenj2001
ID: 34449606
Thanks for this solution.  I was having the hardest time getting rid of Administrative Tools, Startup, and another folder.  I was having to do login scripts to take care of that, but I hate leaving those on there forever. I didn't even think of using the Preferences feature to create a custom menu.  Duh!
0
 

Expert Comment

by:jpollner
ID: 35213099
The first responce was the correct one.
0

Featured Post

Want to promote your upcoming event?

Is your company attending an event or exhibiting at a trade show soon? Are you speaking at a conference? Spread the word by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now