?
Solved

Hide "Administrative Tools" from a group of non-administrator users via Group Policy

Posted on 2011-03-13
7
Medium Priority
?
1,616 Views
Last Modified: 2013-12-04
I’m running Terminal Services on a Windows 20003 R2 server.  The server is a domain controller as well.
I'm trying to do two things with this server:
1. Hide "Administrative Tools" from a group of non-administrator users via Group Policy.  Is that possible?  I saw registry changes on the net but prefer to do it through a GPO.

2. Disallow savvy users from running the commands in "Administrative Tools" such as dsa.msc, dssite.msc and domain.msc from a command prompt or start->run.  Again, I'd like to do this with a GPO.

Thanks,

-Ken
0
Comment
Question by:kucelkj
  • 4
  • 3
7 Comments
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35122452
From: http://www.brianmadden.com/forums/t/19270.aspx

Open the GPO in gpedit.msc and go to:

User Config\Administrative Templates\Windows Components\Microsoft Management Console\ and restrict access to author mode and any MMC snap ins you don't want them to get to.

Be sure that the computer side is in loopback mode if you don't already have a policy on your TS OU that does this:

Computer Config\Administrative Templates\System\Group Policy\User Group Policy Loopback Processing Mode = enabled.

Once the policy is created, it is a good idea to deny apply rights to the administrative staff that supports the server.
0
 

Author Comment

by:kucelkj
ID: 35122691
AustinComputer,

I've found this solution after I posted the question but thanks for you help.  This addresses question 2.  Do you have any advice for question 1?

Thanks,

-Ken
0
 

Author Comment

by:kucelkj
ID: 35122757
Okay, that solution did work!! :)  Thanks!

Now, is there a way to hide it so it doesn't even appear?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 13

Accepted Solution

by:
AustinComputerLabs earned 2000 total points
ID: 35122788
From: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26491683.html

You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.

From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.
0
 

Author Comment

by:kucelkj
ID: 35166797
Awesome, Thanks!
0
 

Author Closing Comment

by:kucelkj
ID: 35166805
Thanks so much for the help!!
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35167134
Glad I could help.
Rick
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Read about the ways of improving workplace communication.
Simple Linear Regression
Progress

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question