Solved

Hide "Administrative Tools" from a group of non-administrator users via Group Policy

Posted on 2011-03-13
7
1,541 Views
Last Modified: 2013-12-04
I’m running Terminal Services on a Windows 20003 R2 server.  The server is a domain controller as well.
I'm trying to do two things with this server:
1. Hide "Administrative Tools" from a group of non-administrator users via Group Policy.  Is that possible?  I saw registry changes on the net but prefer to do it through a GPO.

2. Disallow savvy users from running the commands in "Administrative Tools" such as dsa.msc, dssite.msc and domain.msc from a command prompt or start->run.  Again, I'd like to do this with a GPO.

Thanks,

-Ken
0
Comment
Question by:kucelkj
  • 4
  • 3
7 Comments
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35122452
From: http://www.brianmadden.com/forums/t/19270.aspx

Open the GPO in gpedit.msc and go to:

User Config\Administrative Templates\Windows Components\Microsoft Management Console\ and restrict access to author mode and any MMC snap ins you don't want them to get to.

Be sure that the computer side is in loopback mode if you don't already have a policy on your TS OU that does this:

Computer Config\Administrative Templates\System\Group Policy\User Group Policy Loopback Processing Mode = enabled.

Once the policy is created, it is a good idea to deny apply rights to the administrative staff that supports the server.
0
 

Author Comment

by:kucelkj
ID: 35122691
AustinComputer,

I've found this solution after I posted the question but thanks for you help.  This addresses question 2.  Do you have any advice for question 1?

Thanks,

-Ken
0
 

Author Comment

by:kucelkj
ID: 35122757
Okay, that solution did work!! :)  Thanks!

Now, is there a way to hide it so it doesn't even appear?
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 13

Accepted Solution

by:
AustinComputerLabs earned 500 total points
ID: 35122788
From: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26491683.html

You can also hide it from in the All Programs Menu and Start Menu using the instructions below using local group policy on the TS. However hiding it does not block access, and users can also access from the control panel. You can use an existing GPO to block access to the control panel.

From: http://www.sevenforums.com/tutorials/8891-administrative-tools-add-remove-start-menu.html
1. Open the Start Menu, then type regedit in the search box and press Enter.
2. If prompted by UAC, then click on Yes.
3. In regedit, navigate to the location below. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

To Not Display "Administrative Tools" in All Programs Menu and Start Menu
A) In the right pane of Advanced, double click on Start_AdminToolsRoot, type 0 (number zero), and click on OK.
NOTE: If the Start_AdminToolsRoot DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in Start_AdminToolsRoot and press enter.
B) In the right pane of Advanced, right click on Start_AdminToolsTemp, click on Delete, and click on Yes.
C) In the right pane of Advanced, double click on StartMenuAdminTools, type 0 (number zero), and click on OK.
NOTE: If the StartMenuAdminTools DWORD is not here, then right click on a blank space in the right pane of Advanced, click on New and DWORD (32-bit) value, type in StartMenuAdminTools and press enter.
0
 

Author Comment

by:kucelkj
ID: 35166797
Awesome, Thanks!
0
 

Author Closing Comment

by:kucelkj
ID: 35166805
Thanks so much for the help!!
0
 
LVL 13

Expert Comment

by:AustinComputerLabs
ID: 35167134
Glad I could help.
Rick
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Online collaboration can help businesses be more efficient, help employees grow their skills and foster a team environment.
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question