I am trying to create a shortcut to a program on our user's Start Menus. I am using GPO on a Server 2008 R2 domain controller, with the latest 1709 ADMX files.
The EXE that the shortcut needs to point to is located on a shared network drive that is restricted to our Accounts team using NTFS permissions.
During testing I found that simply adding the shortcut through Group Policy won't work, as the target EXE could not be found. I believe this is because the SYSTEM account that creates the shortcuts on the local machine has not got access to that location.
So I moved the shortcut creation GPO into the User Policy rather than Computer Policy, and told it to run as the logged-on user. This then failed because by default our users have not got security permissions on the "%AllUsersProfile%\Microsoft\Windows\Start Menu" folder.
Next I tried to add 'Everyone' and 'BUILTIN\Users' and granted them full control onto the "%AllUsersProfile%\Microsoft\Windows\Start Menu\" folder:
This created the shortcuts successfully. Great, I thought!
However, now users cannot pin anything to their Start Menu. The option is no longer in the Context Menu for them. (Start Menu is applied using an XML file to add locked groups, then users can add anything else but not touch the defaults. This was working correctly prior to me changing the folder permissions.)
So my question: How would you recommend going about doing this? I can see a couple of options:
> Adding the SYSTEM account to be able to access our Accounts share. Really not ideal as I don't understand the full implications of allowing this.
> Finding the correct permissions to allow start menu items to be added by users whilst retaining the 'Add to Start Menu' option in the Context Menu.
Thanks in advance for any assistance.