Remove Administrative Tools in Group Policy
-
Saturday, August 09, 2008 12:39 PMHi All,
I am configuring a Group Policy to lockdown terminal services users. It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu. How do I remove these?
Answers
-
Monday, August 11, 2008 9:30 AMModerator
Hi,
From your description, I understand you define a group policy to hide administrative tools from start menu. It works fine on terminal users except those belonging to Remote Desktop Users.
In order to further assist on this issue, could you please provide me the following information:
1) What group policy do you define to hide administrative tools from start menu?
2) Where do you apply this GPO? On the OU where terminal users locate or domain or elsewhere.
Please understand that we cannot apply group policy directly to a security group. In order to apply the group policy, we need to explicitly apply to the user objects under OU.
For more information, please refer to the question “Can I apply a Group Policy object directly to a security group?” in the following article:
Group Policy Frequently Asked Questions (FAQ)
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx#ENAAC
3) Use a user account that belongs to Remote Desktop Users group to logon Terminal server and run 'rsop.msc'. Please check if the predefined policy has been indicated in RSOP console.
4) Also, ensure if you haven't defined WMI filter or security filter to block Remote Desktop Users.
- Marked As Answer by Morgan Che [MSFT]Moderator Friday, August 15, 2008 10:01 AM
All Replies
-
Monday, August 11, 2008 9:30 AMModerator
Hi,
From your description, I understand you define a group policy to hide administrative tools from start menu. It works fine on terminal users except those belonging to Remote Desktop Users.
In order to further assist on this issue, could you please provide me the following information:
1) What group policy do you define to hide administrative tools from start menu?
2) Where do you apply this GPO? On the OU where terminal users locate or domain or elsewhere.
Please understand that we cannot apply group policy directly to a security group. In order to apply the group policy, we need to explicitly apply to the user objects under OU.
For more information, please refer to the question “Can I apply a Group Policy object directly to a security group?” in the following article:
Group Policy Frequently Asked Questions (FAQ)
http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx#ENAAC
3) Use a user account that belongs to Remote Desktop Users group to logon Terminal server and run 'rsop.msc'. Please check if the predefined policy has been indicated in RSOP console.
4) Also, ensure if you haven't defined WMI filter or security filter to block Remote Desktop Users.
- Marked As Answer by Morgan Che [MSFT]Moderator Friday, August 15, 2008 10:01 AM
-
Friday, February 06, 2009 7:12 AMDear All,
I have terminal server policies applied to all TS servers and USERS
But i cannot find a Group policy option to hide Administrative tools from the Start menu.
it is showing in the Startmenu right above Printers for all users. i want to hide that from all users.
I'm using standard Startmenu for all users (not Classic)
Is there any way to hide that option?
As everyone saying nobody can perform any actions without rights, i do agree that
But certain Smart users try to read event logs and all
I want to hide Administrative tools from the Root Startmenu For all the users
All users are using Roaming Profile.
Please help GUys
Mathew Thomas
System Administrator
EHL
Dubai. -
Thursday, September 17, 2009 9:37 PM
I just tested this
Edit Group Policy the users are under...
You'll have to make the following registry settings replace the user's registry.
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
StartMenuAdminTools
Decial 0
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
StartMenuAdminTools
Decial 0 -
Tuesday, May 11, 2010 11:34 AM
That's the answer. Thank you!
-
Tuesday, February 22, 2011 12:49 PM
for Win SRV 2008 GPO place file
\PolicyDefinitions\DisableAdminTool.admx
<policyDefinitions revision="1.0" schemaVersion="1.0">
<policyNamespaces>
<target prefix="disableadmintool" namespace="Microsoft.Policies.disabladmintool" />
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>
<supersededAdm fileName="DisableAdminTool.adm" />
<resources minRequiredRevision="1.0" />
<supportedOn>
<definitions>
<definition name="SUPPORTED_NotSpecified" displayName="$(string.ADMXMigrator_NoSupportedOn)" />
</definitions>
</supportedOn>
<categories>
<category name="StartMenuAdministrativeToolsCustomADM" displayName="$(string.unknown_0)" />
</categories>
<policies>
<policy name="RemoveAdministrativeToolsfromStartMenu" class="User" displayName="$(string.unknown_1)" explainText="$(string.ADMXMigrator_UnresolvedString)" presentation="$(presentation.RemoveAdministrativeToolsfromStartMenu)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="StartMenuAdminTools">
<parentCategory ref="StartMenuAdministrativeToolsCustomADM" />
<supportedOn ref="SUPPORTED_NotSpecified" />
<elements>
<enum id="ADM_Configure" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="Start_AdminToolsRoot" required="true">
<item displayName="$(string.ADMoff)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.ADMon)">
<value>
<decimal value="1" />
</value>
</item>
</enum>
</elements>
</policy>
</policies>
</policyDefinitions>
and second file in \PolicyDefinitions\en-US\DisableAdminTool.adml
<policyDefinitionResources revision="1.0" schemaVersion="1.0">
<displayName>
</displayName>
<description>
</description>
<resources>
<stringTable>
<string id="unknown_0">Start Menu Administrative Tools(CustomADM)</string>
<string id="unknown_1">Remove Administrative Tools from Start Menu</string>
<string id="ADM_Configure">Set the Administrative Tools to:</string>
<string id="ADMoff">Hidden</string>
<string id="ADMon">Visible</string>
<string id="ADMhelp">Set Administrative Tools to be shown or hidden on the Start Menu. No need to delete the folder off your TS now! MMills - 30/03/10</string>
<string id="ADMXMigrator_UnresolvedString">This policy setting remove Administrative Tools from Start Menu.
If you enable this policy setting, remove Administrative Tools from Start Menu.
If you disable this policy setting, place Administrative Tools on Start Menu.
If you do not configure this policy setting, as default.
</string>
<string id="ADMXMigrator_NoSupportedOn">Remove Administrative Tools from Start Menu.</string>
</stringTable>
<presentationTable>
<presentation id="RemoveAdministrativeToolsfromStartMenu">
<dropdownList refId="ADM_Configure" defaultItem="0">Set the Administrative Tools to:</dropdownList>
</presentation>
</presentationTable>
</resources>
</policyDefinitionResources>
- Proposed As Answer by Conda86 Wednesday, June 01, 2011 10:46 AM
-
Thursday, March 03, 2011 8:15 PMI created the two files mentioned above and placed them in their corrasponding locations on my DC, how do i use them? If i try to add them via the GPO editer it does not list the file added.
-
Friday, March 04, 2011 1:26 PM
I test it and work fine.
If edit GPO - User Configuration -> Policies -> Administrative Templates: Pol......... -> Start Menu Administretive Tools (CustomADM)
here is Remove Administrative Tools from Start Menu
-
Friday, March 04, 2011 1:40 PM
Hi All,
I am configuring a Group Policy to lockdown terminal services users. It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu. How do I remove these?
The simplest way to do this is using GPP. Go to User Configuration | Preferences | Control Pannel Settings | Start Menu.Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !
- Proposed As Answer by Voldar Friday, March 04, 2011 1:41 PM
-
Thursday, April 21, 2011 5:57 PM
Go to User Configuration | Preferences | Control Pannel Settings | Start Menu.
Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !
That worked brilliantly.
james . Curtis -
Wednesday, June 01, 2011 10:43 AM
This worked perfect. Thanks a million.
For thoose who have the same problem as i did importing this (knowing the whole path) It`s this:
For lokal policy
C:\Windows\PolicyDefinitionsFor domain policy
C:\Windows\SYSVOL\<domain>\policies\PolicyDefinitions\This is when C: is your system drive of course.
-
Wednesday, June 01, 2011 10:45 AM
Your problay should put the files here: C:\Windows\SYSVOL\<domain>\policies\PolicyDefinitions\
Maby you have done the same mistake i did, and putting them here: C:\Windows\PolicyDefinitions
- Proposed As Answer by Conda86 Wednesday, June 01, 2011 10:45 AM
-
Thursday, June 23, 2011 6:19 PMVoldar has the correct answer here.
-
Friday, August 12, 2011 4:03 PM
This works great, except it also removes the Administrative Tools from the server when I log into the server console. Is there anyway to make an exception so if the 'administrator' logs in, the GPP isn't enforced?Hi All,
I am configuring a Group Policy to lockdown terminal services users. It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu. How do I remove these?
The simplest way to do this is using GPP. Go to User Configuration | Preferences | Control Pannel Settings | Start Menu.Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !
-
Friday, August 12, 2011 5:27 PM
Set to "Deny" Apply policy in GPMC -- Advanced setings -- for the Administrators
" Never panic before reboot ! " -
Monday, August 15, 2011 10:52 PM
Windows 7 SP1 with IE9; DC's are Windows 2008 R2 SP1
I've tried both methods and it seems they result in setting a Preference - not a Policy - therefore, the user can still change the setting back.
I tired changing the admx file so the key would be Software\Policies\Microsoft\... (instead of Software\Microsoft\...) but then the setting wasn't enforced at all when applied to a test user.
I have run into this problem with other Policies that aren't being enforced for users, even though RSOP shows the setting being read and the GP is set to be enforced and applied to Domain Users of which my test user is a member.
Rick
-
Monday, August 29, 2011 7:11 PM
I have found a way that is working for us here on machines with Win7 SP1, IE9 and DCs with Win2008 R2 SP1.
First of all, User Preference settings in Group Policy do not work and are not applied when users log in, so setting up Start_AdminToolsRoot and StartMenuAdminTools in User Preferences had no effect.
I did look at the registry and admx files to see how the similar 'Recorded TV' is handled.
From there I came up with:
1. In GP -> Computer Configuration -> Preferencees, I configured a Registry key to be one-time created and called it NoStartMenuAdminTools, which is placed in this registry tree - Software\Microsoft\Windows\CurrentVersion\Explorer\Start Menu\Start Panel\ShowAdminTools\Policy
2. Created a custom admx/adml set that needs 3 pollicies in User Configuration:
The first enables the newly created NoStartMenuAdminTools - this removes the whole System Administrative Tools settings on the Properties Page of the Start Menu from displaying, but does not change any existing settings;
The remaining two policies I added in the custom admx/adml are described above, to disable the Start_AdminToolsRoot and StartMenuAdminTools keys - these were needed in case a user had already customized the display and will change their preferences back to the disabled state.
Rick
-
Tuesday, October 11, 2011 9:30 PM
Succesfull...!! Thanks a Lot...!
-
Thursday, November 03, 2011 10:20 AM
Voldar's solution does not work here. I can think of 2 things that might cause this:
1) Our terminal server is dutch. The DC's however are english and so are the group policies
2) We use loopback processing so the user GPO's are on the TS OU (not on the user OU) so they only apply on terminalsI suspect 1 to be the issue though. Looking into editing the GPO from the TS.
-
Wednesday, November 09, 2011 1:31 PM
Hi All,
I am configuring a Group Policy to lockdown terminal services users. It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu. How do I remove these?
The simplest way to do this is using GPP. Go to User Configuration | Preferences | Control Pannel Settings | Start Menu.Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !
That's did the trick.Note that GPP is only available on domain level, not on local machine...
http://blog.simaju.fr - Partage de connaissances et retour d'expériences. -
Saturday, January 21, 2012 12:15 PMAdministrative Tools shortcut is located at "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". Pl make copy of this shortcut for Administrator and Paste at location where normal users does not have access, like C:\ or Admin Profile Desktop as a backup. After Paste, just remove Administrative Tools shortcut from "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". Tested with user login and works. No need to play with GPO or Registry.
-
Wednesday, February 29, 2012 6:54 PM
Here's an option for you, as I am running Windows 2003 Server and none of the above worked for me.
On your terminal server, login as the domain administrator. Navigate to c:\documents and settings\all users\start menu\programs and Right click on the Administrative Tools. Set it to "hidden". This will prevent regular non-admin users from seeing the sub-menu options, but still allow an admin user to see them (provided you have the option on to show hidden items).
-
Monday, April 16, 2012 9:51 PMDon't even need to do that. Just remove "Authenticated Users" under Delegation and add the user/computer groups you want to be affected and then the admins won't get it removed. I don't like using explicit "deny" policies unless absoulutely necessary because too much can go wrong.
.png){kind=spacer}
