Script to kill Maintenance Start menu group for regular (non-admin) users

    Question

  • I posted in another forum (http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cdf729ca-953d-4c34-be41-06800b3dc157) and they suggested I make a post here because a script may be the solution to my problem.

    I want to eliminate the Maintenance program group in the Start menu on Windows 7 PCs for, preferably, only non-admin users.  I could probably add a vbscript to our users' logon GPO if it could 1) check if that folder exists in their profile and 2) if it does exist, to delete it.  That way if the folder has already been deleted, it won't show them an error message.  That's just my idea, you guys may have a better idea.

    Can anyone help me with this?  Appreciate the help.

    • Moved by Bill_Stewart Wednesday, November 21, 2012 10:41 PM Move to more appropriate forum (From:The Official Scripting Guys Forum!)
    Wednesday, November 21, 2012 5:43 PM

All replies

  • Why would you need to do that?

    Bill

    Wednesday, November 21, 2012 5:49 PM
  • A decision was made here to just eliminate the folder altogether, rather than leaving it there for them to get into, even though without administrator permissions they can't do 90% of the items they can get to through all the items inside Maintenance.
    Wednesday, November 21, 2012 5:50 PM
  • Adjust the permissions on the folder using Group Policy to not allow the Everyone group to list the folder contents. Admins have full access by default.  This will not hide the menu item but will hide its contents from all but admin users.

    This is not a scripting issue but an issue of basic Windows management which should be posted in the platform forum for the OS in question.


    ¯\_(ツ)_/¯


    • Edited by jrv Wednesday, November 21, 2012 6:06 PM
    Wednesday, November 21, 2012 6:06 PM
  • As you note, non-admins can't administer the machine, and in either case, anyone can run the programs whether the shortcuts are there or not. I don't see the point of removing it.

    You're going to run into problems trying to use a script to delete this directory (\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance) because it can only be modified by members of administrators anyway, and it would require elevation to delete it.

    Bill

    Wednesday, November 21, 2012 6:07 PM
  • Hi jrv.  I did post the question in the platform forum of the OS in question, and they led me here.  Do you know what GP setting exactly allows me to do what you described?
    Wednesday, November 21, 2012 6:11 PM
  • Right, but through this path, they can get into the uninstall program area, and there are some programs that will allow an uninstall without admin rights.  Not a huge issue, but an issue nonetheless, and we'd just like to avoid them seeing it in general.  Sounds like jrv may have a GPO based solution though, hopefully he can tell me where exactly I can set something like that, as I'm not real familiar with Win7 GPOs yet.
    Wednesday, November 21, 2012 6:13 PM
  • > Right, but through this path, they can get into the uninstall program area, and there are some programs that will allow an uninstall without admin rights.  Not a huge issue, but an issue nonetheless, and we'd just like to avoid them seeing it in general.  Sounds like jrv may have a GPO based solution though, hopefully he can tell me where exactly I can set something like that, as I'm not real familiar with Win7 GPOs yet.

    #1 You can use the security component of a GPO to set security on any file or folder by path name.

    #2 Use Software Restriction Policies to set restrictions on the programs you do not want users to execute.  They will receive a message that says program is blocked and to call admin if you need access.

    You will need to post in the GP forum for more detailed assistance if you need it.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 6:23 PM
  • I hear ya jrv, don't worry, not trying to make this a bigger deal than it needs to be.  I'll look into the group policy that will allow me to remove the everyone permissions from the Maintenance start menu folder for all users. 

    I feel kinda bad now that the MSFT CSG who replied to my original forum post told me to come here to ask for help on how to eliminate that folder with a script.  Would be easy to delete it if it exists by adding it as a logon script via GPO to all the users who don't need it, but sounds like that isn't the right way to go about it.  Sorry to bother you guys.

    Wednesday, November 21, 2012 6:30 PM
  • You asked the wrong question.  The question should be "How do I set security on files and folders via GP."

    Alternate.  "How do I restrict software via GP."

    If you ask about a script you will be sent here even if it is the script for a movie.  You have to ask the correct question.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 7:16 PM
  • Think of it this way - you are setting a policy for users. Users are not allowed access to certain programs and folders.  From that perspective GP people will be able to help you.  They cannot be of much help if you tell them how you want to do something.

    Policy is policy.  Group Policy is for enforcing policy.  It can do most things very easily.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 7:19 PM
  • jrv,

    From my original post, where the MSFT guy told me to post here about the script I asked about, here is my original question:

    "Is there a group policy I can apply that will hide the Maintenance programs group for my users?"

    I believe I asked the correct question originally, don't you think?

    Wednesday, November 21, 2012 7:24 PM
  • > I believe I asked the correct question originally, don't you think?

    Yes. I have no idea why they'd tell you to ask here (in a scripting forum).

    Bill

    Wednesday, November 21, 2012 7:34 PM
  • > jrv,
    >
    > From my original post, where the MSFT guy told me to post here about the script I asked about, here is my original question:
    >
    > "Is there a group policy I can apply that will hide the Maintenance programs group for my users?"
    >
    > I believe I asked the correct question originally, don't you think?

    Your question is ambiguous. What maintenance programs?  What are you trying to hide?  Icons? Files? Shortcuts?

    Maintenance programs is very general and does not really tell anyone what you are trying to do.

    You need a policy to restrict access to certain programs. <list of program or path to programs>.

    Your question could be "How do I restrict access to programs with Group Policy."

    OR - "How do I restrict access to start menu items with Group Policy."

    Unfortunately some in the GP forum have not yet learned how to use GP so you may need to wait for an answer.

    Of course you could always just use a search engine and find your own answer.

    30 seconds with Google finds this: http://support.microsoft.com/kb/324036?wa=wsignin1.0


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 7:40 PM
  • Me either, especially since there appears to be a GPO that could do it.
    Wednesday, November 21, 2012 7:42 PM
  • 30 seconds more searching for file security policy gets this: http://mcpmag.com/articles/2008/10/13/file-permissions-thru-group-policy.aspx

    The most important thing is to spend more time learning the fundamentals of Windows Administration. Almost all of this stuff has been part of Windows since NT4 or at least Windows 2000SP2.  Apparently no admins are being certified anymore as all of this is part of the certification for network administration.  Even if you don't want to become certified you should at least purchase a used copy of the training for the MCSE cert and study it.  You can have any one of my used copies for the cost of shipping or purchase them from Amazon for a few dollars.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 7:45 PM
  • First, I didn't say "maintenance programs" as you stated, I said "Maintenance programs group" which is fairly clear, but if not, the title of my original post is "GPO to hide the Maintenance and Games groups in the Start menu".  I think that clears up the proposed ambiguity you're alluding to.

    That's also why I included the URL to that post in my original post of that thread.

    I appreciate your response jrv, as ultimately that was what I was trying to find out originally before I was sent down this wrong path.

    Honestly, I never would have thought to google "software restriction policies" when all I really wanted to do was kill a folder containing shortcuts to software out of the Start menus for my users.

    Thanks for your help, I'll try to figure it out on my own from here on out.

    Wednesday, November 21, 2012 7:48 PM
  • > ... all I really wanted to do was kill a folder containing shortcuts to software out of the Start menus for my users.

    As pointed out previously, this does not increase security at all, since a user can still run the program, even if there's no shortcut to it on the Start menu. This is why I said it is basically pointless to delete the directory containing the shortcuts.

    Bill

    Wednesday, November 21, 2012 7:53 PM
  • Again, your approach to conquering the problem is different.  While restricting permissions to each individual app will work, you also have to consider the environment and, most importantly, really all that I'm trying to accomplish. 

    Essentially, my problem is I'm not sure how to automate the checking for and deleting of C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs via a script which I could set to run at logon.  That is why in my first post, I mentioned how I need "a vbscript .... 1) check if that folder exists in their profile and 2) if it does exist, to delete it".

    But had I just plainly asked for a sample of a script that checks if a folder exists and if it does delete that folder, I never would have found out about the GPO possibilities you mentioned.  That's why it's always good to make detailed forum posts.

    This will be my last reply on the topic, as I don't want to "beat a dead horse" as the saying goes.

    Wednesday, November 21, 2012 7:54 PM
  • I totally agree with you this really does nothing from a security perspective Bill.  Purely a "cosmetic" fix IMO, but it is what it is, and I need to do it still.
    Wednesday, November 21, 2012 7:56 PM
  • > Again, your approach to conquering the problem is different.  While restricting permissions to each individual app will work, you also have to consider the environment and, most importantly, really all that I'm trying to accomplish.
    >
    > Essentially, my problem is I'm not sure how to automate the checking for and deleting of C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs via a script which I could set to run at logon.  That is why in my first post, I mentioned how I need "a vbscript .... 1) check if that folder exists in their profile and 2) if it does exist, to delete it".
    >
    > But had I just plainly asked for a sample of a script that checks if a folder exists and if it does delete that folder, I never would have found out about the GPO possibilities you mentioned.  That's why it's always good to make detailed forum posts.
    >
    > This will be my last reply on the topic, as I don't want to "beat a dead horse" as the saying goes.

    Your understanding of Windows is, once again, incorrect.

    There is no user menu for that.  The admin programs are all stored in the AllUsers profile and appear, as if by magic, in every user's start menu.  You cannot delete them from the individual user as they do not exist there.  You must change the permissions on AllUsers start menu to disallow listing of the folder by the Everyone group.

    You seem to think these menus are in the roaming profile.  They will not be there unless someone has purposely copied them to the roaming profile.  Menus do not roam.

    I think the menu you are looking for is here: C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance

    Just add this to GP under Computer policy and remove the Everyone Group.

    Changes to the user's personal menu will not or should not be roamed.  They will likely point to a program on the local machine although we can define a menu that is replicated with the profile.  The best way to do this is by redirecting the 'Start Menu' to a known place on a network share.  Users can be redirected to the same start menu so custom extensions to the start menu can be built and customized by group or job description.

    Here is a picture:

    The path is arrived at by pasting or by navigation. On WS2008 and later we can grab the AllUsers and it will be the same everywhere except on WS2003 and XP.  A separate policy entry can be made for the XP systems.

    In this example I have removed 'Users' from the DACL (I had said it was Everyone and I believe it is on XP).  Once this is removed users will have no access to this menu.  They can still navigate to the programs which is why we prefer setting a restriction policy on only the specific program you wish to restrict.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 8:59 PM
  • I just remembered that you can set a GP that disallows all non-admins from using the installer under any circumstances.  Once we set this the installer is blocked for all users except admins.  This may be what you need.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 9:03 PM
  • That incorrect path was the one given to me by the MSFT person who replied to my other post, sorry.

    But you are correct, C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance is the folder which contains the shortcuts that I do not want in my regular users' Start menu.  I would like to keep it for when users with Admin rights log on though.  That's why I didn't want to delete that folder in its entirety.

    Wednesday, November 21, 2012 9:15 PM
  • > That incorrect path was the one given to me by the MSFT person who replied to my other post, sorry.
    >
    > But you are correct, C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance is the folder which contains the shortcuts that I do not want in my regular users' Start menu.  I would like to keep it for when users with Admin rights log on though.  That's why I didn't want to delete that folder in its entirety.

    Just change the permissions on the folder by removing Users.  You will see that this will block all users except admins from access.  You can do this manually to test and then create a GPO to propagate it.

    The GPO has to be applied to the Computer object in the OU where the computer lives.  You must choose to override inheritance.

    This thread should be moved to the GP forum for the remainder of this exercise.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 9:32 PM
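
The manual test suggested in the reply above (remove Users from the folder's permissions, check the result, then build the GPO), as an added example that is not part of any post in this thread. It assumes an elevated Windows PowerShell session on a test machine; the function names are hypothetical, and the path uses %ProgramData%, which is where C:\Users\All Users points on Windows 7.

```powershell
# Added example, not from the thread. Run elevated, on a test machine first.

# %ProgramData% is the real directory behind "C:\Users\All Users" on Windows 7.
$MaintenancePath = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Maintenance'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Hypothetical helper: strips the given groups from one folder's DACL.
function Remove-GroupAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Well-known SIDs: S-1-5-32-545 = BUILTIN\Users, S-1-1-0 = Everyone.
        # SIDs are used instead of names so the script works on localized systems.
        [string[]]$Sid = @('S-1-5-32-545', 'S-1-1-0')
    )
    if (-not (Test-IsElevated)) { throw 'Changing this folder requires an elevated session.' }
    if (-not (Test-Path -Path $Path -PathType Container)) {
        Write-Warning "Folder not found, nothing changed: $Path"
        return
    }

    # Record the original DACL (SDDL text) so the change can be reviewed later.
    $acl      = Get-Acl -Path $Path
    $original = $acl.GetSecurityDescriptorSddlForm('Access')

    # Step 1: the folder inherits its ACEs from the parent. Stop inheriting,
    # but keep the inherited entries as explicit copies ($true, $true).
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: re-read the ACL (the copies are now explicit) and purge every
    # entry for the listed groups. Administrators and SYSTEM are left alone.
    $acl = Get-Acl -Path $Path
    foreach ($s in $Sid) {
        $acl.PurgeAccessRules((New-Object Security.Principal.SecurityIdentifier($s)))
    }
    Set-Acl -Path $Path -AclObject $acl

    # Report who still has access, for comparison with the GPO result later.
    New-Object PSObject -Property @{
        Path         = $Path
        OriginalSddl = $original
        Remaining    = @((Get-Acl -Path $Path).Access |
                         ForEach-Object { $_.IdentityReference.Value } |
                         Select-Object -Unique)
    }
}

# Hypothetical helper: undo the test by letting the parent's ACEs flow back in.
# The explicit copies made in step 1 stay behind as harmless duplicates.
function Restore-Inheritance {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -Path $Path -AclObject $acl
}

Remove-GroupAccess -Path $MaintenancePath | Format-List
```

After running it, log on as a standard user to confirm the group's shortcuts are no longer listed, then reproduce the same ACL in the GPO's file system security settings so it is enforced on every computer rather than set by hand.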
  • Looks like removing Users and Everyone from C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance worked, as now there is only a Maintenance folder containing "Help and Support", which I'm assuming it is getting from C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance then adding to the user's local copy of the Start Menu since I see this in C:\Users\UserLoggedOn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance .  Is that really where it's pulling it from and doing or something else?

    Think I'm all set now guys, even though we got off topic for a scripting forum.

    Wednesday, November 21, 2012 10:09 PM
  • > Looks like removing Users and Everyone from C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance worked, as now there is only a Maintenance folder containing "Help and Support", which I'm assuming it is getting from C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance then adding to the user's local copy of the Start Menu since I see this in C:\Users\UserLoggedOn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance .  Is that really where it's pulling it from and doing or something else?
    >
    > Think I'm all set now guys, even though we got off topic for a scripting forum.

    No - I believe that that comes from the registry which is another method of injecting items into the start menu or any other menu.  This protects it from being altered, deleted or moved which allows Microsoft to always note that help is available from the start menu.


    ¯\_(ツ)_/¯

    Wednesday, November 21, 2012 11:08 PM

  • > Looks like removing Users and Everyone from C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance worked, as now there is only a Maintenance folder containing "Help and Support", which I'm assuming it is getting from C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance then adding to the user's local copy of the Start Menu since I see this in C:\Users\UserLoggedOn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance .  Is that really where it's pulling it from and doing or something else?


    Current User and Default User (= AllUsersProfile) are merged together. And Current User is (at first logon) populated from "Default" (directory is copied to current user).

    > No - I believe that that comes from the registry which is another method of injecting items into the start menu or any other menu.  This protects it from being altered, deleted or moved which allows Microsoft to always note that help is available from the start menu.


    No, there's no registry involved in start menu items. It's all file and folder based stuff...

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Marked as answer by RJO22 Friday, November 23, 2012 11:34 PM
    Thursday, November 22, 2012 11:39 AM
  • Help & Support are defined in the registry and not in the file system.  A great many menu items are and can be defined in the registry.

    Default is only merged when the profile is first created.  It plays no role after that.   The hive from 'Default' is used to define default values that are initialized per user.  AllUsers overrides most settings.

    See MS documentation.


    ¯\_(ツ)_/¯

    Thursday, November 22, 2012 3:42 PM
  • Are you a troll?
     
    > Help & Support are defined in the registry and not in the file
    > system.  A great many menu items are and can be defined in the registry.
    >
     
    We are talking about "Maintenance", not "Help and support".
     
    > Default is only merged when the profile is first created.  It plays no
    > role after that.   The hive from 'Default' is used to define default
    > values that are initialized per user.  AllUsers overrides most settings.
    >
     
    No, default is _NEVER_ merged, it is copied. And the "hive from default"
    (you mean registry?) belongs to SYSTEM and has NOTHING to do with the
    current user.
     
    > See MS documentation.
    >
     
    Do so on your own and you will get enlightened ;)
     
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Thursday, November 22, 2012 8:51 PM
  • > Are you a troll?
    > > Help & Support are defined in the registry and not in the file
    > > system.  A great many menu items are and can be defined in the registry.
    >
    > We are talking about "Maintenance", not "Help and support".
    > > Default is only merged when the profile is first created.  It plays no
    > > role after that.   The hive from 'Default' is used to define default
    > > values that are initialized per user.  AllUsers overrides most settings.
    >
    > No, default is _NEVER_ merged, it is copied. And the "hive from default"
    > (you mean registry?) belongs to SYSTEM and has NOTHING to do with the
    > current user.
    > > See MS documentation.
    >
    > Do so on your own and you will get enlightened ;)
    >
    > NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    > If my answer was helpful, I'm glad about a rating!

    Martin - go back and read the OP's statement about Help & Support. Some - not all - menu items can be defined in the registry and will not be affected by changes to the folders in the file system.

    The "default" profile contains settings that are copied into any newly created profile.  It contains or is a template for the creation of new users and for certain default hive values that may be overridden in a user profile.

    We use this or the network version to create preconfigured user profiles.

    Example.  If I place an icon on the desktop of the Default user profile then create a new local user the user's desktop will have a COPY of the icon in the default profile.  I generally modify the default profile to contain many customizable settings that I want all local user profiles to have initially.

    The network default profile serves a similar purpose for domain accounts and is copied the first time a domain user logs in.

    See instructions here: http://www.windowsitpro.com/article/tips/how-can-i-set-the-default-domain-user-profile-

    Most techs who are not trained in Windows do not know about these profiles or how they are used.

    The "AllUsers" profile is a profile which is used to store settings that we want to show up in every profile.  AllUsers is dynamically merged with the user's profile at login or is queried in parallel with the user's profile (hive too). It is dynamic and can be changed at any time.  The change will be available immediately in the user profiles as long as the user does not define a competing value which may be redundant or may override the AllUsers values and objects.

    Remember that a profile is all files and folders in the user's local store including the loaded hive USER.DAT along with 1 or more hives that can be stored in the file location.  The user profile also logically includes AllUsers and the Default user hive settings that are not overridden.

    The AllUser profile does not have a hive. 

    I have found very few techs who understand how this works or how useful it is.

    Note that I wrote that AllUsers is merged and default is copied on the first logon for a local account and for a domain account the first time it is used assuming a roamed copy is not available.  Not setting up a network default profile can have some very interesting consequences if you intend to roam a profile. Careful design of this is recommended.  Careful use of Group Policy folder redirection can also make this very useful.


    ¯\_(ツ)_/¯


    • Edited by jrv Saturday, November 24, 2012 2:29 AM
    Thursday, November 22, 2012 10:58 PM