Remove Administrative Tools in Group Policy

    Question

  • Hi All,

    I am configuring a Group Policy to lockdown terminal services users.  It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu.  How do I remove these?
    Saturday, August 09, 2008 12:39 PM

Answers

  • Hi,

    From your description, I understand you defined a group policy to hide Administrative Tools from the Start menu. It works fine on terminal users except those belonging to Remote Desktop Users.

    In order to further assist on this issue, could you please provide me the following information:

    1) What group policy did you define to hide Administrative Tools from the Start menu?

    2) Where do you apply this GPO? On the OU where the terminal users are located, on the domain, or elsewhere?

    Please understand that we cannot apply group policy directly to a security group. In order to apply the group policy, we need to explicitly apply it to the user objects under the OU.

    For more information, please refer to the question “Can I apply a Group Policy object directly to a security group?” in the following article:

    Group Policy Frequently Asked Questions (FAQ)

    http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx#ENAAC

    3) Use a user account that belongs to the Remote Desktop Users group to log on to the Terminal Server and run 'rsop.msc'. Please check whether the predefined policy is indicated in the RSOP console.

    4) Also, ensure that you haven't defined a WMI filter or security filter that blocks Remote Desktop Users.

    Monday, August 11, 2008 9:30 AM

All replies

  • Dear All,

    I have terminal server policies applied to all TS servers and users.

    But I cannot find a Group Policy option to hide Administrative Tools from the Start menu.
    It is showing in the Start menu right above Printers for all users. I want to hide that from all users.
    I'm using the standard Start menu for all users (not Classic).
    Is there any way to hide that option?
    As everyone is saying, nobody can perform any actions without rights, and I do agree with that.
    But certain smart users try to read event logs and so on.
    I want to hide Administrative Tools from the root Start menu for all the users.

    All users are using roaming profiles.

    Please help, guys.

    Mathew Thomas
    System Administrator
    EHL
    Dubai.
    Friday, February 06, 2009 7:12 AM
  • I just tested this

    Edit Group Policy the users are under...

    You'll have to make the following registry settings replace the user's registry.

    Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    StartMenuAdminTools
    Decimal 0

    • Proposed as answer by HåkanS1 Monday, June 04, 2012 6:59 AM
    Thursday, September 17, 2009 9:37 PM
  • That's the answer. Thank you!

    Tuesday, May 11, 2010 11:34 AM
  • for Win SRV 2008 GPO place file

    \PolicyDefinitions\DisableAdminTool.admx

    <policyDefinitions revision="1.0" schemaVersion="1.0">
      <policyNamespaces>
        <target prefix="disableadmintool" namespace="Microsoft.Policies.disabladmintool" />
        <using prefix="windows" namespace="Microsoft.Policies.Windows" />
      </policyNamespaces>
      <supersededAdm fileName="DisableAdminTool.adm" />
      <resources minRequiredRevision="1.0" />
      <supportedOn>
        <definitions>
          <definition name="SUPPORTED_NotSpecified" displayName="$(string.ADMXMigrator_NoSupportedOn)" />
        </definitions>
      </supportedOn>
      <categories>
        <category name="StartMenuAdministrativeToolsCustomADM" displayName="$(string.unknown_0)" />
      </categories>
      <policies>
        <policy name="RemoveAdministrativeToolsfromStartMenu" class="User" displayName="$(string.unknown_1)" explainText="$(string.ADMXMigrator_UnresolvedString)" presentation="$(presentation.RemoveAdministrativeToolsfromStartMenu)" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="StartMenuAdminTools">
          <parentCategory ref="StartMenuAdministrativeToolsCustomADM" />
          <supportedOn ref="SUPPORTED_NotSpecified" />
          <elements>
            <enum id="ADM_Configure" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" valueName="Start_AdminToolsRoot" required="true">
              <item displayName="$(string.ADMoff)">
                <value>
                  <decimal value="0" />
                </value>
              </item>
              <item displayName="$(string.ADMon)">
                <value>
                  <decimal value="1" />
                </value>
              </item>
            </enum>
          </elements>
        </policy>
      </policies>
    </policyDefinitions>

    and second file in \PolicyDefinitions\en-US\DisableAdminTool.adml

    <policyDefinitionResources revision="1.0" schemaVersion="1.0">
      <displayName>
      </displayName>
      <description>
      </description>
      <resources>
        <stringTable>
          <string id="unknown_0">Start Menu Administrative Tools(CustomADM)</string>
          <string id="unknown_1">Remove Administrative Tools from Start Menu</string>
          <string id="ADM_Configure">Set the Administrative Tools to:</string>
          <string id="ADMoff">Hidden</string>
          <string id="ADMon">Visible</string>
          <string id="ADMhelp">Set Administrative Tools to be shown or hidden on the Start Menu. No need to delete the folder off your TS now! MMills - 30/03/10</string>
          <string id="ADMXMigrator_UnresolvedString">This policy setting remove Administrative Tools from Start Menu.

    If you enable this policy setting, remove Administrative Tools from Start Menu.
    If you disable this policy setting, place Administrative Tools on Start Menu.
    If you do not configure this policy setting, as default.
    </string>
          <string id="ADMXMigrator_NoSupportedOn">Remove Administrative Tools from Start Menu.</string>
        </stringTable>
        <presentationTable>
          <presentation id="RemoveAdministrativeToolsfromStartMenu">
            <dropdownList refId="ADM_Configure" defaultItem="0">Set the Administrative Tools to:</dropdownList>
          </presentation>
        </presentationTable>
      </resources>
    </policyDefinitionResources>

    • Proposed as answer by Conda86 Wednesday, June 01, 2011 10:46 AM
    Tuesday, February 22, 2011 12:49 PM
  • I created the two files mentioned above and placed them in their corresponding locations on my DC. How do I use them?  If I try to add them via the GPO editor, it does not list the file added.
    Thursday, March 03, 2011 8:15 PM
  • I tested it and it works fine.

    If you edit the GPO - User Configuration -> Policies -> Administrative Templates: Pol......... -> Start Menu Administrative Tools (CustomADM)

    here is "Remove Administrative Tools from Start Menu"

    Friday, March 04, 2011 1:26 PM
  • Hi All,

    I am configuring a Group Policy to lockdown terminal services users.  It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu.  How do I remove these?


    The simplest way to do this is using GPP. Go to User Configuration | Preferences | Control Panel Settings | Start Menu.

    Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !

    • Proposed as answer by Voldar Friday, March 04, 2011 1:41 PM
    Friday, March 04, 2011 1:40 PM
  • Go to User Configuration | Preferences | Control Panel Settings | Start Menu.

    Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !


    That worked brilliantly.
    james . Curtis
    • Proposed as answer by Raymond-R Thursday, May 31, 2012 1:09 PM
    • Unproposed as answer by Raymond-R Thursday, May 31, 2012 1:09 PM
    Thursday, April 21, 2011 5:57 PM
  • This worked perfect. Thanks a million.

    For those who have the same problem as I did importing this (knowing the whole path), it's this:

    For local policy
    C:\Windows\PolicyDefinitions

    For domain policy
    C:\Windows\SYSVOL\<domain>\policies\PolicyDefinitions\

    This is when C: is your system drive of course.


    Wednesday, June 01, 2011 10:43 AM
  • You probably should put the files here: C:\Windows\SYSVOL\<domain>\policies\PolicyDefinitions\

    Maybe you have made the same mistake I did, and put them here: C:\Windows\PolicyDefinitions

    • Proposed as answer by Conda86 Wednesday, June 01, 2011 10:45 AM
    Wednesday, June 01, 2011 10:45 AM
  • Voldar has the correct answer here.
    Thursday, June 23, 2011 6:19 PM
  • Hi All,

    I am configuring a Group Policy to lockdown terminal services users.  It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu.  How do I remove these?


    The simplest way to do this is using GPP. Go to User Configuration | Preferences | Control Panel Settings | Start Menu.

    Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !

    This works great, except it also removes the Administrative Tools from the server when I log into the server console.  Is there any way to make an exception so if the 'administrator' logs in, the GPP isn't enforced?
    • Proposed as answer by nicolanew Friday, April 11, 2014 1:48 PM
    Friday, August 12, 2011 4:03 PM
  • Set "Apply policy" to "Deny" in GPMC -- Advanced settings -- for the Administrators


    " Never panic before reboot ! "
    Friday, August 12, 2011 5:27 PM
  • Windows 7 SP1 with IE9; DC's are Windows 2008 R2 SP1

    I've tried both methods and it seems they result in setting a Preference - not a Policy - therefore, the user can still change the setting back.

    I tried changing the admx file so the key would be Software\Policies\Microsoft\... (instead of Software\Microsoft\...) but then the setting wasn't enforced at all when applied to a test user.

    I have run into this problem with other Policies that aren't being enforced for users, even though RSOP shows the setting being read and the GP is set to be enforced and applied to Domain Users of which my test user is a member.

    Rick

    Monday, August 15, 2011 10:52 PM
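
Added example (not part of the thread and not any poster's code): a small ADMX check that lists every registry value a template writes outside the two policy-managed trees, `Software\Policies` and `Software\Microsoft\Windows\CurrentVersion\Policies`, which is why the setting above behaves as a user-changeable preference. The sample input is the `<policy>` element of the ADMX posted earlier in this thread, trimmed; the function names are illustrative. Moving a key under a policy tree only helps when the consuming component actually reads it there, which matches the result reported above.

```python
import xml.etree.ElementTree as ET

# Registry trees that Group Policy treats as managed ("true policy") locations.
POLICY_ROOTS = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)

# Constructed sample: the <policy> element from the ADMX posted in this thread, trimmed.
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="RemoveAdministrativeToolsfromStartMenu" class="User"
            key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
            valueName="StartMenuAdminTools">
      <elements>
        <enum id="ADM_Configure"
              key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
              valueName="Start_AdminToolsRoot" required="true" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""


def local(tag):
    """Strip an XML namespace so files with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]


def is_managed(key):
    """True when the key sits under one of the policy-managed trees."""
    k = key.strip("\\").lower() + "\\"
    return k.startswith(POLICY_ROOTS)


def registry_writes(admx_text):
    """Yield (policy, class, key, valueName) for every value a policy can set."""
    root = ET.fromstring(admx_text)
    for pol in (e for e in root.iter() if local(e.tag) == "policy"):
        name, cls, pkey = pol.get("name"), pol.get("class"), pol.get("key", "")
        if pol.get("valueName"):
            yield name, cls, pkey, pol.get("valueName")
        for child in pol.iter():
            if local(child.tag) == "elements":
                for el in child:
                    # An element may override the policy key; otherwise it inherits it.
                    if el.get("valueName"):
                        yield name, cls, el.get("key", pkey), el.get("valueName")


def unmanaged_writes(admx_text):
    """Return the writes that land outside the policy trees (user can revert them)."""
    return [w for w in registry_writes(admx_text) if not is_managed(w[2])]


if __name__ == "__main__":
    for name, cls, key, value in unmanaged_writes(SAMPLE_ADMX):
        hive = "HKCU" if cls == "User" else "HKLM"
        print(f"{name}: {hive}\\{key}\\{value} is a preference, not a managed policy")
```
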
  • I have found a way that is working for us here on machines with Win7 SP1, IE9 and DCs with Win2008 R2 SP1.

    First of all, User Preference settings in Group Policy do not work and are not applied when users log in, so setting up Start_AdminToolsRoot and StartMenuAdminTools in User Preferences had no effect.

    I did look at the registry and admx files to see how the similar 'Recorded TV' is handled.

    From there I came up with:

    1. In GP -> Computer Configuration -> Preferences, I configured a Registry key to be one-time created and called it NoStartMenuAdminTools, which is placed in this registry tree - Software\Microsoft\Windows\CurrentVersion\Explorer\Start Menu\Start Panel\ShowAdminTools\Policy

    2. Created a custom admx/adml set that needs 3 policies in User Configuration:

    The first enables the newly created NoStartMenuAdminTools - this removes the whole System Administrative Tools settings on the Properties Page of the Start Menu from displaying, but does not change any existing settings;

    The remaining two policies I added in the custom admx/adml are described above, to disable the Start_AdminToolsRoot and StartMenuAdminTools keys - these were needed in case a user had already customized the display and will change their preferences back to the disabled state.

    Rick

    • Proposed as answer by scdl Thursday, May 31, 2012 4:21 PM
    Monday, August 29, 2011 7:11 PM
  • Successful...!!  Thanks a lot...!

    Tuesday, October 11, 2011 9:30 PM
  • Voldar's solution does not work here. I can think of 2 things that might cause this:

    1) Our terminal server is Dutch. The DCs, however, are English and so are the group policies
    2) We use loopback processing so the user GPO's are on the TS OU (not on the user OU) so they only apply on terminals

    I suspect 1 to be the issue though. Looking into editing the GPO from the TS.

    Thursday, November 03, 2011 10:20 AM
  • Hi All,

    I am configuring a Group Policy to lockdown terminal services users.  It's coming along pretty good, except when I log on as a Remote Desktop User under the Group Policy, I still see Administrative Tools in the Start Menu.  How do I remove these?


    The simplest way to do this is using GPP. Go to User Configuration | Preferences | Control Panel Settings | Start Menu.

    Right-click > New > Start menu (Windows Vista) and then browse till the Administrative tools and choose "Do not show this item". That's all !


    That did the trick.

    Note that GPP is only available at domain level, not on the local machine...


    http://blog.simaju.fr - Knowledge sharing and lessons learned.
    Wednesday, November 09, 2011 1:31 PM
  • The Administrative Tools shortcut is located at "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". Please make a copy of this shortcut for the Administrator and paste it at a location where normal users do not have access, like C:\ or the Admin profile Desktop, as a backup. After pasting, just remove the Administrative Tools shortcut from "C:\ProgramData\Microsoft\Windows\Start Menu\Programs". Tested with a user login and it works. No need to play with GPO or the registry.
    Saturday, January 21, 2012 12:15 PM
  • Here's an option for you, as I am running Windows 2003 Server and none of the above worked for me.

    On your terminal server, login as the domain administrator. Navigate to c:\documents and settings\all users\start menu\programs and Right click on the Administrative Tools. Set it to "hidden". This will prevent regular non-admin users from seeing the sub-menu options, but still allow an admin user to see them (provided you have the option on to show hidden items).

    Wednesday, February 29, 2012 6:54 PM
  • Don't even need to do that. Just remove "Authenticated Users" under Delegation and add the user/computer groups you want to be affected and then the admins won't get it removed. I don't like using explicit "deny" policies unless absolutely necessary because too much can go wrong.
    Monday, April 16, 2012 9:51 PM
  • Rather than messing with GPO or registry, I found the easiest way to accomplish this is to log into your RDS server as domain admin and change the NTFS permissions on the folder “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools”. I just removed inheritance and then removed all permissions for Everyone and Users. That way your admins still can access it, but any other RDS session user won't see any shortcuts for Admin Tools in the Start Menu anymore.
    • Edited by bvjens31 Friday, June 01, 2012 3:20 PM
    • Proposed as answer by MarkInternos Monday, June 18, 2012 2:55 PM
    Friday, June 01, 2012 3:20 PM
  • Great quick fix, thanks!
    Monday, June 18, 2012 2:56 PM
  • Perfect fix bvjens31 thanks!!!
    Monday, June 25, 2012 10:55 PM
  • Great!

    Thanks.

    Wednesday, June 27, 2012 9:34 PM
  • Hi There,

    I have no idea what version of Windows you're using. In case you are using Windows 2008 R2 and an RDS server, please try the steps below. It works in my environment and I can log in from different machines (Windows XP/7/8) using Remote Desktop.

    Everything is built into the GPO: no script, no PowerShell, no registry editor, and it is easy to manage.

    Please try this workaround.

    To hide the Administrative Tools from ordinary users in the Start menu and All Programs:

    1. Create a GPO using the GPO Editor and expand "User Configuration".

    2. Click "Preferences", then "Control Panel Settings".

    3. Click "Start Menu" and then, in the right pane, define a new Start Menu for Windows Vista and later.

    4. Then, under the Windows tab, scroll down through all the items and please ensure the following item is selected: "System administrative tools, Don't display".

    5. Leave the rest of the setup at its defaults.

    6. Then close the GPO Editor and assign the GPO to the specific OU.

    7. Then connect to the terminal server with Remote Desktop and check that "Administrative Tools" is gone.

    The next steps hide "Administrative Tools" in the Control Panel:

    1. Using the GPO Editor, open the GPO that you created previously for the server running "RDS" that you want to connect to.

    2. Go to "User Configuration".

    3. Then click "Administrative Templates", then "Control Panel".

    4. In the right pane, click "Hide Specified Control Panel Items" and edit it.

    5. Click the "Enabled" radio button and click "Show".

    6. In the Show Contents dialog, type the following in the Value field: "Microsoft.AdministrativeTools" (without the quotes).

    7. Click OK, apply the GPO and save.

    8. Try to connect to the server as an ordinary user; the "Administrative Tools" link in the Control Panel is gone.

    You can hide anything in the Control Panel using the Canonical Names of Control Panel Items,

    for example:

    Windowsupdate  = Microsoft.Windowsupdate

    Power Options   = Microsoft.poweroptions

    I hope this helps... Cheers!


    Tuesday, November 27, 2012 2:28 PM