Home > Group Policies, Microsoft Terminal Services, Remote Desktop Services, XenApp > Windows 2008 R2 RDS (XenApp 6) – restrict the user desktop

Windows 2008 R2 RDS (XenApp 6) – restrict the user desktop

October 11, 2010 Leave a comment Go to comments

I have done some XenApp 6 deployments the last weeks and often published the server desktop for the users. With Windows 2003 it was easy to hide the “All Users” components, so that users didn’t see the links on the desktop or the Administrative Tools folder in the start menu.

With Windows 2008 R2 it’s a bit different, the well known group policies don’t work for Windows 7 / 2008 (R2). By default users see the “Administrative Tools” folder in the start menu and the “Server manager” and “Powershell” links pinned on their taskbar.

image

To prevent users from seeing this Administrative Tools, do the following:

Create a group policy or use an existing one for your RDS (XenApp) servers

  • Go to User configuration > Preferences > Windows settings > Registry
  • Create two new Registry items with the following settings:
image Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\ Explorer\Advanced
Value Name: StartMenuAdminTools
Value type: REG_DWORD
Value data: 0
image Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\ Explorer\Advanced
Value Name: Start_AdminToolsRoot
Value type: REG_DWORD
Value data: 0
image It’s important to configure the setting “Run in logged-on user’s security context” for both registry items

During the first logon of a user, two links (Server Manager and Powershell) are created in the task bar of the user profile. They are copied from the following location:

  • “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
  • “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\”

To prevent the links from being created do the following:

  • Create a group policy or use an existing one for your RDS (XenApp) servers
  • Go to Computer configuration > Policies> Windows settings > Security Settings > File system
  • Add file… and select “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk”
  • Change the security, so that only selected users or groups (administrators) and the SYSTEM have rights
  • Do the same with “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk”

Advertisements
  1. TK
    January 13, 2011 at 17:09

    Thanks for this!
    This finished my 2008r2 RDS server

  2. February 1, 2011 at 15:58

    thanks! this finished my 2008 RDS server as well 🙂

  3. Bill C.
    May 12, 2011 at 22:49

    Me, as well! Thanks so much!!

  4. September 29, 2011 at 02:59

    We’ll this is a great post
    Finished my XenApp 6 deployment on Windows 2008 R2

    Cheers,

  5. agenty
    October 9, 2011 at 09:03

    10x. worked for me

  6. Anonymous
    November 16, 2011 at 11:22

    Hi,
    I tried this solution and now everytime i try to log into that specific Xenapp server, i am only logged into a temporary profile. Any idea what might be causing this?? Or how can i revert back because i did but still i am being logged using a temporary profile.

  7. Mocxe
    November 22, 2011 at 03:30

    Thank you for yout TIP it works 100% and as it is GPO you can apply to anny server on the farm

  8. Anonymous
    November 25, 2011 at 21:39

    Thanks a bunch, it worked great.

  9. Anonymous
    December 7, 2011 at 12:08

    As alternative you can use gp preferences to control the visibility of the admin tools and the rest of the start menu shortcuts too 🙂

  10. Anonymous
    January 10, 2012 at 16:57

    Thanks a lot for these infos. You just saved me an huge amount of time! I have been trying to get this to work for quite some time.

  11. Bhaskar
    March 20, 2012 at 20:58

    Hi,
    My name is Bhaskar, i am facing a new problem in my 2008 R2 Standard edition server. the problem is when i login to server as administrator i can get only command prompt option and Task manager option. I am not able to find taskbar (Start menu) and desktop icons. Is there any policy is applied, if it is so how to remove and how to apply the policy.
    can any one help me.

  12. Anonymous
    March 21, 2012 at 00:09

    I just hide task bar icons from User Configuration\Administrative Templates\Start Menu and Taskbar:

    Remove pinned programs from the Taskbar

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: