Server 2016: GPO to customise Start Menu

Building some new 2016 RDS Session Hosts.

To hide some of the default Windows tools, we'd normally use GPO and create policies under

Computer Configuration > Policies > Windows Settings > File System

By removing rights from the users, the shortcut goes for users but remains for accounts in the Administrator group

My first rule removes the Server Manager icon from the Start menu but the other two don't work (I'd like the second rule to remove the whole group, I tried referencing the specific link to see if that worked but no joy).

I've rebooted the Server as it's Computer Policy, and deleted the VHD user profile disk for my test user so that it gets a fresh profile.

Also, Windows dumps the "Windows PowerShell" folder into the Start Menu for each user but that's not in the %AllUsersProfile% (C:\ProgramData) folder, so where the heck does that folder come from?

So, why don't all the rules work in the same way? And where does the extra PowerShell group come from?
 
Where do those folders come from? I guess I could try removing the standard user ACL from where they end up but would be nice to block them at source.
 
I designed our new RDS platform, starting right back during the 2016 beta. Learnt a lot over the months. Went live two months ago, really happy with it.
Search for my name "glen harrison" on the technet forums. I put a lot of info on there, esp with what you need to add to UPD in order for the start menu to work.

Maybe a few posts on here of mine, can't remember.

Oh, and App-V 5.1 will be your friend for sure!

If you want, I'll paste my batch script on here. We use SCCM to build our RDS blade servers but there is a main batch file which does the start menu tidy work.

Make no mistake, it took me months and months of work to get into all the little nitty gritty parts of 2016 so users couldn't find a way of shutting the server down or doing anything silly. There are files to move, delete, rename, registry settings to change, services to disable (or enable) etc.
 
There are A LOT of group policies which do registry changes, services and the like, but this might give you a boost:

REM Map the host name to its blade model. Default to "unknown" so the later
REM "if %machine% == ..." checks do not fail with a syntax error on an unlisted host.
set machine=unknown
if %computername% == ******SH01 (set machine=M620v2)
if %computername% == ******SH02 (set machine=M620v2)
if %computername% == ******SH03 (set machine=M620v2)
if %computername% == ******SH04 (set machine=M620v2)
if %computername% == ******SH05 (set machine=M620v2)
if %computername% == ******SH06 (set machine=M620v2)
if %computername% == ******SH07 (set machine=M620)
if %computername% == ******SH08 (set machine=M620)
if %computername% == ******SH09 (set machine=M620)
if %computername% == ******SH10 (set machine=M620)
if %computername% == ******SH11 (set machine=M610)
if %computername% == ******SH12 (set machine=M610)
if %computername% == ******SH13 (set machine=M610)
if %computername% == ******SH14 (set machine=M610)
if %computername% == ******SH15 (set machine=M610)
if %computername% == ******SH16 (set machine=M610)

REM Installing Intel X520 Drivers for M610 and M620 Blades
if %machine% == M610 (
"%~dp0Intel X520 v22.3\APPS\SETUP\SETUPBD\Winx64\SetupBD.exe" /s
)

if %machine% == M620 (
"%~dp0Intel X520 v22.3\APPS\SETUP\SETUPBD\Winx64\SetupBD.exe" /s
)

REM Configuring NICS
copy "%~dp0%computername%.ps1" c:\scripts
powershell.exe -executionpolicy bypass -file c:\scripts\%computername%.ps1
reg import "%~dp0nicorder.reg"

ECHO Adding Shortcuts to the Default Desktop and Start Menu
copy "%~dp0Shortcuts\*.*" "C:\Users\Public\Desktop"
copy "%~dp0Shortcuts\*.*" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
copy "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" "C:\Users\Public\Desktop"
copy "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"

ECHO General Start Menu Tidy-Up
REM Move the folders out of the Default profile rather than deleting them, so
REM they can be restored; new user profiles are copied from Default and never get them.
md "C:\StartMenuItems\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
move "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility" "C:\StartMenuItems\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
move "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance" "C:\StartMenuItems\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
move "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools" "C:\StartMenuItems\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
move "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell" "C:\StartMenuItems\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"

ECHO Microsoft Office 2016 Start Menu Tidy-Up
md "C:\StartMenuItems\Microsoft Office 2016\Microsoft Office 2016 Tools"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools" "C:\StartMenuItems\Microsoft Office 2016\Microsoft Office 2016 Tools"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk" "C:\StartMenuItems\Microsoft Office 2016"
md "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Project 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Visio 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"
move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016"

ECHO Securing Certain Microsoft Office 2016 Apps to Staff Only
REM Deny Read on the shortcut (hides it) and Read+Execute on the exe (blocks launching it
REM directly). Deny ACEs win over Allow ACEs, so staff/admin Allow entries are unaffected.
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016\Outlook 2016.lnk" /deny "domain.com\students:(r)"
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016\Project 2016.lnk" /deny "domain.com\students:(r)"
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016\Skype for Business 2016.lnk" /deny "domain.com\students:(r)"
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016\Visio 2016.lnk" /deny "domain.com\students:(r)"
icacls "C:\Program Files (x86)\Microsoft Office\Office16\lync.exe" /deny "domain.com\students:(rx)"
icacls "C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE" /deny "domain.com\students:(rx)"
icacls "C:\Program Files (x86)\Microsoft Office\Office16\VISIO.EXE" /deny "domain.com\students:(rx)"
icacls "C:\Program Files (x86)\Microsoft Office\Office16\WINPROJ.EXE" /deny "domain.com\students:(rx)"

ECHO Copying Symmetry Shortcut to Start Menu and Securing to Staff Only
copy "%~dp0Symmetry.url" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symmetry.url" /deny "domain.com\students:(r)"
md "C:\Windows\Sun\Java\Deployment\security"
copy "%~dp0trusted.certs" "C:\Windows\Sun\Java\Deployment\security"

ECHO Applying Start Layout XML Template
md "C:\StartMenuLayout"
copy "%~dp0StartLayout.xml" "C:\StartMenuLayout"

ECHO Remove Various Options from the Start Button Right-Click Context Menu
REM The Win+X menu is built from the WinX\GroupN folders in the Default profile; move
REM entries out so new users do not get them.
md "C:\StartMenuItems\WinX\Group2"
move "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk" "C:\StartMenuItems\WinX\Group2"
move "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk" "C:\StartMenuItems\WinX\Group2"
move "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3" "C:\StartMenuItems\WinX"

ECHO Copying Google Chrome First Run File to stop welcome screen
md "C:\Users\Default\AppData\Local\Google\Chrome\User Data"
copy "%~dp0First Run" "C:\Users\Default\AppData\Local\Google\Chrome\User Data"

ECHO Remove Windows Defender from Right-Click Context Menu
regsvr32 /s /u "C:\Program Files\Windows Defender\shellext.dll"
 
Also, you'll probably want to export your RDS server pool to an XML file, and then create a login script to use that same XML file for all your IT admins. If not, you'll get them all moaning they can't use the brokers properly.

If you use gateway servers, enable the password change feature in IIS, else users can't use it if they have the tick in their account for "change password at next logon".
 
Cheers - the more I've been working on this, the more it seems GPO is missing lots of stuff for 2016. Trawling through the GPO settings Excel file turns up an option to hide the new Settings app but I think that kills Control Panel as well.

How do you handle hiding / removing Windows Administrative Tools in the Start Menu? I can't see it in your batch file. GPO setting permissions on the folder doesn't work, though I've not got as far as changing the folder permissions directly.
 
Let me have a quick look
 
That's what I'm trying to use but the permissions on the actual folder never change.

%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools

Actually, don't see that location in your list - do you do something else to hide it?
 
As I found out through trial and error, the folder names are not always what you think. Double click into a folder, then click the address bar at the top to see its real name. It's a mind game!
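The "address bar" check above, automated: this is an added example and not a script from the thread. It lists every folder under the All Users Start Menu with the name Explorer displays (from desktop.ini, or a junction/symlink target) next to its real on-disk name, and with -Apply adds a Deny Read ACE on the real folder. The group name and the default folder list are placeholders; run it elevated on the session host.

```powershell
# Added example (not from the thread). Report real vs displayed Start Menu folder
# names, then optionally deny Read on the real folder for one group.
param(
    [string]$DenyGroup = 'DOMAIN\students',        # placeholder, use your own group
    [switch]$Apply,                                # report only unless -Apply is given
    [string[]]$Hide = @('Administrative Tools')    # REAL names to deny (see report)
)

$programs = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs'

function Get-DisplayName([IO.DirectoryInfo]$dir) {
    # Explorer shows desktop.ini LocalizedResourceName, not the folder name.
    $ini = Join-Path $dir.FullName 'desktop.ini'
    if (Test-Path -LiteralPath $ini) {
        foreach ($line in (Get-Content -LiteralPath $ini -ErrorAction SilentlyContinue)) {
            if ($line -match '^\s*LocalizedResourceName\s*=\s*(.+?)\s*$') { return $Matches[1] }
        }
    }
    return $dir.Name
}

Write-Host "Real name -> displayed name (under $programs)"
Get-ChildItem -LiteralPath $programs -Directory -Force | ForEach-Object {
    # A reparse point (junction/symlink) means the visible name is not the real folder.
    $isLink = ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
    $target = if ($isLink -and $_.Target) { " [link -> $($_.Target -join ', ')]" } else { '' }
    '{0,-40} -> {1}{2}' -f $_.Name, (Get-DisplayName $_), $target
}

if ($Apply) {
    foreach ($name in $Hide) {
        $path = Join-Path $programs $name
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "No folder named '$name'"; continue }
        $acl = Get-Acl -LiteralPath $path
        # Deny Read, inherited by child files and folders. Deny ACEs are evaluated
        # before Allow ACEs, so admins' existing Allow entries are untouched.
        $args = @($DenyGroup, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $args
        $acl.AddAccessRule($ace)
        Set-Acl -LiteralPath $path -AclObject $acl
        Write-Host "Denied Read on '$path' for $DenyGroup"
    }
}
```

Run it once without -Apply, read the real name off the report, and pass that name in -Hide; a GPO File System rule or icacls call that uses the displayed name will never match the folder.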
 
If the permissions don't change, try logging in with a brand new account. The permissions might not work on cached accounts. Easier than deleting local profiles.
 
Hah, I owe you a beer - hadn't spotted it's a symbolic link or similar to point to the actual folder Administrative Tools :rolleyes: Works now :D

Now to clean up the stuff that goes into %Appdata%
 
No worries, let me know if you need anything else. Like I say, I tested this for months before we launched it. Found some right gems.

Also, make sure your print server has signed drivers on (mine didn't).
 
Anyone that releases an unsigned driver should be taken and shot. Thankfully mainly Ricoh kit which all seems to share a common driver to make it easier for deploying via GPO.
 
Yeah, it was my printer guy who installed it and didn't check. Thought it was weird that our mapping policies only worked for admins and not staff till I realised. Had a feeling it was another 2016 oddity until I got the signed driver.
 