Note: The article below applies to all Windows operating systems in an Active Directory environment; here I will be applying it to a Windows Server 2008 Terminal Server.
Overview
When setting up a Windows Terminal Server farm I try to lock things down as much as possible to prevent users from tinkering with things they shouldn't.
I also like to make things as easy to manage for the administrator as possible. This usually involves using Folder Redirection to redirect all users’ Start Menus to a common location on a file server so that it can be centrally maintained for all users. I also use desktop redirection so that users can access their desktop across multiple terminal servers and to keep their roaming profile small.
One of the lockdown policies I like to enable is under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar, this policy is called “Remove common program groups from Start Menu”.
Combined with Start Menu redirection, this policy gives me full control of users' Start Menus: it removes the items that the All Users (Public) profile contributes to the Programs menu on the Start Menu, items which general users do not need but which Administrator users may.
Issue
The problem with applying this policy is that it also removes items from the All Users (Public) Desktop. This means that items in C:\Users\Public\Desktop (Windows Server 2008/Vista/7) or C:\Documents and Settings\All Users\Desktop (Windows Server 2003/XP) are not displayed for users to which this policy is applied.
Solution
Although scripts could be used to copy items to a user's desktop on logon, I have found a much simpler solution.
Simply remove the Everyone and Domain Users groups from the permissions on the C:\ProgramData\Microsoft\Windows\Start Menu (Windows Server 2008) or C:\Documents and Settings\All Users\Start Menu (Windows Server 2003) folder. You will need to disable inheritance on the folder before these permissions can be applied. Users who cannot read this folder never see its program groups, so the policy is no longer needed to hide them, and the Public Desktop is left untouched.
Now, set the User Configuration > Policies > Administrative Templates > Start Menu and Taskbar > Remove common program groups from Start Menu policy to “Not configured”.
Users will still be limited to the redirected Start Menu, but you will now be able to add items to users' desktops globally simply by copying them to C:\Users\Public\Desktop on each server.
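The permission change above, as an added PowerShell example that is not part of the original article. It assumes the Windows Server 2008 folder layout (pass the Server 2003 path via -StartMenuPath), takes the domain NetBIOS name from the running session, and removes the two groups the article names; the parameter names and the backup file location are my own choices. Run it elevated on each terminal server.

```powershell
# Added example, not from the original post. Stops general users reading the
# All Users Start Menu folder (the change the post describes) without touching
# the Public Desktop. Run elevated on each terminal server.
# Assumptions: Server 2008-style path (override with -StartMenuPath for 2003),
# domain NetBIOS name from the session (override with -DomainName), and that
# "Everyone" and "Domain Users" are the entries to drop (override with -IdentitiesToRemove).
param(
    [string]$StartMenuPath = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    [string]$DomainName = $env:USERDOMAIN,
    [string[]]$IdentitiesToRemove = @('Everyone', "$DomainName\Domain Users")
)

# 1. Keep a copy of the current descriptor (SDDL) so the change can be reverted with:
#    $acl = Get-Acl $path; $acl.SetSecurityDescriptorSddlForm((Get-Content $backup)); Set-Acl $path $acl
$acl = Get-Acl -Path $StartMenuPath
$backup = Join-Path $env:TEMP ('StartMenu-ACL-{0:yyyyMMdd-HHmmss}.sddl' -f (Get-Date))
Set-Content -Path $backup -Value $acl.Sddl
Write-Host "Original ACL saved to $backup"

# 2. Disable inheritance from C:\ProgramData, converting the inherited entries into
#    explicit ones. This is written and re-read first, because entries still flagged
#    as inherited cannot be removed from the in-memory descriptor.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $StartMenuPath -AclObject $acl
$acl = Get-Acl -Path $StartMenuPath

# 3. Remove every allow/deny entry held by the listed identities.
foreach ($identity in $IdentitiesToRemove) {
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity })
    if (-not $rules) { Write-Host "No entry for $identity (nothing to remove)"; continue }
    foreach ($rule in $rules) {
        Write-Host "Removing $($rule.AccessControlType) $($rule.FileSystemRights) for $identity"
        [void]$acl.RemoveAccessRuleAll($rule)
    }
}
Set-Acl -Path $StartMenuPath -AclObject $acl

# 4. Verify: show who still has access and warn if a listed identity survived.
$after = Get-Acl -Path $StartMenuPath
$after.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
$leftover = @($after.Access | Where-Object { $IdentitiesToRemove -contains $_.IdentityReference.Value })
if ($leftover) {
    Write-Warning ('Entries still present for: ' + (($leftover | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
}

# 5. The GPO side: once "Remove common program groups from Start Menu" is back to
#    "Not configured", the registry value it sets (NoCommonGroups) should be absent in an
#    affected user's session. Run this part as that user after a gpupdate to confirm.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$item = Get-ItemProperty -Path $policyKey -Name NoCommonGroups -ErrorAction SilentlyContinue
if ($null -eq $item) { Write-Host 'NoCommonGroups not set: the policy no longer applies to this user' }
else { Write-Warning "NoCommonGroups = $($item.NoCommonGroups): the policy is still applied to this user" }
```

The listing in step 4 is the check worth reading: if a group such as BUILTIN\Users (of which Domain Users is normally a member) still holds read access on your server, add it to -IdentitiesToRemove and run again, otherwise the common program groups will remain visible. The SDDL backup from step 1 is the quickest way back if administrators lose the access they need.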


Hi,
Does this only work for terminal services?
Have you discovered a way for domain clients?
I’m currently trying to get the desktop and start menu customised from a central Server 08 R2 DC.
Thanks!
Matt
Link | June 8th, 2010 at 2:02 pm
Hi Matt,
This method will work for any domain computer with the correct Start Menu and desktop folder redirection policies applied; however, items will need to be added to each domain computer's All Users/Public Desktop folder.
In this scenario I have manually copied the required Desktop items to the Public Desktop folder on each terminal server.
Are you aiming to have all users share a single common Start Menu and desktop, or do you just want to add certain items to users' desktops? If this is the case then you may want to explore using the new Group Policy Preference policies in Windows Server 2008/2008 R2 to place items on users' desktops or Start Menus. Note that this will require ensuring your Group Policy Client Side Extensions are up to date on any Windows XP clients.
Link | June 8th, 2010 at 2:18 pm
Thanks Sam!
I am aiming to have a single common start menu and desktop...
I haven't gotten to the start menu yet, but I will need to. This is what I have done so far:
In group policy I have set the following:
User Config>Folder Redirection > Desktop
Setting = Basic , Target = Redirect to location, \\SERVER\Folder\Folder\Desktop
Then I have set the permission on the above Desktop folder as read only. I don't want users to save or add to the desktop. But unfortunately it doesn't work.
Link | June 8th, 2010 at 2:41 pm
When you are configuring the Desktop Folder Redirection policy Properties, in the Settings tab, make sure you untick “Grant the Exclusive rights to Desktop.”
Also untick “Move the contents of Desktop to the new location.”
If you are dealing with older XP clients you will also need to tick "Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems."
Link | June 8th, 2010 at 3:31 pm
Thanks Sam,
I have set those options; turns out the permissions on the Desktop folder need to be Domain Admins = Full Control and Domain Users = Read only.
That fixed the desktop icons issue.
Now I have to work on the start menu. Any Ideas where to start with that?
Cheers!
Link | June 9th, 2010 at 9:22 am
Well, if you have a fully redirected desktop and don't mind losing the "All Users" items on client computers, then simply enable Start Menu redirection to a common location exactly as you did with the Desktop and set the User Configuration > Policies > Administrative Templates > Start Menu and Taskbar > Remove common program groups from Start Menu policy to "Enabled".
I usually copy a Start Menu from a client computer to form the basis of the shared redirected Start Menu.
Link | June 9th, 2010 at 2:00 pm
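An added PowerShell example, not from Sam or Matt, that prepares a central folder to be the target of the Desktop or Start Menu Folder Redirection policy discussed above, with the permissions Matt reports working (Domain Admins = Full Control, Domain Users = Read only). It assumes a local path on the file server that you share afterwards, takes the domain NetBIOS name from the session, and keeps SYSTEM and local Administrators on the folder so the server itself can manage it; those extra entries and the parameter names are my assumptions.

```powershell
# Added example, not from the original discussion. Builds the ACL for a folder that
# will be the target of "Basic / Redirect to location" Desktop or Start Menu
# redirection, so that every user reads the same content and nobody but admins
# can change it. Assumes a local path on the file server and the session's domain.
param(
    [Parameter(Mandatory = $true)][string]$Path,   # e.g. D:\Redirected\Desktop
    [string]$DomainName = $env:USERDOMAIN
)

if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

$acl = Get-Acl -Path $Path
# Disable inheritance and discard the inherited entries, then drop any explicit ones:
# a default data drive often grants Users modify rights, which would let people write
# to the shared Desktop. The ACL below is then the whole story for this folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($rule) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';       Rights = 'FullControl' },    # assumption: keep for the server
    @{ Id = 'BUILTIN\Administrators';    Rights = 'FullControl' },    # assumption: keep for the server
    @{ Id = "$DomainName\Domain Admins"; Rights = 'FullControl' },    # as reported in the thread
    @{ Id = "$DomainName\Domain Users";  Rights = 'ReadAndExecute' }  # read only, as reported
)
foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $rights, $inherit, $none, $allow)))
}
Set-Acl -Path $Path -AclObject $acl

# Verify: list the resulting entries and name every identity that can still write.
# Only the three Full Control entries should appear in that list.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$after = Get-Acl -Path $Path
$after.Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
$writers = @($after.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeBits) -ne 0) })
Write-Host ('Identities that can write: ' + (($writers | ForEach-Object { $_.IdentityReference.Value }) -join ', '))
```

Pair this with the policy settings Sam lists earlier in the thread: "Grant the user exclusive rights" must be unticked, otherwise the redirection client will try to reset the folder's permissions to the individual user and the shared read-only layout breaks, and "Move the contents" should be unticked so that no user's existing desktop is copied into the common folder.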
Thank you for this! It has helped me solve something that has bothered me for a while now.
Link | August 12th, 2011 at 2:03 am
Just what I was looking for, thank you!
One additional comment: I suddenly, from one moment to the next, had the problem that the Start Menu's Programs items would show up completely empty, but when right-clicking and opening it in Explorer it would show all items.
This I resolved by allowing Authenticated Users read access to the "All Users\Start Menu" folder again, but setting the security to "This folder only".
I then removed the few items that were at the top and placed them into the Programs folder.
It seems that not being able to view the Programs folder inside was what bugged it (Server 2003).
Link | September 25th, 2011 at 12:07 am
What I often use is one (!) mandatory profile, with a custom Start Menu and folder redirections. Only one profile to worry about. When they need a shortcut I just place it in there and the next time they log on they have it! You can do this by sharing the profile. Be sure you make a backup and be careful with the rights.
Link | November 28th, 2011 at 9:21 pm