 | |
| |
| 01 Mar 2013 | #1 |
| | Local group policy start menu programs Trying to restrict non-admin users from seeing a lot of programs under the Start Menu. Already using the GPO for non-admin users and I'm hoping there is an area I can achieve the above. So the idea is admin account sees all the programs as normal, non-admin user restricted to only seeing a few programs on the Start menu. Can I achieve this through local group policy and if so where Thanks |
My System Specs | |
| 01 Mar 2013 | #2 |
| | If this is for a home, then it would be simpler to move the shortcuts from all users start menu* to the admin profile(s)**. However, hiding the shortcuts by moving them or via GPO (if there is a way to do that) would not stop users from starting the program via the Windows (file) Explorer. GPO can restrict a user from running a program. In theory, this should work no matter how the user attempts to run the forbidden program. In reality, they are ways to start some programs restricted by GPO. That is why I wondered if this is for a home - then we might be talking about adults vs. children. *C:\ProgramData\Microsoft\Windows\Start Menu\ **C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu |
| My System Specs |
| 02 Mar 2013 | #3 |
| | No this is a corporate setup. They simply want the users not to see the clutter under Start menu/Prgrams (C drive is hidden from them also) I agree that moving the shortcuts if fine but I am deploying a Win 7 build through SCCM. During the build I run a VBscript to do the copying/moving which means at the time of running there are no account profiles other than the local administrator. Problem is they (the company) want the built in Administrator account to be disabled and then another admin account setup so although I could indeed simply copy the shortcuts from default user to administrator then they would no longer see them under the new admin account. Hence why I though the local GPO route (if it can be done !!) would be perfect |
| My System Specs |
| . |
| |
| 02 Mar 2013 | #4 |
| | Hello, Have you looked into AppLocker? |
| My System Specs |
| 02 Mar 2013 | #5 |
| | I don't see a GPO option that will help you to hide the clutter of the start menu. Would a logon script work? |
| My System Specs |
| 03 Mar 2013 | #6 |
| | I'm not familiar with Applocker. Looking at the policy link it looks like the programs still show to the user account but can't be executed. I think my manager just wants them not to see them at all One thing I was thinking. In simple terms they want to copy the program groups away from the Programdata\start menu programs to account called "Admin" (roaming\appdata\start menu...). As discussed when the script executes there is no admin profile because nobody has yet logged on. I just wondered what would happen if I simply created a directory of that name in the script - would it screw up the profile for the Admin account when somebody does log in |
| My System Specs |
| 03 Mar 2013 | #7 |
| | You mentioned that the local administrator account has logged on and you want to run a script that will unclutter the start menu for regular users. If the local administrator account has logged on, then the default profile and all users profile has been created. Can you use your VBS script to remove the shortcuts of interest from the default and all users user profiles? Keep a copy of the shortcuts on a file server. A logon script adds these shortcuts to the admin account the first time someone logs on as admin. Or, look at using the runas command (assuming that the admin account has already been created and that it has a password assigned to it). If you run something as that admin, then profile can be created as if someone actually logged on as admin thru the standard interface. Then you can move the shortcuts of interest to that admin account. |
| My System Specs |
| 05 Mar 2013 | #8 |
| | Been doing some more testing. During my build process NO profiles exist because nobody has yet logged on. I had thought that if I did a Runas/user="Admin" that this would have the effect of logging in and creating a profile. What I found that it created a profile called TEMP which duly deleted itself after the script finished. The script is simply moving the shortcuts/group from public to Admin folder so that the Admin account can still see all the options but the public user doesn't have those options so any new user account logging on doesn't see them |
| My System Specs |
| 05 Mar 2013 | #9 |
| | If you can stand the risk of having the admin credentials in a script, then maybe the first standard user to log on can run a one time script that uses runas to create the admin profile and move the shortcuts. |
| My System Specs |
| 07 Mar 2013 | #10 |
| | Well, what I did in the end was to set non-admin GPO to not show common start menu program, so user level account only see the icons in their own start menu programs under appdata. Then set a logon script to run a little vbs to copy the required folders and shortcuts into their local directory. This appears to work ok - thanks |
| My System Specs |
 |
Local group policy start menu programs problems?
| Thread Tools | |
| Similar help and support threads for: Local group policy start menu programs | ||||
| Thread | Forum | |||
| How to copy local Group Policy? | System Security | |||
| Local Group Policy Editor Question | General Discussion | |||
| Editing Local Group Policy | General Discussion | |||
| local group policy editor | General Discussion | |||
| Group Policy Editor or Local Security Policy | System Security | |||
All times are GMT -5. The time now is 03:02 PM.
