Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Local group policy start menu programs


01 Mar 2013   #1

Windows 7
 
 
Local group policy start menu programs

Trying to restrict non-admin users from seeing a lot of programs under the Start Menu. Already using the GPO for non-admin users and I'm hoping there is an area I can achieve the above. So the idea is admin account sees all the programs as normal, non-admin user restricted to only seeing a few programs on the Start menu. Can I achieve this through local group policy and if so where

Thanks

My System SpecsSystem Spec
.

01 Mar 2013   #2

W7 Pro SP1 64bit
 
 

If this is for a home, then it would be simpler to move the shortcuts from all users start menu* to the admin profile(s)**. However, hiding the shortcuts by moving them or via GPO (if there is a way to do that) would not stop users from starting the program via the Windows (file) Explorer.

GPO can restrict a user from running a program. In theory, this should work no matter how the user attempts to run the forbidden program. In reality, they are ways to start some programs restricted by GPO. That is why I wondered if this is for a home - then we might be talking about adults vs. children.

*C:\ProgramData\Microsoft\Windows\Start Menu\

**C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu
My System SpecsSystem Spec
02 Mar 2013   #3

Windows 7
 
 

No this is a corporate setup. They simply want the users not to see the clutter under Start menu/Prgrams (C drive is hidden from them also)

I agree that moving the shortcuts if fine but I am deploying a Win 7 build through SCCM. During the build I run a VBscript to do the copying/moving which means at the time of running there are no account profiles other than the local administrator. Problem is they (the company) want the built in Administrator account to be disabled and then another admin account setup so although I could indeed simply copy the shortcuts from default user to administrator then they would no longer see them under the new admin account. Hence why I though the local GPO route (if it can be done !!) would be perfect
My System SpecsSystem Spec
.


02 Mar 2013   #4

Windows 7 Ultimate x64
 
 

Hello,

Have you looked into AppLocker?


Attached Thumbnails
Local group policy start menu programs-applocker.jpg  
My System SpecsSystem Spec
02 Mar 2013   #5

W7 Pro SP1 64bit
 
 

I don't see a GPO option that will help you to hide the clutter of the start menu. Would a logon script work?
My System SpecsSystem Spec
03 Mar 2013   #6

Windows 7
 
 

I'm not familiar with Applocker. Looking at the policy link it looks like the programs still show to the user account but can't be executed. I think my manager just wants them not to see them at all

One thing I was thinking. In simple terms they want to copy the program groups away from the Programdata\start menu programs to account called "Admin" (roaming\appdata\start menu...). As discussed when the script executes there is no admin profile because nobody has yet logged on. I just wondered what would happen if I simply created a directory of that name in the script - would it screw up the profile for the Admin account when somebody does log in
My System SpecsSystem Spec
03 Mar 2013   #7

W7 Pro SP1 64bit
 
 

You mentioned that the local administrator account has logged on and you want to run a script that will unclutter the start menu for regular users. If the local administrator account has logged on, then the default profile and all users profile has been created. Can you use your VBS script to remove the shortcuts of interest from the default and all users user profiles?

Keep a copy of the shortcuts on a file server.

A logon script adds these shortcuts to the admin account the first time someone logs on as admin.


Or, look at using the runas command (assuming that the admin account has already been created and that it has a password assigned to it). If you run something as that admin, then profile can be created as if someone actually logged on as admin thru the standard interface. Then you can move the shortcuts of interest to that admin account.
My System SpecsSystem Spec
05 Mar 2013   #8

Windows 7
 
 

Been doing some more testing. During my build process NO profiles exist because nobody has yet logged on. I had thought that if I did a Runas/user="Admin" that this would have the effect of logging in and creating a profile. What I found that it created a profile called TEMP which duly deleted itself after the script finished. The script is simply moving the shortcuts/group from public to Admin folder so that the Admin account can still see all the options but the public user doesn't have those options so any new user account logging on doesn't see them
My System SpecsSystem Spec
05 Mar 2013   #9

W7 Pro SP1 64bit
 
 

If you can stand the risk of having the admin credentials in a script, then maybe the first standard user to log on can run a one time script that uses runas to create the admin profile and move the shortcuts.
My System SpecsSystem Spec
07 Mar 2013   #10

Windows 7
 
 

Well, what I did in the end was to set non-admin GPO to not show common start menu program, so user level account only see the icons in their own start menu programs under appdata. Then set a logon script to run a little vbs to copy the required folders and shortcuts into their local directory. This appears to work ok - thanks
My System SpecsSystem Spec
Reply

 Local group policy start menu programs




Thread Tools



Similar help and support threads for2: Local group policy start menu programs
Thread Forum
Local Group Policy Editor - Open Tutorials
Solved local group policy editor General Discussion
How to copy local Group Policy? System Security
Can't access Local Group Policy Editor General Discussion
Editing Local Group Policy General Discussion
local group policy editor General Discussion
Group Policy Editor or Local Security Policy System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 08:28 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33