Local group policy start menu programs


  1. Posts : 8
    Windows 7
       #1



    Trying to restrict non-admin users from seeing a lot of programs under the Start Menu. Already using the GPO for non-admin users and I'm hoping there is an area where I can achieve the above. So the idea is admin account sees all the programs as normal, non-admin user restricted to only seeing a few programs on the Start menu. Can I achieve this through local group policy, and if so, where?

    Thanks


  2. Posts : 10,485
    W7 Pro SP1 64bit
       #2

    If this is for a home, then it would be simpler to move the shortcuts from all users start menu* to the admin profile(s)**. However, hiding the shortcuts by moving them or via GPO (if there is a way to do that) would not stop users from starting the program via the Windows (file) Explorer.

    GPO can restrict a user from running a program. In theory, this should work no matter how the user attempts to run the forbidden program. In reality, there are ways to start some programs restricted by GPO. That is why I wondered if this is for a home - then we might be talking about adults vs. children.

    *C:\ProgramData\Microsoft\Windows\Start Menu\

    **C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu


  3. Posts : 8
    Windows 7
    Thread Starter
       #3

    No, this is a corporate setup. They simply want the users not to see the clutter under Start menu/Programs (C drive is hidden from them also).

    I agree that moving the shortcuts is fine but I am deploying a Win 7 build through SCCM. During the build I run a VBScript to do the copying/moving, which means at the time of running there are no account profiles other than the local administrator. Problem is they (the company) want the built-in Administrator account to be disabled and then another admin account set up, so although I could indeed simply copy the shortcuts from default user to administrator, they would no longer see them under the new admin account. Hence why I thought the local GPO route (if it can be done !!) would be perfect.


  4. Posts : 186
    Windows 7 Ultimate x64
       #4

    Hello,

    Have you looked into AppLocker?


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #5

    I don't see a GPO option that will help you to hide the clutter of the start menu. Would a logon script work?


  6. Posts : 8
    Windows 7
    Thread Starter
       #6

    I'm not familiar with AppLocker. Looking at the policy link, it looks like the programs still show to the user account but can't be executed. I think my manager just wants them not to see them at all.

    One thing I was thinking. In simple terms they want to copy the program groups away from the Programdata\start menu programs to an account called "Admin" (roaming\appdata\start menu...). As discussed, when the script executes there is no admin profile because nobody has yet logged on. I just wondered what would happen if I simply created a directory of that name in the script - would it screw up the profile for the Admin account when somebody does log in?


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #7

    You mentioned that the local administrator account has logged on and you want to run a script that will unclutter the start menu for regular users. If the local administrator account has logged on, then the default profile and all users profile have been created. Can you use your VBS script to remove the shortcuts of interest from the default and all users user profiles?

    Keep a copy of the shortcuts on a file server.

    A logon script adds these shortcuts to the admin account the first time someone logs on as admin.


    Or, look at using the runas command (assuming that the admin account has already been created and that it has a password assigned to it). If you run something as that admin, then the profile can be created as if someone actually logged on as admin thru the standard interface. Then you can move the shortcuts of interest to that admin account.


  8. Posts : 8
    Windows 7
    Thread Starter
       #8

    Been doing some more testing. During my build process NO profiles exist because nobody has yet logged on. I had thought that if I did a Runas/user="Admin" that this would have the effect of logging in and creating a profile. What I found was that it created a profile called TEMP which duly deleted itself after the script finished. The script is simply moving the shortcuts/group from public to Admin folder so that the Admin account can still see all the options but the public user doesn't have those options, so any new user account logging on doesn't see them.


  9. Posts : 10,485
    W7 Pro SP1 64bit
       #9

    If you can stand the risk of having the admin credentials in a script, then maybe the first standard user to log on can run a one time script that uses runas to create the admin profile and move the shortcuts.


  10. Posts : 8
    Windows 7
    Thread Starter
       #10

    Well, what I did in the end was to set the non-admin GPO to not show common start menu programs, so user-level accounts only see the icons in their own start menu programs under appdata. Then set a logon script to run a little vbs to copy the required folders and shortcuts into their local directory. This appears to work ok - thanks
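
The approach described in post #10, sketched as a PowerShell logon script. This is an added example, not the poster's VBScript: the share path is a hypothetical placeholder, and `NoCommonGroups` is the registry value written by the "Remove common program groups from Start Menu" policy.

```powershell
# Added example: per-user logon script, runs in the user's own context.
# $Source is a hypothetical read-only share holding the approved shortcuts.
$Source    = '\\fileserver\StartMenu\Standard'   # assumption, adjust
$Dest      = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-CommonGroupsHidden {
    # "Remove common program groups from Start Menu" writes NoCommonGroups = 1
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.NoCommonGroups -eq 1)
}

function Copy-ApprovedShortcuts {
    param([string]$From, [string]$To)
    $root   = (Resolve-Path -LiteralPath $From).ProviderPath.TrimEnd('\')
    $copied = 0
    # @() keeps the loop from running once on $null under PowerShell 2.0
    $files  = @(Get-ChildItem -Path $root -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.lnk' })
    foreach ($f in $files) {
        # Rebuild the same folder layout under the user's Start Menu
        $relative = $f.FullName.Substring($root.Length).TrimStart('\')
        $target   = Join-Path $To $relative
        $dir      = Split-Path $target -Parent
        if (-not (Test-Path -LiteralPath $dir)) {
            New-Item -ItemType Directory -Path $dir -Force | Out-Null
        }
        if (-not (Test-Path -LiteralPath $target)) {   # never overwrite
            Copy-Item -LiteralPath $f.FullName -Destination $target
            $copied++
        }
    }
    return $copied
}

if (-not (Test-CommonGroupsHidden)) {
    Write-Warning 'NoCommonGroups is not set: common Start Menu groups are still visible.'
}
if (Test-Path -LiteralPath $Source) {
    $n = Copy-ApprovedShortcuts -From $Source -To $Dest
    Write-Output "Copied $n shortcut(s) to $Dest"
}
```

Only `.lnk` files are copied and nothing is overwritten. As post #2 points out, this changes what users see, not what they can run, so blocking execution still needs a restriction policy such as the AppLocker rules suggested in post #4.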


 
