GPO for removing icons

Discussion in 'Windows Server Systems' started by fimchick, Jul 6, 2005.

  1. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    Anyone have any experience removing specific icons from the Start Menu?

    I'm specifically interested in removing Outlook Express, Messenger, Movie Maker and Games.

    Gracias
     
  2. Blue Jack

    Blue Jack OSNN Addict

    Messages:
    103
    If I am understanding the question correctly, just right click on the icon, and there will be an option to "remove from list".

    Or, if you right click on the start button, go to properties, and on the general tab, there is a button to clear list.
     
  3. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    No, I'm talking about removing them via Group Policy on my Domain.

    Thanks for the suggestion though =]
     
  4. celticfan11

    celticfan11 Moderator

    Messages:
    744
    Location:
    Vernon, CT
    Heh, I did this but I don't remember how :). Somewhere in the GP list of restrictions.
     
  5. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    I could be wrong on this, but I am not sure if that is possible. I know you can restrict certain "Windows" type Start Menu options, like My Documents, Favorites, etc.

    If you want to remove icons like you list, that are pretty much dependent on the items being installed, my best recommendation would be to create a user profile template and push it out, or make it Mandatory Profiles. For those specific icons, I believe that is the only way. I did consult where it would be listed...

    Under User Configuration, Administrative Templates, Start Menu and Task Bar, and I didn't see anything at quick glance. However, I am pretty tired :eek:
     
  6. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    Hmm, ok thanks :)
     
  7. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Did that make sense, do you understand how a Mandatory profile would allow you to do this?

    Basically what you would have to do (and again I am just making sure you know, not trying to insult your intelligence in case you already do know) is log in to any machine on the domain. Create a profile the way you want it, such as removing..

    "I'm specifically interested in removing Outlook Express, Messenger, Movie Maker and Games"

    Once you have done that, log off from that user.

    Next, log back into that SAME machine with a different user account than the one you just modified, but make sure this account has administrative access. Log in, navigate to the Documents and Settings folder of the user that you just modified, and ensure that you can view hidden files and folders. Rename "ntuser.dat" to "ntuser.man". This forces the profile to become mandatory, and can't be done while you are logged in with it. Next, go to Start-Control Panel-System (or right click on My Computer, select Properties), then click on the Advanced tab. Under User Profiles, click Settings. Select, from the list, the profile you just set up the way you want it. Once you do that, click Copy To. Copy this to your server. Make sure to use the FULL UNC path, not D:\profiles. This goes without saying if you are using a workstation, but I made this mistake before where I created the profiles on the server and didn't use the path at first, oops! :)

    Also, ensure that you are sharing out the folder that stores the profiles, and that the Everyone Group has Read Permissions. Read is the default Permissions for the Everyone Group in Win2k3 Server, but it is good to verify.

    Once the profile is copied, you can go to the server, Active Directory Users and Computers, select each user and specify their profile location under the profile tab. Let's take a step back for a moment...

    Since it sounds like you want to force the same profile for everyone, I would suggest creating a structure like this...

    \\SERVER01\profiles\mandatory

    This way you can keep the template for your mandatory profile in that folder, and it gives you the option to later create %username% profiles in the \\SERVER01\profiles\ share if you see fit.

    So you would go and select all users at the same time, (to save you a lot of time, depending on user count), click Action, Properties. The Profile tab is accessible through this method for multiple users. Under profile path, you would put \\SERVER01\profiles\mandatory

    Now, what that does, is next time they log in, that will point them to the mandatory profile that you have set up.

    My mind is a little scattered today, but I believe that should do it. Please, anyone feel free to chime in, just in case there is something I missed, or if anyone else has a question.

    Also, if you already knew this, I wasn't trying to imply that you didn't :) I just wanted to make sure you were satisfied with the solution I suggested.
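
Added example, not part of the post above: a PowerShell check for a mandatory profile folder like the one described. It reports a missing ntuser.man, a leftover ntuser.dat, and NTFS entries that let broad groups write to the template. The function name and the temp demo folder are assumptions of this example, and it inspects NTFS permissions only, not share permissions.

```powershell
# Added example: audit a mandatory profile template folder (NTFS side only).
function Test-MandatoryProfile {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()

    # The rename from ntuser.dat to ntuser.man is what makes the profile mandatory.
    if (-not (Test-Path -LiteralPath (Join-Path $Path 'ntuser.man'))) {
        $findings += 'ntuser.man is missing'
    }
    if (Test-Path -LiteralPath (Join-Path $Path 'ntuser.dat')) {
        $findings += 'ntuser.dat is still present'
    }

    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

    # Any right that lets a user alter the template, plus GENERIC_WRITE / GENERIC_ALL.
    $rights = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int][System.Security.AccessControl.FileSystemRights]$rights -bor 0x50000000

    # Ask for the rules keyed by SID so localized group names do not matter.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $mask)) {
            $findings += "$($ace.IdentityReference.Value) can modify: $($ace.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed demo folder: it still holds ntuser.dat, so it is reported as non-compliant.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'mandatory-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $demo 'ntuser.dat') -Force | Out-Null
Test-MandatoryProfile -Path $demo | Format-List
```

Against the layout from the post, the call would be `Test-MandatoryProfile -Path \\SERVER01\profiles\mandatory`.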
     
  8. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    Awesome! This sounds like it may be just what I'm looking for. I'll give it a try and see how it works out. Thanks!
     
  9. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    No problem, good luck and feel free to post back if you would like some help.
     
  10. Blue Jack

    Blue Jack OSNN Addict

    Messages:
    103
    Sorry, I did misunderstand.

    OKies, the way I did it:

    Group policy, admin templates, system: "don't run specified windows applications".

    To test, I entered msimn.exe for outlook express. After it failed to open, it asks you if you want to remove the icon, hit yes.

    Repeat process for moviemaker, games....

    Moviemaker has its own policy, you can probably disable it from there.
     
  11. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    You could do that as well, but IMO that might be flawed. My reason being he didn't say he wants to block access to the program, just remove the icon. And, if some creative person was really sneaky, they could rename the .exe and it would be able to run after some careful registry editing. Good info though!
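
Added example, not part of the thread: a PowerShell comparison of a name-only block list, like the one "don't run specified windows applications" keeps, with identification by file hash, which still matches after a rename. The demo files are constructed stand-ins and the function names are assumptions of this example; the registry key is where that policy stores its list for the current user.

```powershell
# Added example: name-based versus hash-based identification of a blocked program.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'

function Get-DisallowRunList {
    # Executable names the policy lists for the current user (empty if not configured).
    if (-not (Test-Path $key)) { return @() }
    $k = Get-Item $key
    @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
}

function Test-BlockedByName {
    param([string]$File, [string[]]$Names)
    # The decision depends on the file name alone.
    $Names -contains (Split-Path $File -Leaf)
}

function Test-BlockedByHash {
    param([string]$File, [string[]]$Hashes)
    # The decision depends on the file content, whatever the file is called.
    $Hashes -contains (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
}

# Constructed sample: a stand-in file named like Outlook Express and a renamed copy.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'disallowrun-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$original = Join-Path $dir 'msimn.exe'
$renamed  = Join-Path $dir 'notes.exe'
Set-Content -LiteralPath $original -Value 'constructed stand-in, not a real binary'
Copy-Item -LiteralPath $original -Destination $renamed -Force

# Policy names found on this machine, plus the entry used in the thread.
$names  = @(Get-DisallowRunList) + 'msimn.exe'
$hashes = @((Get-FileHash -LiteralPath $original -Algorithm SHA256).Hash)

foreach ($file in $original, $renamed) {
    [pscustomobject]@{
        File          = Split-Path $file -Leaf
        BlockedByName = Test-BlockedByName -File $file -Names $names
        BlockedByHash = Test-BlockedByHash -File $file -Hashes $hashes
    }
}
```

Software Restriction Policies hash rules apply the content-based approach at the policy level.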