Removing users access to “Devices and Printers” in a Server 2008 R2 / Win 7 Environment.
I love a good challenge. Recently I read an article from Microsoft about how to tackle the problem in this post's title. That hack didn't actually stop users from accessing the .cpl, as clever users will just use rundll32 to get around the limitation, and it also knocked out the other "show only the following control panel items" policies.
This really isn't a huge issue in most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace Manager environment, RES provides a much better interface for printer management, which makes the Windows method redundant.
The culprit can be seen below:
For me this problem all stems from the "NoSetFolders" chestnut: anyone who's tried to lock down a Terminal Services environment from Windows Server 2000 onwards will be aware that this "handy" group policy also removes the user's ability to press [Windows Key]+[E] to open Explorer. This still isn't fixed in 2008 R2 and I'm beginning to think Microsoft just won't fix it. Hey, no big deal, right? Yes, quite a big deal if you ask pedantic users.
Anyway, I digress. Once you remove the NoSetFolders key, the user has the ability to see the devices and printers as below on the start menu, hence my situation.
To remove this folder view for all users, it's time to hack the registry!
The Class ID belonging to this start menu item can be found here:
HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
This dastardly key also has a 32bit relation that can be found here:
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
As with my previous post about removing Screen Resolution and Personalize, it's just a matter of removing the users' ability to see this registry key.
So below you will find the steps to take to remove this item:
- Take a backup of this key; you'll thank me if you get it wrong!
- Browse down to HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
- Right-click this key, choose Permissions, click Advanced, then Owner.
- Select Administrators from the list, then choose "Apply".
- Browse to the Permissions tab and remove the "Users" group (you may need to remove inheritance first).
- Click "Apply", then "OK".
- Repeat steps 2 to 6 on HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
- Tada! Go grab a coffee to celebrate your domination over the Windows operating system.
And that's it: even if the user tries to view the option, there's a blank space on the start menu where Devices and Printers should be. Check back next week and I'll show you how to replace this shell icon with PowerPrint from RES Software.
PS: You can also quite easily script this; Remko provided me with a great script that I've modified below to suit this purpose.
Using my Citrix Edgesight Powershell module with Active directory OU’s.
I received a request on Twitter late last night and it was an interesting one. The person in question wanted to use my current EdgeSight module to import users from Active Directory into the static Citrix EdgeSight groups, but instead of group membership in Active Directory, they wanted to use Active Directory Organisational Units.
All the information on how to use the module is included in the previous post, so I won't re-invent the wheel. Have a read of the previous post for any caveats or pre-emptive misunderstandings.
Below are two code snippets that use OU membership with either the Quest or the Microsoft cmdlets for Active Directory. Just modify the OU path; I've included a long example path in each to ensure there's no confusion about the notation.
Quest Active directory Snap-in:
# Quest Active Directory snap-in
import-module "C:\citrix.edgesight.cmdlets.psm1"
add-pssnapin Quest.ActiveRoles.ADManagement
# Quest uses the canonical (slash-separated) path to the OU
$ADOU = 'domain.domain.com/Country/Users/advanced/Helpdesk'
$esgroupid = 20
# clear the EdgeSight group before import
clear-esgroupmembers -groupid $esgroupid
# get the users from the OU (and its sub-OUs), then import them into EdgeSight
foreach ($user in get-QADUser -SearchRoot $ADOU -SizeLimit 0) {
    $prid = get-ESUserPrid $user.logonname
    # skip accounts EdgeSight has never seen
    if ($prid -ne $null) {
        Add-ESGroupMember -groupid $esgroupid -prid $prid
    }
} # end foreach
Microsoft Active directory module:
# Microsoft Active Directory module
import-module "C:\citrix.edgesight.cmdlets.psm1"
import-module activedirectory
# the Microsoft module takes the distinguished name, leaf OU first
$ADOU = "OU=helpdesk,OU=advanced,OU=Users,OU=Country,DC=domain,DC=domain,DC=com"
$esgroupid = 20
# clear the EdgeSight group before import
clear-esgroupmembers -groupid $esgroupid
# get the users from the OU (SearchScope defaults to Subtree), then import them into EdgeSight
foreach ($user in get-ADUser -filter * -searchbase $ADOU) {
    $prid = get-ESUserPrid $user.samaccountname
    # skip accounts EdgeSight has never seen
    if ($prid -ne $null) {
        Add-ESGroupMember -groupid $esgroupid -prid $prid
    }
} # end foreach
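The two snippets take the same OU in two notations: the Quest snap-in wants the canonical path (domain first, OUs top-down) and the Microsoft module wants the distinguished name (leaf OU first, domain components last). Getting the order wrong silently searches the wrong container, so here is a small converter, added as an example and not part of the original post or the EdgeSight module. The OU values and domain names in it are constructed for illustration; it assumes plain OU and DC components (no escaped commas in RDN values).

```powershell
# Added example: convert between the canonical OU path used by the Quest
# cmdlets and the distinguished name used by the Microsoft AD module.

function ConvertTo-OuDistinguishedName {
    param([Parameter(Mandatory)][string]$CanonicalName)
    # Canonical form: domain.domain.com/Country/Users/advanced/Helpdesk
    $parts  = $CanonicalName.Trim('/') -split '/'
    $domain = $parts[0]
    $ous    = @($parts | Select-Object -Skip 1)
    # A DN lists the leaf OU first, so the path order is reversed.
    [array]::Reverse($ous)
    $ouPart = ($ous | ForEach-Object { "OU=$_" }) -join ','
    $dcPart = (($domain -split '\.') | ForEach-Object { "DC=$_" }) -join ','
    if ($ouPart) { return "$ouPart,$dcPart" } else { return $dcPart }
}

function ConvertFrom-OuDistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Assumption: no escaped commas inside RDN values.
    $ous = @(); $dcs = @()
    foreach ($rdn in ($DistinguishedName -split ',')) {
        $type, $value = $rdn.Trim() -split '=', 2
        switch ($type.ToUpperInvariant()) {
            'OU' { $ous += $value }
            'DC' { $dcs += $value }
            default { throw "Unsupported RDN type '$type' in '$DistinguishedName'" }
        }
    }
    # Canonical form runs top-down, so reverse the leaf-first OU list.
    [array]::Reverse($ous)
    return (($dcs -join '.') + '/' + ($ous -join '/')).TrimEnd('/')
}

# Constructed sample values matching the snippets above.
$canonical = 'domain.domain.com/Country/Users/advanced/Helpdesk'
$dn = ConvertTo-OuDistinguishedName $canonical
Write-Output $dn            # OU=Helpdesk,OU=advanced,OU=Users,OU=Country,DC=domain,DC=domain,DC=com
# Round trip should return the original canonical path.
if ((ConvertFrom-OuDistinguishedName $dn) -ne $canonical) { throw 'round trip failed' }
```

Paste the output of ConvertTo-OuDistinguishedName straight into the $ADOU line of the Microsoft snippet; the round-trip check at the end catches a mistyped component before anything is imported.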
Pulling detailed thin client reports from Igel’s UMS with Powershell.
I needed a full and detailed list recently of all Igel thin client devices and was disappointed with Igel's built-in views and reporting options. As with my previous PowerShell and SQL scripts, I set about getting into the Igel database and pulling the information I required.
This script is fairly niche, so I've not included my usual list of options and explanations; feel free to request more detail if needed.
This script will pull a lot of useful information about each device, from MAC address to firmware ID, and return a full table of contents from your Universal Management Server, as below:
This script only supports trusted connections, so the account you run the script as needs access to the database. If you need to configure non-trusted connections, have a look at my EdgeSight or SQL backup scripts for inspiration.
The only options you need to configure are the SQL server name and database name; these can be found at the start of the script, as below:
The script itself can be found after the jump:
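The author's UMS script is not reproduced on this page, so the following is an added example (not the author's code) of the trusted-connection pattern the post describes: a helper that opens a Windows-authenticated SQL connection with no password in the script, runs a parameterised query and returns the rows. The server, database, table and column names are placeholders; the UMS schema is not shown on this page, so replace them with the real ones.

```powershell
# Added example: trusted (integrated security) SQL query helper in the style
# the post describes. Server, database and table/column names are placeholders.

function Invoke-TrustedSqlQuery {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$Query,
        [hashtable]$Parameters = @{}
    )
    # Integrated Security=SSPI: the account running the script is used, so it
    # needs db_datareader (or equivalent) on the database and nothing is stored
    # in the script. Encrypt=True needs a certificate the client trusts on the
    # SQL instance; on an old lab instance you may have to drop it.
    $builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $builder['Data Source']         = $ServerInstance
    $builder['Initial Catalog']     = $Database
    $builder['Integrated Security'] = $true
    $builder['Encrypt']             = $true

    $conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        # Parameters are bound, never concatenated into the query text.
        foreach ($name in $Parameters.Keys) {
            [void]$cmd.Parameters.AddWithValue("@$name", $Parameters[$name])
        }
        $table   = New-Object System.Data.DataTable
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
        [void]$adapter.Fill($table)
        return ,$table
    }
    finally {
        $conn.Dispose()
    }
}

# Only two things to configure, as in the post: server and database.
$sqlServer = 'SQLSERVER\INSTANCE'   # placeholder
$database  = 'UMS_DB'               # placeholder

# Placeholder table and column names; substitute the UMS schema's own.
$rows = Invoke-TrustedSqlQuery -ServerInstance $sqlServer -Database $database `
    -Query 'SELECT name, mac_address, firmware_id FROM dbo.thinclients WHERE name LIKE @pattern' `
    -Parameters @{ pattern = 'TC-%' }
$rows | Format-Table -AutoSize
```

The DataTable comes back with one column per selected field, so the same helper can feed Export-Csv or a further Where-Object filter without changes.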
Removing Screen Resolution and Personalize shell extensions from a users desktop session.
While working on a XenApp 6 proof of concept I came across this little feature and decided it's time to share it!
When a user right-clicks on the desktop, by default they get access to commands that manipulate the appearance of the desktop. As I had restricted access to the control panel, the two options below were generating errors in the users' sessions:
The error generated is your standard group policy restrictions error message as below:
While digging into this further I found the following registry key that corresponds to the two prompts we see above.
HKEY_CLASSES_ROOT\DesktopBackground
Under this key, you can see both entries that appear on the shell extension menu;
The problem with this key is that it's owned by the TrustedInstaller account, and by default administrators cannot modify it. To modify this key and hide this menu from users (but keep it for administrators), please follow the steps below.
Please note that any hotfix from Microsoft may undo your hard work, so be prepared to redo it if Microsoft decides to work with this key in future.
- Take a backup of this key; you'll thank me if you get it wrong!
- Browse down to DesktopBackground\shell\display
- Right-click this key, choose Permissions, click Advanced, then Owner.
- Select Administrators from the list, then choose "Apply".
- Browse to the Permissions tab and remove the "Users" group.
- Click "Apply", then "OK".
- The "Screen resolution" menu should now disappear from any current and future sessions.
- Repeat steps 2 to 7 on DesktopBackground\Shell\Personalize.
- Tada! Go grab a coffee to celebrate your domination over the Windows operating system.
And that’s it, you should now have a lean, clean and error free shell extension menu when right clicking on the desktop.
Pedantic, begrudging scripters note:
Now if you're a pedantic scripting so-and-so like me, you won't be satisfied leaving this job as a manual task. Despite spending more time than I'd like to admit, I couldn't perform this work in PowerShell, whatever I tried. Luckily the task was extremely easy to do with Helge Klein's SetACL program.
Below is an example of a script to achieve this:
setacl.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn setprot -op "dacl:p_nc;sacl:p_nc" -rec yes
SetACL.exe -on HKLM\software\classes\DesktopBackground -ot reg -actn ace -ace "n:system;p:read" -ace "n:administrators;p:read" -actn clear -clr "dacl,sacl" -actn rstchldrn -rst "dacl,sacl" -rec yes
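Both this post and the Devices and Printers post above hide a shell item by removing the Users group from a registry key, and this post warns that a hotfix may quietly put the permissions back. The following audit is an added example (not from either post and not part of SetACL) that reads the ACL of each key involved and reports whether BUILTIN\Users still has an Allow entry, so the lockdown can be re-checked after patching. It only reads permissions; it assumes the account running it can read the keys (administrators can, since the procedures only remove Users).

```powershell
# Added example: verify that BUILTIN\Users has been removed from the keys
# locked down in the two posts. Keys come from the posts themselves.

$keysToCheck = @(
    'HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}',
    'HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}',
    'HKEY_CLASSES_ROOT\DesktopBackground\shell\display',
    'HKEY_CLASSES_ROOT\DesktopBackground\shell\Personalize'
)

function Test-UsersRemovedFromKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    $psPath = "Registry::$KeyPath"
    if (-not (Test-Path -LiteralPath $psPath)) {
        return [pscustomobject]@{ Key = $KeyPath; Exists = $false; Owner = $null; UsersAccess = $null; LockedDown = $false }
    }
    $acl = Get-Acl -LiteralPath $psPath
    # Any Allow ACE for Users, explicit or inherited, makes the item visible again.
    $userAces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow'
    })
    [pscustomobject]@{
        Key         = $KeyPath
        Exists      = $true
        Owner       = $acl.Owner
        UsersAccess = ($userAces | ForEach-Object { $_.RegistryRights }) -join ','
        LockedDown  = ($userAces.Count -eq 0)
    }
}

# Run this after each patch cycle; a LockedDown=False row means the key needs redoing.
$keysToCheck | ForEach-Object { Test-UsersRemovedFromKey $_ } | Format-Table -AutoSize
```

The Owner column is worth a glance too: after the manual procedure it should read the Administrators group rather than TrustedInstaller, and a key that has gone back to TrustedInstaller with Users readable is the signature of a hotfix having restored the default.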
The curious case of missing file shares on a Microsoft File Server Cluster.
I had a very unusual issue recently where, after a failover, one of my file cluster resources didn't publish all of its shares to the users. Some shares did come up, but many were missing, resulting in users being locked out of their network drives.
I immediately jumped to the registry at HKEY_LOCAL_MACHINE\Cluster\Resources and found the resource by the GUID of my misbehaving file cluster. I could see all the missing shares were still published as resources, as below:
Upon reviewing the event logs, each time the cluster was failed over, each missing share was logging the following event:
Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: xx/xx/xxxx 08:00:27
Event ID: 1068
Task Category: File Server Resource
Level: Warning
Keywords:
User: SYSTEM
Computer: XXXXXXXXXXX.Domain.com
Description: Cluster file share resource 'File Server FileServer' cannot be brought online. Creation of file share 'Vedeni' (scoped to network name Fileserver) failed due to error '5'. This operation will be automatically retried.
Upon reviewing the share permissions, an overzealous administrator had trimmed the NTFS permissions, removing the local SYSTEM account. Each time a cluster resource comes online, the cluster uses the local SYSTEM account to enumerate the shares and present them. Remove this account and your shares won't come online (error '5' is access denied).
This account doesn't need to be on every folder, just each folder a share is based on. E.g. if you share d:\share\finance as \\server\finance, only the finance folder needs access granted to the SYSTEM account.
To resolve, grant the SYSTEM account access to the folder with "this folder only" scope, then restart the file server resource. The resource will come online and your shares will be available again!
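A quick way to catch this before the next failover is to check every share's root folder for a SYSTEM Allow entry. The script below is an added example (not from the original post): it enumerates disk shares through Win32_Share, which is available on Server 2008 R2, reads the NTFS ACL of each share root and flags those where NT AUTHORITY\SYSTEM has no Allow ACE. It assumes it is run on the cluster node that currently owns the file server resource, so the shares are online and visible locally.

```powershell
# Added example: find shares whose root folder no longer grants SYSTEM access,
# the condition that produces event 1068 with error '5' on failover.

function Get-ShareSystemAccess {
    param([string]$ComputerName = '.')
    # Type 0 = disk share; this skips IPC$, ADMIN$, C$ and printer shares.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        Where-Object { $_.Type -eq 0 -and $_.Path }
    foreach ($share in $shares) {
        if (-not (Test-Path -LiteralPath $share.Path)) {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; SystemAccess = 'PATH NOT FOUND'; Ok = $false }
            continue
        }
        $acl = Get-Acl -LiteralPath $share.Path
        # Only the share root matters, as the post notes; inherited ACEs count.
        $systemAces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
            $_.AccessControlType -eq 'Allow'
        })
        [pscustomobject]@{
            Share        = $share.Name
            Path         = $share.Path
            SystemAccess = ($systemAces | ForEach-Object { $_.FileSystemRights }) -join ','
            Ok           = ($systemAces.Count -gt 0)
        }
    }
}

# Report only the shares that would fail to come online.
Get-ShareSystemAccess | Where-Object { -not $_.Ok } | Format-Table -AutoSize

# Remediation for one folder, matching the post's "this folder only" advice:
# an icacls grant without (OI)(CI) applies to the folder itself and nothing below it.
#   icacls "D:\share\finance" /grant "NT AUTHORITY\SYSTEM:(F)"
```

Run the report on the active node after any permissions clean-up; an empty result means every share root still lets SYSTEM in and the resource should fail over cleanly.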