While working in a XenApp 6 proof of concept I came accross this little feature and decided its time to share it!
When a user right clicks on the desktop, by default they get access to commands to manipulate the appearance of the desktop. As I restricted access to the control panel, the two options below were generating errors in the users sessions:
The error generated is your standard group policy restrictions error message as below:
While digging into this further I found the following registry key that corresponds to the two prompts we see above.
Under this key, you can see both entries that appear on the shell extension menu;
The problem with this key is, its owned by the TrustedInstaller account, and by default administrators cannot modify it. To modify this key and hide this menu from users (but maintain it for administators) please follow the below steps.
Please note, any hotfixes from microsoft may remove your hard work, so be prepared to redo this work if Microsoft decide to work with this key in future.
- Take a backup of this key, you’ll thank me if you get it wrong!
- Browse down to desktopbackgroundshelldisplay
- right click this key, choose permissions, click advanced then owner
- Select administrators from the list, then choose “Apply”.
- browse to the permissions tab and remove the “users” group.
- Click “apply”, then “ok”.
- The “screen resolution” menu should now disappear from any current and future sessions.
- Repeat step 2 to 8 on DesktopBackgroundShellPersonalize.
- Tada! go grab a coffee to celebrate your domination over the windows operating system.
And that’s it, you should now have a lean, clean and error free shell extension menu when right clicking on the desktop.
Pedantic, begrudging scripters note:
Now if you’re a pedantic scripting so and so like me, you wont be satisfied to leave this job as a manual task. And despite spending more time than I’d like to admit, I couldn’t perform this work in powershell despite what I tried. Luckily the task was extremely easy to do with Helge Klein‘s setacl program.
Below is an example of a script to achieve this:
setacl.exe -on HKLMsoftwareclassesDesktopBackground -ot reg -actn setprot -op dacl:p_nc;sacl:p_nc -rec yes
SetACL.exe -on HKLMsoftwareclassesDesktopBackground -ot reg -actn ace -ace “n:system;p:read” -ace “n:administrators;p:read” -actn clear -clr “dacl,sacl” -actn rstchldrn -rst “dacl,sacl” -rec yes