Removing users access to “Devices and Printers” in a Server 2008 R2 / Win 7 Environment.

I love a good challenge. Recently I read an article from Microsoft about how to tackle the title of this blog. That hack didn’t actually stop users from accessing the .cpl, as clever users will just use rundll32 to get around the limitation, and it also knocked out other “show the following control panel items” policies.

This really isn’t a huge issue in most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace Manager environment, RES provides a much better interface for printer management, which makes the Windows method redundant.

The culprit can be seen below:

This problem, for me, all stems from the “NoSetFolders” chestnut: anyone who’s tried to lock down a Terminal Services environment from Windows Server 2000 onwards will be aware that this “handy” group policy removes the user’s ability to use [Windows Key] + [E] to open Explorer. This issue still isn’t fixed in 2008 R2 and I’m beginning to think Microsoft just won’t fix it. Hey, no big deal, right? Yes, quite a big deal if you ask pedantic users.

Anyway, I digress. Once you remove the NoSetFolders key, the user is able to see Devices and Printers on the Start menu, as below, hence my situation.

To remove this folder view for all users, it’s time to hack the registry!

The Class ID belonging to this Start menu item can be found here:

HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

This dastardly key also has a 32-bit relation that can be found here:

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

As with my previous post about removing Screen Resolution and Personalise, it’s just a matter of removing the users’ ability to see this registry key.

So below you will find the steps to take to remove this item:

  1. Take a backup of this key; you’ll thank me if you get it wrong!
  2. Browse down to HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  3. Right-click this key, choose Permissions, click Advanced, then the Owner tab.
  4. Select Administrators from the list, then choose “Apply”.
  5. Browse to the Permissions tab and remove the “Users” group (you may need to remove inheritance first).
  6. Click “Apply”, then “OK”.
  7. Repeat steps 2 to 6 on HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  8. Tada! Go grab a coffee to celebrate your domination over the Windows operating system.

And that’s it: even if the user tries to view the option, there’s a blank space on the Start menu where Devices and Printers should be. Check back next week and I’ll show you how to replace this shell icon with PowerPrint from RES Software.

PS: You can also quite easily script this. Remko provided me with a great script that I’ve modified below to suit this purpose.

[sourcecode language="Powershell"]
## #############################################################################
## Restrict certain Explorer items via registry key.
## #############################################################################
# Map HKEY_CLASSES_ROOT as a PSDrive so Test-Path / Get-Acl / Set-Acl can address it.
if (!(Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ElevatedPrivileges {
    # Enable SeTakeOwnershipPrivilege (LUID 9) in the current process token via
    # ntdll!RtlAdjustPrivilege, so keys owned by TrustedInstaller can be re-owned.
    $definition = @"
using System;
using System.Runtime.InteropServices;

namespace Win32Api
{
    public class NtDll
    {
        [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
        public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
    }
}
"@
    # Add-Type fails if the type already exists, e.g. when the script is run twice in one session.
    if (-not ('Win32Api.NtDll' -as [type])) {
        Add-Type -TypeDefinition $definition -PassThru | Out-Null
    }

    $bEnabled = $false
    $res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
    if ($res -ne 0) { throw ("RtlAdjustPrivilege failed with NTSTATUS 0x{0:X8}" -f $res) }
}

function Take-Ownership {
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string]$regkey
    )
    # Open with TakeOwnership rights only: that is all the privilege grants while
    # TrustedInstaller is still the owner, so do not read the existing descriptor
    # (that would need ReadPermissions) - just write a new owner.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($regkey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
    $acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
    $key.SetAccessControl($acl)
    $key.Close()

    # my bit - give admin full access. Reopen the key now that Administrators own it:
    # changing the DACL needs ChangePermissions, which the first handle did not have.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($regkey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        ([System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
         [System.Security.AccessControl.RegistryRights]::ReadPermissions))
    $acl = $key.GetAccessControl()
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators", "FullControl", "Allow")
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()
    # end bit
} # end ownership function.

function Remove-UserAcl {
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string]$regkey
    )
    Write-Host "$regkey"
    # Remove inheritance, keeping the inherited rules as explicit copies so that
    # only the Users entry goes away in the next step.
    $acl = Get-Acl $regkey
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl $regkey -AclObject $acl

    # Remove BUILTIN\Users. Re-read the ACL so the now-explicit rules can be removed.
    $acl = Get-Acl $regkey
    foreach ($rule in $acl.Access) {
        if ($rule.IdentityReference.Value -eq "BUILTIN\Users") { $acl.RemoveAccessRuleSpecific($rule) }
    }
    Set-Acl $regkey -AclObject $acl
} # end acl function.

# define keys to be restricted (relative to HKEY_CLASSES_ROOT)
$keys = @(
    "CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}",            # Devices and Printers
    "Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}" # 32-bit Devices and Printers
)

# elevate privileges
Get-ElevatedPrivileges

# restrict each key
foreach ($key in $keys) {
    if (Test-Path "hkcr:\$key") {
        Take-Ownership -regkey $key
        Remove-UserAcl -regkey "hkcr:\$key"
    }
}
[/sourcecode]
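As an added example that is not part of the original post or Remko’s script: step 1 above says to take a backup, and the script does not do that, so this exports both CLSID keys with reg.exe first, and afterwards audits each key so you can confirm from the ACL, rather than from the Start menu, that BUILTIN\Users no longer has an entry and inheritance is off. The backup directory C:\RegBackup is an assumed path.

```powershell
# Added example, not from the original post. Back up the two CLSID keys with
# reg.exe, then report whether each key still grants BUILTIN\Users access.
$BackupDir = 'C:\RegBackup'   # assumed location for the .reg backups
$clsid = '{A8A91A66-3A7D-4424-8D24-04E180695C7A}'
$Keys = @("HKCR\CLSID\$clsid", "HKCR\Wow6432Node\CLSID\$clsid")

function Backup-RegKey {
    param([string]$Key, [string]$Dir)
    if (!(Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    # Flatten the key path into a file name; restore later with: reg import <file>
    $file = Join-Path $Dir (($Key -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $Key $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $Key failed (exit $LASTEXITCODE)" }
    return $file
}

function Test-KeyRestricted {
    param([string]$Key)
    if (!(Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $psPath = $Key -replace '^HKCR\\', 'HKCR:\'
    if (!(Test-Path $psPath)) {
        return New-Object PSObject -Property @{ Key = $Key; Exists = $false; Restricted = $false }
    }
    $acl = Get-Acl $psPath
    # Any ACE for BUILTIN\Users, inherited or explicit, means the item is still visible.
    $userRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' })
    New-Object PSObject -Property @{
        Key         = $Key
        Exists      = $true
        Owner       = $acl.Owner
        UsersRights = ($userRules | ForEach-Object { $_.RegistryRights }) -join ','
        Inheritance = -not $acl.AreAccessRulesProtected
        Restricted  = ($userRules.Count -eq 0) -and $acl.AreAccessRulesProtected
    }
}

# 1. Back up both keys before the restriction script runs.
foreach ($k in $Keys) { Write-Host ("Backed up {0} to {1}" -f $k, (Backup-RegKey -Key $k -Dir $BackupDir)) }

# 2. After the restriction script has run, confirm the result from the ACLs.
$Keys | ForEach-Object { Test-KeyRestricted -Key $_ } |
    Format-Table Key, Exists, Owner, UsersRights, Inheritance, Restricted -AutoSize
```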
