I love a good challenge. Recently I read the following article from Microsoft about how to tackle the title of this blog. This hack didn’t actually stop the users from accessing the cpl as clever users will just use rundll32 to get around the limitation. This also knocked other “show the following control panel items” policies out.
This really inst a huge issue to most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace manager environment, RES provide a much better interface for printer management which really defunct’s and eliminates the need for the windows method.
The culprit can be seen below:
This problem for me, all stems from the “NoSetFolders” chestnut, anyone who’s tried to lock down a Terminal services environment from Windows Server 2000 onwards will be aware that this “handy” group policy removes the users ability to use [Windows Key] and [E] to open explorer. This issue still isn’t fixed in 2008 R2 and I’m beginning to think Microsoft just wont fix it. Hey no big deal right? Yes, quite a big deal if you ask pedantic users.
Anyway, I digress. Once you remove the NoSetFolders key, the user has the ability to see the devices and printers as below on the start menu, hence my situation.
To remove this folder view for all users, its time to hack the registry!
The Class ID belonging to this start menu item can be found here:
HKEY_CLASSES_ROOTCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}
This dastardly key also has a 32bit relation that can be found here:
HKEY_CLASSES_ROOTWow6432NodeCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}
As with my previous post about removing screen resolution and personalise, its just a matter of removing the users ability to see this registry key.
So below you will find the steps to take to remove this item:
- Take a backup of this key, you’ll thank me if you get it wrong!
- Browse down to HKEY_CLASSES_ROOTCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}
- right click this key, choose permissions, click advanced then owner
- Select administrators from the list, then choose “Apply”.
- browse to the permissions tab and remove the “users” group. (you may need to remove inheritance)
- Click “apply”, then “ok”.
- Repeat step 2 to 6 on HKEY_CLASSES_ROOTWow6432NodeCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}
- Tada! go grab a coffee to celebrate your domination over the windows operating system.
And that’s it, even if the user tries to view the option theres a blank place on the start menu where devices and printers should be. Check back next week and I’ll show you how to replace this shell icon with PowerPrint from RES software.
PS: You can also quite easily script this, Remko provided me with a great script that I’ve modified below to suit this purpose.