I Need To Make A Change With My IT Support! Call (225) 706-8414

Customizing the Start Menu in Windows 2008

You want to configure the Start Menu on a Windows 2008 system to only show certain options to a user.

Solution:

You have a few options, all based on GPO’s doing Folder Redirection. (Of course, ensure the GPO only applies to that specific server. This can be done by setting the GPO Scope Security Filtering to only include the server name in question and nothing else.)

You can create a new Start Menu Folder Redirection GPO where each user has his/her own Start Menu:

  1. Open the Group Policy Management Editor
  2. Create a new GPO
  3. In the Editor, go to <GPONAME>->User Configuration->Policies->Windows Settings->Folder Redirection->Start Menu
  4. In the Target tab, choose “Basic – Redirect everyone’s folder to the same location”
  5. Set the Target folder location to be “Create a folder for each user under the root path”
  6. For the Root Path, choose something logical, like SpellErrorCssClass C:StartMenu
  7. SpellErrorCssClass Be sure to set the NTFS and Share permissions logically.

The above method works, but is tedius as you will need to customize each user’s Start Menu.

A better method is to define a single Start Menu and to use Windows 2008 Access Based Enumeration to do the work for you. With Access Based Enumeration, Windows 2008 will only show directories/files in a Share that you have permission to see. This allows you to use AD groups and permissions to define what portions of a Start Menu are shown. This is a new feature.

  1. Open the Group Policy Management Editor
  2. Create a new GPO
  3. In the Editor, go to <GPONAME>->User Configuration->Policies->Windows Settings->Folder Redirection->Start Menu
  4. In the Target tab, choose “Basic – Redirect everyone’s folder to the same location”
  5. Set the Target folder location to be “Redirect to the following location”
  6. For the Root Path, choose something logical, like C:StartMenu
  7. Be sure to set the NTFS and Share permissions logically.
  8. For the Share permissions, you must use Share and Storage Manager to share a folder like C:StartMenu
  9. Open Administrative Tools->Share and Storage Management
  10. For the StartMenu Share in question, click Properties
  11. Click Advanced
  12. Click “Enable access-based enumeration”
  13. Click Ok
  14. Click the Permissions Tab
  15. Click Share Permissions
  16. Set the security to Everyone:R
  17. Click Ok
  18. Click NTFS Permissions
  19. Set the security to System:F, Domain Admins:F, Domain Users:R
  20. Click Ok
  21. Click Ok

Now we’re ready!

We want to move the default Start Menu contents (located at C:ProgramDataMicrosoftWindowsStart Menu in Windows 2008) to C:StartMenu on the server. We have to move and not copy, because if you copy then Windows 2008 will show both the default Start Menu and C:StartMenu contents. Odd but true. Generally, you want to move everything but Startup and Administrative Tools.

Now for the fun part. Organize your entries in C:StartMenu into directories (e.g., C:StartMenuMicrosoft Office Standard, C:StartMenuMicrosoft Office Pro). Now, for each entry you want to protect:

  1. Right-click the folder/file to hide/protect.
  2. Click Properties
  3. Click Advanced
  4. Click Change Permissions
  5. Deselect “Include inheritable permission…” and click Add on the permission copy question
  6. Click Ok
  7. Click Ok
  8. Click Ok. You are back to the Security tab.
  9. Click the Edit button
  10. Remove “Domain Users”
  11. Add DOMAIN_USER_GROUP:R where DOMAIN_USER_GROUP is the user group required to gain access to that Start Menu entry (e.g., site_quickbooks_users).
  12. Click Ok
  13. Click Ok
  14. All done! At this point when a user clicks the Start Menu, they should only see programs that they have permissions to.

atkb#137

 

Concerned About Cyber Attacks?

CLICK HERE >

Want to Migrate to the Cloud?

CLICK HERE >
Office 365

Ready to Experience Microsoft Office 365?

Want the latest IT news directly in your inbox? Subscribe now!