RDS – Custom Start Menu (Remove Administrative Tools)

KB ID 0001207 

Problem 

Why is it so difficult to remove Administrative tools! The one folder you might not want your users having access to is on everyones start menu by default? I’ve seen posts saying to change the permissions so users can’t run the snap-in’s in that folder, and other posts that suggest removing it from the ‘all users’ profile, and yet more posts that say remove it in preferences with a post Vista start menu. NONE OF THAT WORKED?

This solution is for Windows Server 2012 R2, if you’re running an earlier version then I invite you to post a decent solution a the bottom of the page.

What I did was create a Custom Start screen, then exported that to XML, then configured all my users to use that start screen.

Solution

Log in as an administrator, and tailor the start screen to how you would like if for your users.

2012 Custom Start Screen

Then open a PowerShell session and export the settings to an XML file. I’ve already setup a network share on the RDS server itself to store the XML file in, (grant users ‘read‘ rights to the share).

Export-StartLayout -Path \\{server-name}\{share=name}\{file-name.xml} -As xml

2012 Export Custom Start Screen to XML

Now on the GPO linked to your RDS Server(s) add the following;

Computer Configuration > Administrative Templates > Start Menu and Taskbar > Start Screen Layout

2012 GPO Custom Start Screen RDS

Enable the policy, and point it to the file you exported above. Then either force a policy refresh or wait a while for the new policy to take effect.

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

3 Comments

  1. Nice concise article. Especially valued the start screen export and import XML . It’s really hard to believe that we don’t have an out of the box GPO driven method of doing this. Thinking back to locking down RDS servers for Citrix all the way back to 2000, you always ended up stripping out start menu items from the default users profile or all users profiles. Here were are at server 2016, still no out of the box, or technet guidance as clean cut as your solution. Thanks again.

    Post a Reply
  2. It is faster and easier to just change the NTFS permission on the Administrative Tools folder to only allow Domain admins.

    Post a Reply

Leave a Reply to Nicholas Ciero Cancel reply

Your email address will not be published. Required fields are marked *