Lately I have been setting up a few Citrix XenApp Servers using Windows 2008 R2. I was surprised to learn that some of the things I took for granted in 2003 policy are not available in 2008 R2 and I needed to either create registry hacks or file policies. So I thought I would take some time to document some of these setup procedures.
Windows Explorer
In the left hand pane of Windows explorer I wanted to remove the Favorites, Libraries and Network folders. To do this you first need to navigate to the ShellFolder keys below and grant Full permissions to the Administrators group. You will then be able to adjust the Attributes DWORD value to the values below.
Favorites:
HKEY_CLASSES_ROOTCLSID{323CA680-C24D-4099-B94D-446DD2D7249E}ShellFolder
Set Full Permissions to Administrators on the ShellFolder
Change Attributes DWORD value:
-
Original: a0900100
-
New Value: a9400100
Libraries:
HKEY_CLASSES_ROOTCLSID{031E4825-7B94-4dc3-B131-E946B44C8DD5}ShellFolder
Set Full Permissions to Administrators on the ShellFolder
Change Attributes DWORD value:
-
Original: b080010d
-
New Value: b090010d
Network:
HKEY_CLASSES_ROOTCLSID{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}ShellFolder
Set Full Permissions to Administrators on the ShellFolder
Change Attributes DWORD value:
-
Original: b0040064
-
New Value: b0940064
Administrative Tools
To remove access to Administrative Tools I added the following registry settings to my Citrix Group Policy under:
User Configuration → Preferences → Windows Settings → Registry (Right-click, New, Registry Item)
Start Menu Administrative Tools:
-
General
-
Action: Replace
-
Hive: HKEY_CURRENT_USER
-
Key Path: SoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
-
Value Name: StartMenuAdminTools
-
Value Type: REG_DWORD
-
Value Data: 00000000
-
Base: Hexadecimal
-
Common
-
(Select) Run in logged-on user’s security context (user policy option)
Start Menu Administrative Tools (Root level):
-
General
-
Action: Replace
-
Hive: HKEY_CURRENT_USER
-
Key Path: SoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
-
Value Name: Start_AdminToolsRoot
-
Value Type: REG_DWORD
-
Value Data: 00000000
-
Base: Hexadecimal
-
Common
-
(Select) Run in logged-on user’s security context (user policy option)
Server Manager and Power Shell
When a user profile is created it creates links to the power shell and server manager and places them in the Quicktray. To remove this functionality we are going to deny permissions for normal users to these files.
Computer Configuration → Policies → Windows Settings → Security Settings → File System (Right click, Add File)
Windows Power Shell
-
Select the path below (you may need to show hidden files in your explorer preferences)
-
Remove Users from the security settings
C:ProgramDataMicrosoftWindowsStart MenuProgramsAccessoriesWindows PowerShellWindows PowerShell
Server Manager
-
Select the path below (you may need to show hidden files in your explorer preferences)
-
Remove Users from the security settings
C:ProgramDataMicrosoftWindowsStart MenuProgramsAdministrative ToolsServer Manager
Thanks for posting. I just tried on Windows 2008 R2 SP1 and it didn’t work. Do you know if the values are different for SP1?
Thanks,
K
they are in the Wow6432node.
great post!