Customizing pinned shortcuts on the Taskbar for Windows Server 2008 R2

OK, this is one way. I am sure there are several others. Can anyone say convoluted…?

(This is mainly intended for use on Remote Desktop Servers.)

  1. Create a test user.
    My user is named Bob in this example.
  2. Log on as Bob and pin the shortcuts you want on the Taskbar, and remove the ones you do not want.
  3. Log off Bob and log on as an Administrator.
  4. Load the Default User registry hive:
    reg.exe load HKUDefaultUser c:UsersDefaultNTUSER.DAT
  5. Load Bob’s registry hive:
    reg.exe load HKUBob c:UsersBobNTUSER.DAT
    (Your path may be different.)
  6. Export the following key:
    (reg.exe export HKEY_USERSBobSoftwareMicrosoftWindowsCurrentVersionExplorerTaskband Taskbar.reg)
  7. Edit the Taskbar.reg file:
    1. Remove the FavoritesResolve value.
    2. Change the key path from Bob to DefaultUser (this is the name in the registry path where you mounted the Default User hive). This so we can import the changes that Bob made to his Taskbar into the loaded Default User profile registry.
    3. Save and import
      The changes should now be in the Default User registry.
  8. Unload Bob’s hive and the Default User hive:
    reg.exe unload HKUBob
    reg.exe unload HKUDefaultUser
  9. Navigate to the following folder in Bob’s profile:
    <Bob’s profile root>AppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser Pinned
  10. Copy the entire contents of the folder into the same location in the Default User profile.
    (xcopy.exe “c:UsersBobAppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser Pinned*.*” “c:UsersDefaultAppDataRoaming
    MicrosoftInternet ExplorerQuick Launch”
  11. Run the following commands to remove the Everyone and BUILTINUsers security principals from the Server Manager and PowerShell shortcuts. These are copied into the User Pinned folder for every new profile, and the only way to prevent this (that I have found), is to prevent access to them. The Administrator still retains access through the remaining permissions on the shortcut files.
    1. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAccessoriesWindows PowerShell” /T /inheritance:d
    2. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAccessoriesWindows PowerShell” /T /remove:g *S-1-1-0 *S-1-5-32-545
    3. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAdministrative ToolsServer Manager.lnk” /inheritance:d
    4. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAdministrative ToolsServer Manager.lnk” /remove:g  *S-1-1-0 *S-1-5-32-545
      NOTE: These file system security settings can be propagated with Group Policy Security Policies. A template file doing just that is attached to this post.
  12. Log on as another regular user (not Bob) and verify that the pinned programs are available.
  13. Duplicate the Default User profile to other servers if necessary.


Security Policy Template File


Automatic Updates Client command line parameters

The Automatic Updates Client Utility (wuauclt.exe) supports a few command line parameters. Some of them are documented, others not. Here are the ones I have found:

Parameter Explanation
/detectnow Run a detection cycle
/a /resetauthorization Resets the WSUS cookie. (If used together with /detectnow; /resetauthorization must be entered before /detectnow.)
/r /ReportNow Sends all queued reporting events to the server asynchronously.
/ShowSettingsDialog Display the Windows Update settings dialogue
/ShowWU Open the Windows Update Control Panel Applet
/ShowWindowsUpdate Open the Windows Update Control Panel Applet
/ShowWUAutoScan Open Windows Update Control Panel Applet and scan for updates
/ShowFeaturedUpdates Opens the Features Updates list
/ShowOptions Opens the Windows Updates Settings window
/ShowFeaturedOptInDialog Opens the OptIn dialogue for Featured Updates
/DemoUI Display Windows Update notification in tray

More info:

One thing to be aware of when it comes to wuauclt.exe is that it has no desire or need whatsoever to inform you whether any of the parameters you submitted actually worked, or were even vaild! No matter what you supply as a parameter to wuauclt.exe you will get absolutely nothing back. So check your typing. You have been warned.

Some Windows Server 2008 R2 Failover Cluster Notes

  • You should format you shared disks with NTFS before you form you cluster. If not the disks will not be eligible as witness disks. (NTFS is a requirement for a disk witness.) Do not assign a drive letter or mount point to your witness disk. (Disks used e.g. for a clustered file server needs a drive letter assigned. Do this through Failover Cluster Manager.)
  • If you want to run, say, a clustered file server, the corresponding role must be installed on the nodes of the cluster. This is true for all built-in roles.
  • To be able to add a share to a clustered file server in Failover Cluster Manager; the Remote Volume Management firewall exception must be enabled on all nodes. To enable this exception from the command line:
    netsh advfirewall firewall set rule group=”Remote Volume Managmenet” new enable=yes
  • To move the default cluster group (called Cluster Group by default) with PowerShell:
    Move-ClusterGroup –Name “Cluster Group” –Node <name of destination node>
  • To see the owner of the default cluster group with PowerShell (the only way you can actually see that information, to my knowledge (except with cluster.exe, of course)):
    Get-ClusterGroup “Cluster Group”

Happy clustering!