Customizing pinned shortcuts on the Taskbar for Windows Server 2008 R2

OK, this is one way. I am sure there are several others. Can anyone say convoluted…?

(This is mainly intended for use on Remote Desktop Servers.)

  1. Create a test user.
    My user is named Bob in this example.
  2. Log on as Bob and pin the shortcuts you want on the Taskbar, and remove the ones you do not want.
  3. Log off Bob and log on as an Administrator.
  4. Load the Default User registry hive:
    reg.exe load HKUDefaultUser c:UsersDefaultNTUSER.DAT
  5. Load Bob’s registry hive:
    reg.exe load HKUBob c:UsersBobNTUSER.DAT
    (Your path may be different.)
  6. Export the following key:
    HKEY_USERSBobSoftwareMicrosoftWindowsCurrentVersionExplorerTaskband:
    (reg.exe export HKEY_USERSBobSoftwareMicrosoftWindowsCurrentVersionExplorerTaskband Taskbar.reg)
  7. Edit the Taskbar.reg file:
    1. Remove the FavoritesResolve value.
    2. Change the key path from Bob to DefaultUser (this is the name in the registry path where you mounted the Default User hive). This so we can import the changes that Bob made to his Taskbar into the loaded Default User profile registry.
    3. Save and import
      The changes should now be in the Default User registry.
  8. Unload Bob’s hive and the Default User hive:
    reg.exe unload HKUBob
    reg.exe unload HKUDefaultUser
  9. Navigate to the following folder in Bob’s profile:
    <Bob’s profile root>AppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser Pinned
  10. Copy the entire contents of the folder into the same location in the Default User profile.
    (xcopy.exe “c:UsersBobAppDataRoamingMicrosoftInternet ExplorerQuick LaunchUser Pinned*.*” “c:UsersDefaultAppDataRoaming
    MicrosoftInternet ExplorerQuick Launch”
    )
  11. Run the following commands to remove the Everyone and BUILTINUsers security principals from the Server Manager and PowerShell shortcuts. These are copied into the User Pinned folder for every new profile, and the only way to prevent this (that I have found), is to prevent access to them. The Administrator still retains access through the remaining permissions on the shortcut files.
    1. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAccessoriesWindows PowerShell” /T /inheritance:d
    2. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAccessoriesWindows PowerShell” /T /remove:g *S-1-1-0 *S-1-5-32-545
    3. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAdministrative ToolsServer Manager.lnk” /inheritance:d
    4. icacls.exe “%ProgramData%MicrosoftWindowsStart MenuProgramsAdministrative ToolsServer Manager.lnk” /remove:g  *S-1-1-0 *S-1-5-32-545
      NOTE: These file system security settings can be propagated with Group Policy Security Policies. A template file doing just that is attached to this post.
  12. Log on as another regular user (not Bob) and verify that the pinned programs are available.
  13. Duplicate the Default User profile to other servers if necessary.

References:

Security Policy Template File

Morgan

Leave a comment

Your email address will not be published. Required fields are marked *