dcsimg

Getting control: Remove settings from menu start by policy

By ServerWatch Staff (Send Email)
Posted Dec 17, 2000


B. Teunis

Abstract:

In the old fashioned NT Workstation environment it was easy to disable settings in the menu start by the default policy template. When you install IE 5.x there are 2 items added to settings, which you can't control from the default policy template. You have to develop your own develop your own policy template. In this article it is shown how you can do that. Why? In some cases there is a need for a zero administration client or just an idiot-proof client. What we saw is that in many cases where there is just one application running (i.e. a call center) there is a higher need for an idiot-proof client.

What do we mean?

In the old fashioned NT Workstation environment it was easy to disable settings in the menu start by the default policy template. When you install IE 5.x there are 2 items added to settings, which you can't control from the default policy template. You have to develop your own develop your own policy template. In this article it is shown how you can do that. Why? In some cases there is a need for a zero administration client or just an idiot-proof client. What we saw is that in many cases where there is just one application running (i.e. a call center) there is a higher need for an idiot-proof client.

Figure1: what we mean, sorry it is in dutch

Which registry keys are involved?

For the active desktop, the following registry key is involved
Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoActiveDesktop
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable restriction, 1 = enable restriction)

For FolderOptions, the following registry key is involved
Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoFolderOptions
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = show options, 1 = hide options)

How to apply this in the .adm file?

Just open the common.adm with the notepad editor and go to the Category !!shell (see example below):

CATEGORY !!Shell
CATEGORY !!Restrictions
KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

POLICY !!RemoveRun
VALUENAME "NoRun"
END POLICY

POLICY !!RemoveFolders
VALUENAME "NoSetFolders"
END POLICY

POLICY !!RemoveTaskbar
VALUENAME "NoSetTaskbar"
END POLICY

POLICY !!RemoveFind
VALUENAME "NoFind"
END POLICY

POLICY !!HideDrives
VALUENAME "NoDrives" VALUEON NUMERIC 67108863 ; low 26 bits on (1 bit per drive)
END POLICY

POLICY !!HideNetHood
VALUENAME "NoNetHood"
END POLICY

POLICY !!NoEntireNetwork
KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Network
VALUENAME "NoEntireNetwork"
END POLICY

POLICY !!NoWorkgroupContents
KEYNAME Software\Microsoft\Windows\CurrentVersion\Policies\Network
VALUENAME "NoWorkgroupContents" END POLICY

POLICY !!HideDesktop
VALUENAME "NoDesktop"
END POLICY

POLICY !!DisableClose
VALUENAME "NoClose"
END POLICY

POLICY !!NoSaveSettings
VALUENAME "NoSaveSettings"
END POLICY

END CATEGORY
END CATEGORY ; Shell

Add to this section the following Policies

Policy !!DisableActiveDesktop
Valuename "NoActiveDesktop"
End Policy

Policy !!NoFolderOptions
Valuename "NoFolderOptions"
End Policy

The best is to add this just below the RemoveRun policy.After that is done go to the strings sections and add the following strings (this is needed to build up the menu and GUI):

DisableActiveDesktop="Remove the active desktop from settings"
NoFolderOptions="Remove folder options from settings"

After this save the common.adm under it's own name or under a new name.

How it looks?

When opening the policy editor with the common.adm as policy template you will see that there are two items added to the shell\restrictions

figure2 : this is how it should look

You can use these items now to build up your domain policy

Good luck

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.