GPO to disable server manager icon does not restrict access for users

24,284

Solution 1

If the users have already logged in, those shortcuts will still appear to them. You need to configure this before they log in or delete their local profile. New users logging in should not see these icons.

This will not restrict access to these executables though. If you want to keep the Start Menu and Taskbar tidy, this is fine. If you want to limit what they can launch, you should use a software restriction policy or applocker update through GPO to whitelist only what you want running on that machine.

Solution 2

Do this to simplify your life:

Go the the GPO in question, edit it and go to the following:

User COnfiguration/policies/Administrative Templates/system

Enable: Don't run specified Windows Applications

In that other also click on Show disallowed apps, and add the following:

ServerManager.exe
cmd.exe
powershell.exe

Apply and log off and on depending on the replication of server may take up to an hour to replicate, if that fails do a GPupdate /force.

This will prevent users from accessing the server manager, remember that the Administrator should not be part of the GPO you are setting up.

Share:
24,284

Related videos on Youtube

Kernel Panic
Author by

Kernel Panic

Updated on September 18, 2022

Comments

  • Kernel Panic
    Kernel Panic over 1 year

    I have two servers in a domain, running on VMWare. WS2K8R2 domain controller and Server 2012 RD Session host. I want to disable/remove the server manager and powershell icons from the taskbar, and make them inaccessible to users.

    I have configure group policy Computer Configuration > Policies > Windows Settings > Security Settings > File System and made these entries:

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk

    Removed Creator Owner and Users from the permissions and run gpupdate.

    Users still have those icons available and clicking on them opens up those applications. There are additional GPO's that are active and do work.

    Is there something else I need to check?

    Thank you

  • Kernel Panic
    Kernel Panic about 11 years
    That was it. I was testing the GPO results with the same user account and had already logged in. Much obliged.