You have a Microsoft Windows Server 2008 R2 machine that is used as a Remote Desktop Services (RDS) server. A number of users are going to use this RDS server to run a software suite. Some of these users are known for meddling with the system and others for deleting files and folders at random. Securing the system will take a lot of work, and we’ll start with this simple task.



As users connect they are presented with a very server-like desktop, including an icon for Server Manager as well as PowerShell icons. As the administrator, you don’t want the users to see these icons, let alone use them.



This problem requires a basic understanding of the GPMC (Group Policy Management Console). Please be aware that if you make a GPO, you cannot simply delete it to return to the previous state; you must undo what the GPO did before deleting it.

  1. On the Domain Controller server, open the GPMC by going to Start > Administrative Tools > Group Policy Management.
  2. On the left-hand side, select the OU that your RDS server is in.
  3. Right-click on it and select: Create a GPO in this domain and link it here.
  4. Give it a descriptive name such as “Disable server icons”.
  5. Right-click the policy Disable server icons and select Edit.
  6. A new window will pop up. You may want to maximize it.
  7. On the left-hand side, navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > File System.
     (Screenshot: GPMC displaying the File System folder.)
  8. On the right-hand side, right-click and select: Add file
  9. Add the following files:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk
  10. When the server displays the security settings, make sure you REMOVE Users from the list. Administrators and System should be the only ones with NTFS rights.
  11. On the RDS server, open a command prompt and type gpupdate /force, then log in with a user to test this out.
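
To confirm on the RDS server that the policy really changed the NTFS permissions, the following added example (not part of the original post) reads the ACL of each shortcut listed above and flags any Allow entry that is not Administrators or SYSTEM. The helper name Test-ShortcutAcl and the OK/Review/Missing labels are made up for this example, and it sticks to cmdlets available in the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: run on the RDS server from an elevated PowerShell session.
# The four paths are the shortcuts added to the GPO in the steps above.
$base = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
$shortcuts = @(
    "$base\Accessories\Windows PowerShell\Windows PowerShell.lnk",
    "$base\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk",
    "$base\Administrative Tools\Server Manager.lnk",
    "$base\Administrative Tools\Windows PowerShell Modules.lnk"
)

# Well-known SIDs for Administrators and SYSTEM, so the check does not
# depend on localized group names.
$allowedSids = @('S-1-5-32-544', 'S-1-5-18')
$sidType = [System.Security.Principal.SecurityIdentifier]

# Test-ShortcutAcl is a helper name chosen for this example.
function Test-ShortcutAcl {
    param([string]$Path)

    $result = New-Object PSObject -Property @{ Path = $Path; Status = ''; Unexpected = '' }
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Status = 'Missing'
        return $result
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    $extra = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowedSids -notcontains $_.IdentityReference.Value
    })

    if ($extra.Count -eq 0) {
        $result.Status = 'OK'
    } else {
        $result.Status = 'Review'
        $result.Unexpected = ($extra | ForEach-Object {
            "$($_.IdentityReference.Value) [$($_.FileSystemRights)]"
        }) -join '; '
    }
    return $result
}

$shortcuts | ForEach-Object { Test-ShortcutAcl -Path $_ } |
    Format-Table Status, Unexpected, Path -AutoSize -Wrap
```

A Review row that lists S-1-5-32-545 means the built-in Users group still has access to that shortcut and the GPO has not applied yet. The check only covers the shortcut files; the programs they point to are governed by their own permissions and policies.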

Now your wonderful users should be able to log on without seeing those awesome icons. The next step would be to remove Administrative Tools from the Start menu. I will cover this in another topic.

Published by Wouter Makkinje

I am a 30-year-old IT consultant from Kalmar, Sweden.