Customizing or locking down a new Remote Desktop Services server in a Server 2012 environment can be a time-consuming and daunting task. Countless hours will be spent setting up Group Policies, testing them, and deploying them. But far worse than that, you will waste massive amounts of time researching jacked-up ways to do simple things, such as unpinning items from the Taskbar and customizing the Start Screen.
In the past, I had already configured a company-wide Group Policy for our old 2003 Terminal Server environment, and it was simple and easy. No guesswork, no crazy workarounds, shit just worked. The Group Policies covered almost every scenario or task needed to lock down a server, but unfortunately that is not the case anymore.
It seems Microsoft has made the process of doing pretty much anything ridiculous and overcomplicated. As a side rant, we (the world) desperately need a good open source solution for a thin-client type environment with something that mimics Group Policy. I know I’m not the only person out there who would love to give Microsoft the old stink finger once and for all! I for one am tired of sitting and watching companies succumb to the endless money pit that is Microsoft licensing. Where you at, Linux devs?
Anyhow, I decided to write this script to work around a lot of the shortcomings I’ve encountered along the way. One thing I want to gripe about is that resorting to changing file permissions to remove shortcuts is just plain stupid, and redirecting all of the users’ Start Menus to a network share seemed like massive overkill in an already complicated scenario. On top of that, I had 6 separate Remote Desktop servers to fully set up and configure, so I needed to streamline the process a bit. Surprisingly enough, my solution relies solely on batch scripting (and a little makeshift VBScript).
Enough chit-chat. The script is extremely well documented, so here are the highlights/features:
- Removal of the Server Manager and PowerShell links in the Taskbar
- Ability to back up the All Users’ and Default User’s Programs directories to a zip file
- Ability to copy the All Programs Start Menu shortcuts to a list of administrator or power user profile directories
- Customized list of applications to remove from the Classic Shell Start Menu or the Windows Start Screen
- Deleted Start Menu Program entries go into the active user’s Recycle Bin and can be restored if necessary
- Remove System Tools, Accessories, Accessibility, Administrative Tools, Windows Store, PC Settings, Control Panel, Run, Command Prompt, and PowerShell shortcuts from Menus
Download the “Custom_RDS_Start_Menu.bat” script here.
:: RDS SERVER 2012 CUSTOM START MENU AND TASKBAR SHORTCUT REMOVAL
:: Author: Nathan Thomas
:: Date: 02/11/2015
::
:: This script should be run on the RDS server after your server administrators have already
:: logged in at least once so that they get all the shortcuts they need (otherwise you will
:: need to manually copy them later on) but before your end users log in for the first time.
:: In addition, it assumes you have not already made changes or any customizations to the
:: All Users' or Default User's Start Menu profiles and that you have already installed all
:: of the applications that the server will be running. Please note that if you decide
:: to install software after you've run the script, you will manually have to remove that
:: program from the All Users' Start Menu folder and copy it to your administrator profiles
:: if you want them to be able to access it.
::
:: !!!IMPORTANT!!!
:: Please read through the whole script first and customize it for your particular environment
:: before attempting to run it on any server. Run it from an elevated command prompt, and keep
:: the batch file in a directory that only administrators can write to: the helper .vbs files
:: below are generated in, and executed from, that same directory with your privileges.
@ECHO OFF

:: Since there is no built-in way to zip/unzip files from the command prompt, we have to use an
:: add-on VB script. This will auto-create zip.vbs in the directory the batch file is being run from.
:: "%~dp0" is a parameter modifier (not an environment variable) that expands to the drive and
:: path of the batch file itself. The first line uses a single ">" so that a leftover zip.vbs
:: from a previous run is overwritten instead of appended to.
@ECHO InputFolder = WScript.Arguments(0)>"%~dp0zip.vbs"
@ECHO ZipFile = WScript.Arguments(1)>>"%~dp0zip.vbs"
@ECHO CreateObject("Scripting.FileSystemObject").CreateTextFile(ZipFile, True).Write "PK" ^& Chr(5) ^& Chr(6) ^& String(18, vbNullChar)>>"%~dp0zip.vbs"
@ECHO Set objShell = CreateObject("Shell.Application")>>"%~dp0zip.vbs"
@ECHO Set source = objShell.NameSpace(InputFolder).Items>>"%~dp0zip.vbs"
@ECHO objShell.NameSpace(ZipFile).CopyHere(source)>>"%~dp0zip.vbs"
:: CopyHere runs asynchronously, so instead of sleeping a fixed two seconds and hoping the copy
:: has finished, wait until the archive holds as many top-level items as the source folder
:: (bounded at roughly 60 seconds so a stuck copy cannot hang the script forever).
@ECHO waited = 0>>"%~dp0zip.vbs"
@ECHO Do While objShell.NameSpace(ZipFile).Items.Count ^< source.Count And waited ^< 300>>"%~dp0zip.vbs"
@ECHO WScript.Sleep 200>>"%~dp0zip.vbs"
@ECHO waited = waited + 1>>"%~dp0zip.vbs"
@ECHO Loop>>"%~dp0zip.vbs"

:: The path to our new zipper script dealie whopper
SET ZScriptPath="%~dp0zip.vbs"

:: All Users' Start Menu Path
SET AUSMPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs"

:: Back up a copy of the All Users' folder just in case? Recommended
:: default=yes
SET BackupAllUsersSM=yes

:: If so, where do you want to store this backup? Default is the batch file directory.
:: Be forewarned that if you run the script more than once and you don't change the backup
:: file's name, then it will get overwritten and you'd lose your original settings.
SET BAUSMPath="%~dp0AllUsersStartMenu.zip"

:: Back it up
IF %BackupAllUsersSM%==yes (
    CScript //nologo %ZScriptPath% %AUSMPath% %BAUSMPath%
    @ECHO Your All Users' backup file can be found here:
    @ECHO:
    @ECHO %BAUSMPath%
    @ECHO:
)

:: Default User's Start Menu Path
SET DUSMPath="%SYSTEMDRIVE%\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"

:: Back up a copy of the Default User's folder just in case? Recommended
:: default=yes
SET BackupDefaultUserSM=yes

:: If so, where do you want to store this backup? Default is the batch file directory.
:: Be forewarned that if you run the script more than once and you don't change the backup
:: file's name, then it will get overwritten and you'd lose your original settings.
SET BDUSMPath="%~dp0DefaultUserStartMenu.zip"

:: Back it up
IF %BackupDefaultUserSM%==yes (
    CScript //nologo %ZScriptPath% %DUSMPath% %BDUSMPath%
    @ECHO Your Default User's backup file can be found here:
    @ECHO:
    @ECHO %BDUSMPath%
    @ECHO:
)

:: A switch to enable/disable the Loop and Copy section below in case you
:: decide to run the script multiple times for some reason.
:: default=yes
SET EnableFileCopy=yes

:: An array of user profile folders that you want to copy all of the stock
:: Start Menu items to. This is a multiline variable that I made after I realized
:: that Windows usernames can contain a space character. Please read my
:: important notes under the blacklist section below because the same set of
:: rules applies to the formatting of this variable and it has to be exact.
:: Also, this only works for accounts that have already logged on: if you create the
:: folder for an account that has never logged on, Windows will find a folder with that
:: name at first logon and create the profile under a new name instead.
:: Usage Example:
SET ProfileList=^
"administrator^" ^
"johndoe.DMN^" ^
"nthomas"

:: Loop and Copy
:: Copies the All Users' and Default User's Start Menu Programs folders to each profile above.
:: Technically, copying the Default User's profile isn't even necessary as those items
:: were already copied when the users first logged in, but doing it anyway just in case.
IF %EnableFileCopy%==yes (
    SETLOCAL ENABLEDELAYEDEXPANSION
    FOR %%A IN (%ProfileList%) DO (
        REM The "::" form of comment was spewing out errors inside the loop. The second SET
        REM strips the double quotes from the variable, which needs delayed expansion in a FOR loop.
        SET ProfileName=%%A
        SET ProfileName=!ProfileName:"=!
        XCOPY %AUSMPath% "%SYSTEMDRIVE%\Users\!ProfileName!\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" /E /H /I /Q /V /Y
        XCOPY %DUSMPath% "%SYSTEMDRIVE%\Users\!ProfileName!\AppData\Roaming\Microsoft\Windows\Start Menu\Programs" /E /H /I /Q /V /Y
    )
)

:: So we can reuse the variables for the All Users' and Default User's paths and save
:: some time in the next section below, we need to strip the double quotes here as well.
SET AUSMPath=%AUSMPath:"=%
SET DUSMPath=%DUSMPath:"=%

:: Application Blacklist
:: Set the list of applications that you don't want to be displayed in the Start Menu or on the
:: Start Screen for your end users. Basically, here you will be deleting the entries from the All Users'
:: and the Default User's profiles, so make sure you use the variables above to back the folders
:: up somewhere if you so desire. I would highly recommend it. I chose to do it this way instead
:: of changing file permissions on the shortcuts via Group Policy, which still leaves you with
:: folders in your All Programs list and entries underneath them, and I didn't even want to
:: mess with Start Menu folder redirection because it seems way unnecessary. By removing the links
:: to the Administrative Tools folder and System Tools folder, you will essentially be removing the
:: ability for the taskbar shortcuts for PowerShell and Server Manager to be created at first logon.
:: Also, you should prevent users from running any MMC snap-ins via Group Policy, or block them
:: with Software Restriction Policies if you have those set up.
::
:: !!!STOP!!! MAKE SURE YOU COMPLETELY UNDERSTAND THESE INSTRUCTIONS BEFORE PROCEEDING
:: For the multiline variable below to work properly:
:: 1. File paths need to be in double quotes or else any space will be considered a new array entry.
:: 2. File paths can NOT contain wildcards such as %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories*
::    It has to be the exact path to either the folder or the file you want deleted.
:: 3. Except for the very last line, the closing quotation mark of each file path needs to be
::    escaped with a caret (^) symbol.
:: 4. Except for the very last line, after the closing quotation mark of each file path,
::    you need to put a space to separate each array entry followed by a caret (^) symbol to escape
::    the next LINE FEED character.
::    Why both carets are needed: after a caret escapes a line feed, cmd treats the first character
::    of the next line (the opening quote) as escaped, so the path is not parsed as a quoted string.
::    The caret before the closing quote keeps that quote literal too, which is what lets the
::    trailing space-plus-caret continue the line once more.
:: 5. Because the parser therefore does not see the paths as quoted, any of batch's special
::    characters in a file path (ampersand, pipe, redirection arrows, parentheses) must be escaped.
::    More info can be found here: http://www.robvanderwoude.com/escapechars.php
:: These were my application customizations, left for reference and/or for easy copy and paste
:: operations, or simply uncomment them, run, and then comment out or delete the next section.
:: Again, these do NOT stop users from being able to actually open these programs, it only removes
:: the Start Menu/Start Screen shortcuts. If you need that functionality, use Software Restriction Policies.
::
:: SET AppBlacklist=^
:: "%DUSMPath%\desktop.ini^" ^
:: "%DUSMPath%\Documents.lnk^" ^
:: "%DUSMPath%\Pictures.lnk^" ^
:: "%DUSMPath%\System Tools\desktop.ini^" ^
:: "%DUSMPath%\System Tools\Administrative Tools.lnk^" ^
:: "%DUSMPath%\System Tools\Command Prompt.lnk^" ^
:: "%DUSMPath%\System Tools\Control Panel.lnk^" ^
:: "%DUSMPath%\System Tools\Run.lnk^" ^
:: "%DUSMPath%\System Tools\This PC.lnk^" ^
:: "%DUSMPath%\System Tools\computer.lnk^" ^
:: "%DUSMPath%\Accessibility^" ^
:: "%DUSMPath%\Accessories^" ^
:: "%DUSMPath%\Maintenance^" ^
:: "%AUSMPath%\desktop.ini^" ^
:: "%AUSMPath%\Desktop.lnk^" ^
:: "%AUSMPath%\PC settings.lnk^" ^
:: "%AUSMPath%\Immersive Control Panel.lnk^" ^
:: "%AUSMPath%\Search.lnk^" ^
:: "%AUSMPath%\Store.lnk^" ^
:: "%AUSMPath%\Windows Store.lnk^" ^
:: "%AUSMPath%\Accessibility^" ^
:: "%AUSMPath%\Accessories\System Tools^" ^
:: "%AUSMPath%\Accessories\desktop.ini^" ^
:: "%AUSMPath%\Accessories\Math Input Panel.lnk^" ^
:: "%AUSMPath%\Accessories\Remote Desktop Connection.lnk^" ^
:: "%AUSMPath%\Accessories\Snipping Tool.lnk^" ^
:: "%AUSMPath%\Accessories\Sound Recorder.lnk^" ^
:: "%AUSMPath%\Accessories\Steps Recorder.lnk^" ^
:: "%AUSMPath%\Accessories\Windows Media Player.lnk^" ^
:: "%AUSMPath%\Accessories\Wordpad.lnk^" ^
:: "%AUSMPath%\Administrative Tools^" ^
:: "%AUSMPath%\AVG^" ^
:: "%AUSMPath%\Classic Shell^" ^
:: "%AUSMPath%\Foxit Reader\Activate Plugins.lnk^" ^
:: "%AUSMPath%\Maintenance^" ^
:: "%AUSMPath%\Microsoft Silverlight^" ^
:: "%AUSMPath%\OpenOffice 4.1.1\OpenOffice.lnk^" ^
:: "%AUSMPath%\OpenOffice 4.1.1\OpenOffice Base.lnk^" ^
:: "%AUSMPath%\OpenOffice 4.1.1\OpenOffice Draw.lnk^" ^
:: "%AUSMPath%\OpenOffice 4.1.1\OpenOffice Impress.lnk^" ^
:: "%AUSMPath%\OpenOffice 4.1.1\OpenOffice Math.lnk^" ^
:: "%AUSMPath%\System Tools^" ^
:: "%AUSMPath%\VMware^" ^
:: "%AUSMPath%\WampServer"

:: Either uncomment the entries above to re-use my list (and then delete the empty SET below,
:: which would otherwise clear it) or enter your own entries here: put a caret at the very end
:: of the SET line and list the paths on the lines after it in the format described above.
:: Never leave a trailing caret with nothing but a comment after it, because the line
:: continuation would turn that comment into the variable's value.
SET AppBlacklist=

:: Instead of deleting the files, we will send them to the current user's Recycle Bin, but again
:: there is no native way to do this from the command prompt so we need yet another VB script.
:: This will auto-create recycle.vbs in the directory the batch file is being run from.
:: ParseName returns Nothing for a path that does not exist, so check for that instead of
:: letting CScript die with "Object required" on a typo in the blacklist.
@ECHO InputPath = WScript.Arguments(0)>"%~dp0recycle.vbs"
@ECHO Set objShell = CreateObject("Shell.Application")>>"%~dp0recycle.vbs"
@ECHO Set Item = objShell.Namespace(0).ParseName(InputPath)>>"%~dp0recycle.vbs"
@ECHO If Item Is Nothing Then WScript.Echo "Not found, skipping: " ^& InputPath Else Item.InvokeVerb("delete")>>"%~dp0recycle.vbs"

:: The path to our new recycle script dealie whopper
SET RScriptPath="%~dp0recycle.vbs"

:: Loop and Send Array Entries to the Recycle Bin (skipped entirely when the list is empty)
IF DEFINED AppBlacklist (
    FOR %%B IN (%AppBlacklist%) DO (
        CScript //nologo %RScriptPath% %%B
    )
)

:: Cleanup. No /S here: with a full file path, DEL /S would also delete any file of the
:: same name in every subdirectory below the script's directory.
DEL /F /Q %ZScriptPath%
DEL /F /Q %RScriptPath%
@ECHO:
@ECHO Finished script processing.
@ECHO:
PAUSE
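For comparison, here is the same backup, copy and recycle procedure written in PowerShell 3.0, which Server 2012 ships with, so no generated .vbs helpers are needed. This is an added example for this page, not the batch script above or anything from its author. The profile names, the blacklist entries, the timestamped backup file names and the use of robocopy for the copy are this example's own choices, and it needs .NET 4.5 (present on Server 2012) for the zip class.

```powershell
# Added example (not the batch script from this post): backup, copy-to-admin-profiles
# and send-to-Recycle-Bin in PowerShell 3.0 with no generated .vbs helpers.
# Run from an elevated prompt on the RDS host after the admins have logged on once and
# before end users do. Profile names and blacklist entries are placeholders for this example.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5 ZipFile class
Add-Type -AssemblyName Microsoft.VisualBasic              # Recycle Bin aware delete API

$AllUsersSM    = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs'
$DefaultUserSM = Join-Path $env:SystemDrive 'Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
$BackupDir     = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$AdminProfiles = @('administrator', 'johndoe.DMN')        # assumed profile folder names
$Blacklist     = @(                                       # assumed entries, edit for your build
    (Join-Path $AllUsersSM    'Administrative Tools'),
    (Join-Path $AllUsersSM    'System Tools'),
    (Join-Path $DefaultUserSM 'System Tools\Command Prompt.lnk'),
    (Join-Path $DefaultUserSM 'System Tools\Run.lnk')
)

function Backup-StartMenu([string]$Source, [string]$ZipPath) {
    # CreateFromDirectory refuses to overwrite, so clear a stale archive first.
    # Returns the archive size so the caller can see the backup is not empty.
    if (Test-Path -LiteralPath $ZipPath) { Remove-Item -LiteralPath $ZipPath }
    [System.IO.Compression.ZipFile]::CreateFromDirectory($Source, $ZipPath)
    return (Get-Item -LiteralPath $ZipPath).Length
}

function Copy-StockShortcuts([string[]]$Profiles) {
    # Same job as the batch XCOPY loop: push the stock All Users and Default User shortcuts
    # into each admin's own roaming Start Menu before they disappear from the shared folders.
    # Robocopy copies hidden files such as desktop.ini by default; exit codes below 8 are success.
    foreach ($p in $Profiles) {
        $profileRoot = Join-Path $env:SystemDrive "Users\$p"
        if (-not (Test-Path -LiteralPath $profileRoot)) {
            Write-Warning "No profile folder for '$p' (never logged on?); skipping"
            continue
        }
        $dest = Join-Path $profileRoot 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
        foreach ($src in @($AllUsersSM, $DefaultUserSM)) {
            & robocopy.exe $src $dest /E /NFL /NDL /NJH /NJS /NP | Out-Null
            if ($LASTEXITCODE -ge 8) { throw "robocopy failed ($LASTEXITCODE) copying $src to $dest" }
        }
    }
}

function Send-ToRecycleBin([string[]]$Paths) {
    # Recycle rather than delete so a mistake can be undone from this account's Recycle Bin.
    $ui = [Microsoft.VisualBasic.FileIO.UIOption]::OnlyErrorDialogs
    $rb = [Microsoft.VisualBasic.FileIO.RecycleOption]::SendToRecycleBin
    $recycled = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Not found, skipping: $path"; continue }
        if (Test-Path -LiteralPath $path -PathType Container) {
            [Microsoft.VisualBasic.FileIO.FileSystem]::DeleteDirectory($path, $ui, $rb)
        } else {
            [Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile($path, $ui, $rb)
        }
        $recycled += $path
    }
    return $recycled
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'       # a second run never overwrites the first backup
Backup-StartMenu $AllUsersSM    (Join-Path $BackupDir "AllUsersStartMenu-$stamp.zip")    | Out-Null
Backup-StartMenu $DefaultUserSM (Join-Path $BackupDir "DefaultUserStartMenu-$stamp.zip") | Out-Null
Copy-StockShortcuts $AdminProfiles
$removed = Send-ToRecycleBin $Blacklist
"Recycled $($removed.Count) Start Menu entries into $env:USERNAME's Recycle Bin; backups are in $BackupDir"
```

Keep the script in a directory only administrators can write to and run it elevated, for the same reason as the batch version. The Recycle Bin it uses belongs to the account running the script, which is where you restore from if an entry was removed by mistake.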
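Because removing a shortcut is cosmetic rather than an access control, the check a practitioner wants after running either script is what the effective application-control policy actually says about the tools that were just hidden. The following added example (not part of the original post, which refers to Software Restriction Policies) does that for AppLocker. The group names 'DOMAIN\RDS Users' and 'DOMAIN\RDS Admins' are placeholders, and it assumes AppLocker rules are deployed and the Application Identity service is running on the RDS host.

```powershell
# Added example (not from the post): confirm that the tools whose Start Menu entries were
# removed are actually blocked for end users by the effective AppLocker policy, because the
# missing shortcut on its own stops nobody who can type a path into Run or Explorer.
# Group names below are placeholders; requires the AppLocker module (Server 2012 has it).
Import-Module AppLocker

$ToolsHiddenFromMenu = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\mmc.exe",
    "$env:SystemRoot\System32\control.exe",
    "$env:SystemRoot\System32\ServerManager.exe"
)

function Test-HiddenToolsBlocked([string[]]$Paths, [string]$Principal) {
    # Evaluate the merged local + domain policy as the given user or group would see it.
    # PolicyDecision is Allowed, Denied, AllowedByDefault or DeniedByDefault.
    $policy = Get-AppLockerPolicy -Effective
    Test-AppLockerPolicy -PolicyObject $policy -Path $Paths -User $Principal |
        ForEach-Object {
            New-Object PSObject -Property @{
                Principal = $Principal
                File      = $_.FilePath
                Decision  = $_.PolicyDecision
                Rule      = $_.MatchingRule
                Blocked   = ([string]$_.PolicyDecision -match '^Denied')
            }
        }
}

$report = foreach ($g in 'DOMAIN\RDS Users', 'DOMAIN\RDS Admins') {   # placeholder groups
    Test-HiddenToolsBlocked -Paths $ToolsHiddenFromMenu -Principal $g
}
$report | Format-Table Principal, File, Decision, Rule -AutoSize

# Anything still allowed for the end-user group means the shortcut removal changed nothing
# security-wise for that tool; fix the rule set, not the Start Menu.
$exposed = $report | Where-Object { $_.Principal -like '*RDS Users' -and -not $_.Blocked }
if ($exposed) {
    Write-Warning ("Shortcut removal is cosmetic; these still run for RDS Users:`n" + ($exposed.File -join "`n"))
}
```

A Decision of Allowed or AllowedByDefault for the end-user group means the tool still launches from Run, Explorer's address bar or a file association, exactly as the script's own comments warn. Software Restriction Policies have no equivalent cmdlet; there, the check is to log on as a test user and try to launch the same binaries.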