0

This isn't really a programming question, but I'm trying to set up a folder structure in the Start Menu on Windows 7. This folder structure has several folders in it with shortcuts inside of those pointing to applications on the computer.

I don't want the user on the computer to be able to mess with that folder structure at all. Right now they are able to move, copy, or delete it from the start menu.

I have found registry edits that lock down the entire Start Menu, but I want control on just the specific folder.

Thanks!

dstew

1 Answer

0

If your users are not administrators on this machine you can just create the folder under C:\ProgramData\Microsoft\Windows\Start Menu instead of %appdata%\Microsoft\Windows\Start Menu. Then only admins can edit it.

If this is an environment where many users have admin rights, things get tricky. You have to modify the NTFS security settings and use the correct type of structure or use a symbolic link.

The problem is having folders in parallel where one is editable and one is not. This is because rights such as delete are inherited from the parent. So to make it work with just NTFS rights you have to remove all rights from the parent (including inheritance) and then give all folders but the undeletable ones their rights back on a deeper level. This is problematic if there are many folders in parallel to your own one because it is a lot of work.

So the only trick to make this work that I found was creating the folder at a different place and then linking it. You would create some folder C:\MyIndestructibleFolders\MyFolder and then remove all permissions on MyFolder.

Keep in mind that if you create a folder it might inherit a lot of permissions from its parents, overwriting things you set. The best way to avoid this is going to the "Advanced" menu of security and clearing the box that says something like "Include inheritable permissions from this object's parent". If it asks for replace or remove, say remove. Then create one entry for your Admin with "Full Access" and one for "Domain Users" or "Users" with the default read settings. I also set it to "readonly" in the GUI but this affects only children so might not be necessary.

Now you create a symbolic link so that this folder is seen in the start menu. Open the cmd and type

mklink /D "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Folder" C:\MyIndestructibleFolders\MyFolder

Now go to the junction in Explorer and also remove all permissions. Just add full access for the administrator this time, no need for any user rights. It should now be visible in the start menu but be undeletable/-moveable.

If you have to do this on several computers programmatically it might be a good idea to look into icacls.

One thing to note is that it will seem that users are still able to drag and drop items into that folder in the start menu. This is not true. What happens if you do that is that a second folder with the same name is created in the user's AppData folder, the file is moved there and the contents of both folders are displayed simultaneously.

This is imo technically the best way to do it, but it's quite complicated. There is another, a lot more hacky way which you can also consider. Files that are in writelock cannot be moved or deleted. You can create a file "~Anchor" and make it invisible inside your folder root. Then you can use PowerShell to writelock it:

$file = [System.io.File]::Open('C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Myfolder\~Anchor', 'Open', 'Read', 'None')

Because of the name with the ~, this will be the first thing Windows tries to move/delete, so it will prevent the operation. If you put your PowerShell script in the Startup folder or create a scheduled task that upon boot will access this with system rights, it should prevent deletion as well.

Syberdoor
  • I've tried editing the ntfs security settings and it doesn't seem to help, the user is still able to drag the folder out of the start menu and delete items within it. – dstew Oct 20 '15 at 19:59
  • I just tried it myself and it worked. Could it be that you have inheritance from parent folders? – Syberdoor Oct 21 '15 at 08:53
  • Ahh will try this today! Thanks! – dstew Oct 21 '15 at 13:37
  • I was able to stop them from being able to delete the folder structure, but they can still move it out of the start menu. – dstew Oct 21 '15 at 14:23
  • Unfortunately that is dependent on the parent again, so one way would be to have your folder in parallel to the programs folder, remove all permissions from their parent and recreate the permissions one level down in the programs folder. Users could then change everything inside programs but not your folder. Not the best method though. I'm thinking maybe one could do something with a junction or hardlink but I will have to do some tests – Syberdoor Oct 21 '15 at 15:15
  • I updated my solution with everything I found, I hope it works for you now – Syberdoor Oct 22 '15 at 07:40
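
The answer's folder-plus-symbolic-link procedure, scripted with icacls for use on several machines. This is an added example, not code from the original answer. It uses the answer's sample paths, assumes an elevated prompt, and `Invoke-Native` is a hypothetical helper name.

```powershell
# Added example: scripted form of the manual steps in the answer above.
# Paths are the answer's sample paths; Invoke-Native is a hypothetical helper.
$ErrorActionPreference = 'Stop'

$target = 'C:\MyIndestructibleFolders\MyFolder'
$link   = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Folder'

# Well-known SIDs, so the script does not depend on localized group names.
$admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$users  = '*S-1-5-32-545'   # BUILTIN\Users

function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Changing ACLs under ProgramData and creating symbolic links both need elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# 1. Create the real folder outside the Start Menu tree.
if (-not (Test-Path $target)) {
    New-Item -ItemType Directory -Path $target | Out-Null
}

# 2. Drop inherited ACEs, then grant Administrators full control and Users
#    read/execute, both inherited by child folders (CI) and files (OI).
Invoke-Native icacls @($target, '/inheritance:r',
    '/grant:r', "${admins}:(OI)(CI)F",
    '/grant:r', "${users}:(OI)(CI)RX")

# 3. Create the directory symbolic link (mklink is a cmd.exe built-in).
if (-not (Test-Path $link)) {
    Invoke-Native cmd @('/c', 'mklink', '/D', $link, $target)
}

# 4. Lock down the link itself. /L makes icacls act on the link, not its target.
Invoke-Native icacls @($link, '/L', '/inheritance:r', '/grant:r', "${admins}:F")

# 5. Print both ACLs so the result can be checked by eye or captured in a log.
Invoke-Native icacls @($target)
Invoke-Native icacls @($link, '/L')
```

In the step 5 output, neither ACL should list an entry marked `(I)`, which is how icacls flags an inherited ACE.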