-3

We recently began rolling out 2016 boxes at my place of employment and part of the process I'm going through right now is making the user profiles as 'user friendly' as possible.

As you probably know, Server 2016 has the Windows 10 start menu configuration which, unfortunately for my particular situation, makes Administrative Tools, PowerShell, etc. extremely easy to get to for our clients, who will not be able to run them, but I would like to avoid the possible negative impression/misconception of there being something wrong with the server that they might have if they do try to run any of those shortcuts, so...

I'm trying to get a batch file together that I can run either logged in as each user or from my own domain admin profile and have the folders deleted from appdata roaming and appdata local that contain these shortcuts. I would not want to delete my fellow domain admins' shortcuts, only the clients'.

Here is what I have so far, which does not work perfectly. I have cobbled this together from various scripts I've come across, as I am relatively inexperienced with coding these. In my test environment it is affecting multiple profiles, though I didn't realize it was going to, and it is really only working for the WinX shortcut folder: it is removing that but the other folders remain.

Any help at deciphering my incompetence here would be greatly appreciated..

@ECHO OFF

:START
cls
cd %USERPROFILE%
cd..
set profiles=%cd%

for /f "tokens=* delims= " %%u in ('dir /b/ad') do (

cls
title Removing %%u Unnecessary shortcuts from roaming. . .
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System" echo Deleting....
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System" cd "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System"
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System" del *.* /F /S /Q /A: R /A: H /A: A
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System" rmdir /s /q "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows System"

cls
title Removing %%u More unnecessary shortcuts from roaming. . .
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools" echo Deleting....
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools" cd "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools"
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools" del *.* /F /S /Q /A: R /A: H /A: A
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools" rmdir /s /q "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Administrative Tools"

cls
title Removing %%u Even more unnecessary shortcuts from roaming. . .
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell" echo Deleting....
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell" cd "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell"
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell" del *.* /F /S /Q /A: R /A: H /A: A
if exist "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell" rmdir /s /q "%profiles%\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell"

cls
title Removing %%u Unnecessary shortcuts from WinX Menu. . .
if exist "%profiles%\%%u\AppData\Local\Microsoft\Windows\WinX\Group3" echo Deleting....
if exist "%profiles%\%%u\AppData\Local\Microsoft\Windows\WinX\Group3" cd "%profiles%\%%u\AppData\Local\Microsoft\Windows\WinX\Group3"
if exist "%profiles%\%%u\AppData\Local\Microsoft\Windows\WinX\Group3" del *.* /F /S /Q /A: R /A: H /A: A
if exist "%profiles%\%%u\AppData\Local\Microsoft\Windows\WinX\Group3" rmdir /s /q "%profiles%\%%u\AppData\Local\Microsoft\Windows\WinX\Group3"

)

cls
goto END

:END
exit
  • 3
    Your code is a mess. Please [edit] to format it properly. If you're not sure how, click the ? above the top right corner of the text area and read the information provided. Also, FWIW, your approach is entirely wrong. You should be using a group policy for this instead; it would remove the menu items for you for non-admin users without deleting anything manually. It would also make those menu items available for admins, again automatically. – Ken White Dec 04 '16 at 00:14
  • To clarify the issue using group policy approach: Policies are already in place that prevent users from being able to run these shortcuts. What it doesn't do is remove them from visibility/unpin them from start. I have to manually unpin from start and manually go in and either change the NTFS permissions on the folders containing the shortcuts or delete them to be able to provide the environment I am striving for to the clients. As you can imagine this gets to be time consuming with 30+ users on each server. – therealslimbrady Dec 04 '16 at 05:15
  • Are you all just voting negatively on my question because you don't have an answer or what is the problem? – therealslimbrady Dec 05 '16 at 18:55

1 Answer

0

I was able to find a solution that works for the time being using icacls. Removing permissions from the shortcut folders makes them vanish. I'm sure something not requiring input could be whipped up in PowerShell but I have neither the experience nor the time to get something fancier written up. This works for my situation and I hope it can help someone else out there as well.

@echo off

echo Press the Enter Key To Begin
pause > NUL


::first I had to use takeown for just this folder as it was denying any modification of permissions I was attempting with icacls

takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /R /A

::Next I go in and set the permissions for the shortcuts in ProgramData which are not profile specific and have "Everyone" and "Users" included by default. 
::I have used asterisks for security reasons but they are not part of the live code.

icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /inheritance:r /remove:g Everyone 
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /remove:g Users 
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /grant "Administrators:(CI)(OI)(F)" 
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /grant "*****\Domain Admins:(CI)(OI)(F)" 
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /grant "*****\Domain Admins:(CI)(OI)(F)" 
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /grant "*****\*** Support:(CI)(OI)(M)" 

cls

goto Second

:Second

set /p USER=What is the name of the Userprofile being modified? 
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Server Manager.lnk"
icacls "C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /inheritance:r /remove:g %USER%
icacls "C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools" /inheritance:r /remove:g %USER%
icacls "C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell" /inheritance:r /remove:g %USER%
icacls "C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools" /inheritance:r /remove:g %USER%
icacls "C:\Users\%USER%\AppData\Local\Microsoft\Windows\WinX\Group3" /inheritance:r /remove:g %USER%
del "C:\Users\%USER%\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"


echo.
echo.
echo Operation completed.

goto Second

:End

Funny tidbit I discovered after a frustrating 10-minute period of confusion: despite everything in the properties for the Control Panel shortcut clearly stating that the name of the shortcut is "Control Panel.lnk", the actual name of the shortcut is "4 - Control Panel.lnk". Not sure how universal that naming scheme is, but that is what it was on the server I was working on and seems to be the name on the subsequent servers I've run my batch file on.
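
The answer mentions that a PowerShell version needing no input should be possible; the script below is an added example of one way to do that, not code from the original post. It walks every non-service profile reported by `Win32_UserProfile`, skips the accounts listed in `$ExcludeAccount` (placeholder names, an assumption), and uses `icacls /inheritance:d` rather than the answer's `/inheritance:r`, so the existing SYSTEM and Administrators entries are kept as explicit ACEs and only the profile owner's grant is removed.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Accounts to leave untouched (placeholder names; replace with your admins).
    [string[]]$ExcludeAccount = @('EXAMPLE\admin1', 'EXAMPLE\admin2')
)

# Per-profile folders taken from the batch file in the answer.
$relativePaths = @(
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools',
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools',
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell',
    'AppData\Local\Microsoft\Windows\WinX\Group3'
)

# Win32_UserProfile lists each profile with its owner SID and folder;
# Special = $true marks service profiles (SYSTEM, LocalService, ...).
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special }

foreach ($p in $profiles) {
    try {
        $sid     = [System.Security.Principal.SecurityIdentifier]$p.SID
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "Skipping $($p.LocalPath): SID $($p.SID) does not resolve"
        continue
    }
    if ($ExcludeAccount -contains $account) { continue }   # case-insensitive

    foreach ($rel in $relativePaths) {
        $path = Join-Path $p.LocalPath $rel
        if (-not (Test-Path -LiteralPath $path)) { continue }
        if ($PSCmdlet.ShouldProcess($path, "remove access for $account")) {
            # Copy inherited ACEs to explicit ones, then drop the owner's grant.
            # A leading * tells icacls the identity is a numeric SID.
            icacls $path /inheritance:d | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /inheritance:d failed on $path"; continue }
            icacls $path /remove:g "*$($p.SID)" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /remove:g failed on $path" }
        }
    }
}
```

Running it with `-WhatIf` first lists the folders that would be changed without touching any ACL. The ACL change only hides the shortcuts; blocking execution of the tools themselves remains the job of the policies mentioned in the comments.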