One of the common lock down’s that administrator apply to Remote Desktop Services Servers (a.k.a. Terminal Services (a.k.a. Citrix)) is to remove all but the essential control panel items.
Previous to Windows 7 you had to specify the .cpl (e.g. timedate.cpl) file name of the control panel item you wanted to show or hide however this has changed in Windows 7 and you now need to use the Canonical Name when hiding or showing specific items.
Below I will explain the new way of configuring control panel items for Windows 7 and show you the affect that this has on the control panel.
Before you begin I recommend that you take a look at http://msdn.microsoft.com/en-us/library/ee330741(VS.85).aspx which lists all the Canonical names for the control panel items for Windows 7. You will need to know what CN of the item you want to restrict or allow.
Note: In this example we are only going to show the control panel items we want to see (white list) however if you use the Hide specified Control Panel items policy setting you can black list only the items you don’t want listed.
Step 1. Edit the Group Policy object that is applied to the users that you want to apply the Control Panel configuration.
Step 2. Navigate to User Configuration > Policies > Administrative Templates > Control Panel
Step 3. Double click on the Show only specified Control Panel items setting then check Enabled and then click then Show button.
Step 4. Now you have the Show Contents dialog box open you need to visit the web site that list the names at Canonical Names of Control Panel Items and copy the Canonical name for the control panel item you want to display.
Paste the name into the value field enter the canonical name of the control panel item you want to show in the Value field and click OK.
You will now see that the only available control panel item is the Region and Language options (see below).
However this view is somewhat confusing for users as they can still click on the category but there are not items to display (see below).
To get around this problem also enable the Always open All Control Panel Items (a.k.a Force classic Control Panel) when opening Control Panel setting in the same GPO.
Note: This option is probably not needed if you used the Show only specified Control Panel setting instead.
Now when the users open control panel they will only see the specific control panel items you have allowed without the empty categories.
Blog Post: How to show or hide Control Panel items in Windows 7 using Group Policy http://bit.ly/9LHHtb
How to show or hide Control Panel items in Windows 7 / RDS using Group Policy http://j.mp/bzlwJx
RT @xenappblog: How to show or hide Control Panel items in Windows 7 / RDS using Group Policy http://j.mp/bzlwJx
RT @xenappblog: How to show or hide Control Panel items in Windows 7 / RDS using Group Policy http://j.mp/bzlwJx
So if you need 1 policy that locks down both XP users and Win 7 users, you need to add both sets of entries to the GPO?
I am not certain… but i would asume yes.
How to show or hide Control Panel items in Windows 7 using Group Policy http://bit.ly/a2F4SC
RT @JimMoyle: How to show or hide Control Panel items in Windows 7 using Group Policy http://bit.ly/a2F4SC <Pre 7 names worked too: Printers
Is there a document which specifically outlines why control panel items should be hidden? What is the security risk of leaving them exposed? If users are logging onto a Windows 7 workstation as a regular user, not a local admin, is it really necessary to hide control panel items? Can someone point me to a best practices or justification document for hidding control panel items?
I use the “show only specific items” GPO. How can I enable the “igfxcpl.cpl” (Intel Extreme Graphics)? Using the filename doesn’t work.
Thanks, I’ve been looking for a way to prevent the kids from accessing some of the menus.
Hello to every body, it’s my first pay a visit of this web
site; this webpage contains awesome and truly excellent material for readers.
Have a look at my webpage :: minneapolis house rentals
Hello. I want to know how can i show the Java control panel Ãtem with this GPO.
Thank you very much.