I got several requests and questions about customizing and managing a redirected Start Menu when using a Full Desktop session collection. This post will cover the basics for doing that and is based on implementations we have done for real customers, on Windows Server 2012.
The methods I describe below are therefore meant for Windows Server 2012 RDS environments, but work on Windows 2012 R2 RDS as well.
I used the setup from the Step by Step Windows 2012 R2 Remote Desktop Services – Part 1 post as a base for this guide, so check that post for details on how to set that up in a lab.
I added the “Desktop Experience” feature to the ITWRDS01. This is not a requirement, but was part of another experiment. I realized I left it there when I was almost done with documenting this post.
First things first, let’s prepare this environment for Start Menu redirection.
Creating the Start Menu redirection location
To redirect the Start Menu we need a folder structure that is going to hold the redirected Start Menu. Since the setup I am using only has two servers, a Domain Controller and a Remote Desktop Services server, I will use the Domain Controller to hold this folder structure.
I created the following folder structure:
I shared the “Redirection” folder. No additional settings for this share have been changed here.
Next we’ll need to enable access-based enumeration on the shared folder. To do this open Server Manager on the Domain Controller.
Creating the Start Menu redirection Group Policy Object
As creating the Domain and adding the RDS Server was not covered in the Step-by-step guide, make sure you create an Organizational Unit that holds the RDS Server object.
Now create a new Group Policy Object. For this guide I named it “RedirectedStartMenu”.
Configure three settings in this GPO:
Turn on Loopback processing. You can find this setting by navigating to Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy loopback processing mode. I set it to “Replace” but it all depends on how you configured Group Policies in your domain.
Turn on Start Menu redirection. Navigate to User Configuration -> Policies -> Windows Settings -> Folder Redirection -> Start Menu.
On the Target tab:
Select the Basic setting, since we’re going to redirect for all users in this guide. In the Target folder location box select “Redirect to the following location” and point the Root Path to the share, but include the Start Menu folder in the folder structure.
Creating a temporary user to configure Start Menu redirection settings
The redirected folder structure needs to meet specific requirements. There are several options to configure these requirements. I find the easiest way is to create a temporary user and let this user’s Start Menu be redirected to the predefined folder structure once. That’s why I left “Move the contents of Start Menu to the new location” checked in the Settings tab for the redirection policy.
Create a temporary user and add this user to the Domain Admins group. This is probably too much, but since it’s a temporary user I don’t care about that. I created the user “redirection”.
Completing the Start Menu redirection pre-requisites
Log on to the Full Desktop using the temporary user to redirect the contents of the default Start Menu to the redirected Start Menu folder structure.
Cleaning up before proceeding
Since the basic structure is now in place, let’s clean up a little bit before proceeding.
Remove the temporary user from the Domain Admins group. Do not delete the user, just remove it from the group.
Open the Start Menu redirection policy and remove the check we left in place when we created the policy:
Creating the custom Start Menu
Now let’s have a look at what all these preparations have left us with. RDP to the server and log in with the temporary user.
Do not log off the RDS session just yet.
Log on to the RDS Server with an admin account and install a couple of utilities. For this setup I installed Notepad++ (http://download.tuxfamily.org/notepadplus/6.5.5/npp.6.5.5.Installer.exe), Foxit Reader (http://www.foxitsoftware.com/Secure_PDF_Reader) and WinMerge (http://winmerge.org/downloads).
You can log off the admin account from the RDS Server now.
A user’s Start Menu for a user that does not have a profile yet will be created from the All User’s Start Menu, which is located in “\\itwrds01\c$\ProgramData\Microsoft\Windows\Start Menu\Programs”, and from the Default User’s Start Menu, which is located in “\\itwrds01\c$\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs”.
Log on to the Domain Controller.
Create two folders:
From the All User’s Start Menu path, copy the following items:
Desktop.lnk to \\itwdc01\redirection\startmenu\programs
Windows Accessories\Calculator.lnk to \\itwdc01\redirection\startmenu\programs\accessories
Windows Accessories\Paint.lnk to \\itwdc01\redirection\startmenu\programs\accessories
Windows Accessories\Wordpad.lnk to \\itwdc01\redirection\startmenu\programs\accessories
Foxit Reader\Foxit Reader.lnk to \\itwdc01\redirection\startmenu\programs\extra
Notepad++\Notepad++.lnk to \\itwdc01\redirection\startmenu\programs\extra
WinMerge\WinMerge.lnk to \\itwdc01\redirection\startmenu\programs\extra
From the Default User’s Start Menu path, copy the following items:
Windows System\Control Panel.lnk to \\itwdc01\redirection\startmenu\programs
Windows System\File Explorer.lnk to \\itwdc01\redirection\startmenu\programs
Windows Accessories\Notepad.lnk to \\itwdc01\redirection\startmenu\programs\accessories
Now switch to the All Programs screen on the RDS Session for the temporary user again:
A few things have changed. You can see the application links we added to the Programs folder in the redirected Start Menu. Those are visible in the leftmost column, ungrouped. The folders we created, however (Accessories and Extra), including the program links we copied there, are shown grouped by their folder name. How cool is that? The groups correspond to the folders in the redirected Start Menu folder structure. You can rename these on the fly, and your changes will be reflected in the user’s session immediately should the need arise. And it gets better...
Switch back to the Start Menu and add programs and groups to make it look like this:
How to add program links to the Start Menu like this or how to group them and name those groups is not part of this guide and should be common knowledge for IT pros ;)
Again, leave the temporary user logged on to the RDS Session.
The next step is based on Windows 2012 RDS but works on Windows 2012 R2 RDS as well. There’s a different method available that works on Windows 2012 R2 RDS only, but I’m not going into that right now.
The Start Menu layout and icons are kept in a file in the user profile. To force this layout on all users, we simply copy this file to the Default User’s profile on every RD Session Host in the deployment. Distributing this file, or updates to it, to users that already have a profile is beyond the scope of this post. This post is just a guide that shows a method to ensure all users that don’t have a profile yet will get the default Start Menu layout. So preferably deploy this method before allowing users access to your RDS farm.
From the Domain Controller copy the following file:
\\itwrds01\c$\users\redirection\appdata\local\microsoft\windows\appsFolder.itemdata-ms to \\itwrds01\c$\users\default\appdata\local\microsoft\windows
After the file is copied set it to read-only (the one in the Default User’s profile, not the original file!).
The reason we need to do this is that only read-only files will be copied from the Default User’s profile to a new user profile upon creation. This presents a new problem though. If this file in the new profile remains read-only, which it will if we don’t act on it, the user wouldn’t be able to change anything in the Start Menu.
So open the RedirectedStartMenu Group Policy again.
Navigate to User Configuration -> Preferences -> Windows Settings -> Registry
Add a new Registry Item.
Key Path: Software\Microsoft\Windows\CurrentVersion\Run
Value name: Metro fix
Value type: REG_EXPAND_SZ
Value data: c:\windows\system32\attrib.exe %USERPROFILE%\appdata\local\microsoft\windows\appsfolder.itemdata-ms -R
The result looks like this:
I know this is a rather dirty fix, but it gets the job done.
I tested the whole thing by logging off the temporary user. Then I deleted the local profile (in the original setup I had no profile disks configured, so by default users get a local profile) and logged in again.
Yes, still looks good. Checking the read-only attribute on the appsFolder.itemdata-ms for the temporary user (in my case located in \\itwrds01\c$\users\redirection\appdata\local\microsoft\windows):
Looking good, so the policy to remove the read-only attribute works.
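The copy-and-mark-read-only step for appsFolder.itemdata-ms described above, scripted so it can be repeated for every RD Session Host. This is an added example, not part of the original post; the `$sessionHosts` list is an assumption (the post's lab has a single host), and the paths are the ones given in the post.

```powershell
# Added example, not from the original post. Run from an admin session that
# can reach the c$ administrative share of every RD Session Host.
$fileName = 'appsFolder.itemdata-ms'
$source   = "\\itwrds01\c`$\users\redirection\appdata\local\microsoft\windows\$fileName"

# Assumption: list every RD Session Host here; the post's lab has only one.
$sessionHosts = @('itwrds01')

# The template in the temporary user's profile must stay writable.
$src = Get-Item -Path $source -Force
if ($src.IsReadOnly) {
    throw "The template file itself must not be read-only: $source"
}

$results = foreach ($h in $sessionHosts) {
    $dest = "\\$h\c`$\users\default\appdata\local\microsoft\windows\$fileName"

    # -Force also overwrites a read-only copy left behind by an earlier run.
    Copy-Item -Path $source -Destination $dest -Force

    # Only the copy in the Default User's profile is set read-only.
    Set-ItemProperty -Path $dest -Name IsReadOnly -Value $true

    # Read the result back so a failed copy or attribute change is visible.
    $copy = Get-Item -Path $dest -Force
    New-Object psobject -Property @{
        SessionHost = $h
        ReadOnly    = $copy.IsReadOnly
        SameSize    = ($copy.Length -eq $src.Length)
    }
}

$results | Format-Table SessionHost, ReadOnly, SameSize -AutoSize
```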
Remember that we enabled access-based enumeration on the share? Let’s put that in effect now.
Create a Global Security group in Active Directory called “RDS Extra Applications” or whatever you see fit to call it.
Don’t add any users yet.
Browse to \\itwdc01\redirection\startmenu\programs and open the security tab for the Extra folder.
Click Disable inheritance, and then select to Convert inherited permissions into explicit permissions on this object.
Then click OK.
Click Edit, and remove the Users group from the list.
Click Add, and add the Global Security group we created earlier.
Do not change the default rights for this group, effectively granting it Read access.
Log on to an RDS Session with a test user (Jan Klaassen in my setup).
And the group “Extra” is gone. So what happened here? We limited the Extra folder, and the applications in it, to the security group “RDS Extra Applications”. Since Jan is not a member of this group, access-based enumeration refuses to show the contents when browsing the folder, and this works for the new Start Menu as well.
Now for the cool part of this. Log the test user out of the RDS Session and add the test user to the “RDS Extra Applications” security group.
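The access-based enumeration and Extra folder permission steps above, as a script that also checks that the temporary account from the cleanup step is no longer in Domain Admins. This is an added example, not part of the original post; it assumes it runs elevated on the server hosting the share (itwdc01 in the post) with the ActiveDirectory module available, and that the "Users" entry removed in the GUI is BUILTIN\Users.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

$share     = 'Redirection'
$extraPath = '\\itwdc01\redirection\startmenu\programs\Extra'
$groupName = 'RDS Extra Applications'
$tempUser  = 'redirection'

# Access-based enumeration hides entries the caller has no read access to.
Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force

# Create the (still empty) global security group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global `
        -GroupCategory Security -PassThru
}

# Disable inheritance and convert inherited ACEs into explicit ones.
# Write this to disk first: ACEs still flagged as inherited cannot be removed.
$acl = Get-Acl -Path $extraPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $extraPath -AclObject $acl

# Assumption: "Users" in the post is BUILTIN\Users (well-known SID S-1-5-32-545).
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$acl = Get-Acl -Path $extraPath
$acl.PurgeAccessRules($users)

# Read & execute on the folder and its contents, matching the GUI default.
$ruleArgs = @($group.SID, 'ReadAndExecute',
              'ContainerInherit,ObjectInherit', 'None', 'Allow')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path $extraPath -AclObject $acl

# Verify: ABE is on, inheritance is off, Users is gone, the group can read.
(Get-SmbShare -Name $share).FolderEnumerationMode
$check = Get-Acl -Path $extraPath
$check.AreAccessRulesProtected
$check.Access | Select-Object IdentityReference, FileSystemRights, IsInherited

# The temporary account should no longer be in Domain Admins (expect no output).
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.SamAccountName -eq $tempUser }
```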
This post showed a way of managing a dynamic Start Menu and access to application links for the Start Menu and All Programs Section for Windows 2012 RDS.
Things to consider:
If the user has access to the drive where the applications are installed the user is still able to launch the application. Again, there are several options to prevent that, but locking down the rest of the RDS Session Host is not in the scope of this post.
If you add program folders to the redirected Start Menu they do get added to the All Programs section, but you need to redo the Start Menu layout bit to design a new Start Menu file. You then need to distribute it in some way to all the users who already have a profile, but it would override any customizations those users may have done themselves.
And till next time,