
Removing users access to “Devices and Printers” in a Server 2008 R2 / Win 7 Environment.

I love a good challenge. Recently I read the following article from Microsoft about how to tackle the title of this blog. This hack didn’t actually stop the users from accessing the cpl as clever users will just use rundll32 to get around the limitation. This also knocked other “show the following control panel items” policies out.

This really isn’t a huge issue in most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace Manager environment, RES provides a much better interface for printer management, which makes the Windows method defunct and eliminates the need for it.

The culprit can be seen below:

This problem, for me, all stems from the “NoSetFolders” chestnut. Anyone who’s tried to lock down a Terminal Services environment from Windows Server 2000 onwards will be aware that this “handy” group policy removes the user’s ability to use [Windows Key] and [E] to open Explorer. This issue still isn’t fixed in 2008 R2 and I’m beginning to think Microsoft just won’t fix it. Hey, no big deal, right? Yes, quite a big deal if you ask pedantic users.

Anyway, I digress. Once you remove the NoSetFolders key, the user has the ability to see the devices and printers as below on the start menu, hence my situation.

To remove this folder view for all users, it’s time to hack the registry!

The Class ID belonging to this start menu item can be found here:

HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

This dastardly key also has a 32bit relation that can be found here:

HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}

As with my previous post about removing screen resolution and personalise, it’s just a matter of removing the user’s ability to see this registry key.

So below you will find the steps to take to remove this item:

  1. Take a backup of this key; you’ll thank me if you get it wrong!
  2. Browse down to HKEY_CLASSES_ROOT\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  3. Right-click this key, choose Permissions, click Advanced, then Owner.
  4. Select Administrators from the list, then choose “Apply”.
  5. Browse to the Permissions tab and remove the “Users” group (you may need to remove inheritance).
  6. Click “Apply”, then “OK”.
  7. Repeat steps 2 to 6 on HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}
  8. Tada! Go grab a coffee to celebrate your domination over the Windows operating system.

And that’s it. Even if the user tries to view the option, there’s a blank place on the start menu where Devices and Printers should be. Check back next week and I’ll show you how to replace this shell icon with PowerPrint from RES Software.

PS: You can also quite easily script this. Remko provided me with a great script that I’ve modified below to suit this purpose.


## #############################################################################
## 	Restrict certain Explorer items via registry key.
## #############################################################################
if (!(get-psdrive hkcr -ea 0)){New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | out-null}

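function get-elevatedprivileges{
$definition = @"
    using System;
    using System.Runtime.InteropServices;

    namespace Win32Api
    {

       public class NtDll
       {
          // ULONG is 32 bits on Windows, so the first parameter is uint, not ulong.
          [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
          public static extern int RtlAdjustPrivilege(uint Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
       }
    }
"@
    Add-Type -TypeDefinition $definition -PassThru | out-null

    $bEnabled = $false

    # Enable SeTakeOwnershipPrivilege (privilege value 9) on the process token
    $res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
    # A non-zero NTSTATUS means the privilege was not enabled
    if ($res -ne 0){write-warning ("RtlAdjustPrivilege failed with NTSTATUS 0x{0:X8}" -f $res)}
}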

function take-ownership{
    param(
        [Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
        [string]$regkey)
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($regkey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
    $acl = $key.GetAccessControl()
    $acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")

    #taking ownership first
    $key.SetAccessControl($acl)

    #my bit - give admin full access
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators","FullControl","allow")
    $acl.addaccessrule($rule)
    $key.SetAccessControl($acl)
    #end bit

    #release the registry handle
    $key.Close()

}#end ownership function.

function remove-useracl{
     param(
        [Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
        [string]$regkey)
    write-host "$regkey"
    #remove inheritance
    $acl = Get-Acl $regkey
    $acl.SetAccessRuleProtection($true, $true)
    set-acl $regkey -aclobject $acl
    
    #Remove users
    $acl = Get-Acl $regkey
    foreach ($rule in $acl.access){if ($rule.identityreference -eq "BUILTIN\Users"){$acl.RemoveAccessRuleSpecific($rule)}}
    set-acl $regkey -AclObject $acl
}#end acl function.


#define keys to be restricted
$keys=@("CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}", # printers and devices
"Wow6432Node\CLSID\{A8A91A66-3A7D-4424-8D24-04E180695C7A}" # 32bit Printers and devices
)

#elevate privileges

get-elevatedprivileges

#restrict each key
foreach ($key in $keys){
    if (test-path "hkcr:\$key"){
        take-ownership -regkey $key
        remove-useracl -regkey "hkcr:\$key"
    }
}
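
Step 1 asks for a backup, and a .reg export does not carry a key's permissions, so the following added example (not part of the original post or Remko's script) saves each key's security descriptor as SDDL before the change and reports owner, inheritance and remaining BUILTIN\Users entries afterwards. The function names and the backup file path are hypothetical; the two key paths are the ones from the post.

```powershell
# Added example (not the author's or Remko's script). Function names and the
# backup file path are hypothetical; the two key paths come from the post.
$clsid = '{A8A91A66-3A7D-4424-8D24-04E180695C7A}'
$paths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"
)

function Get-KeyAclState {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) { continue }   # Wow6432Node is absent on 32-bit Windows
        $acl = Get-Acl -Path $p
        $usersAces = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' })
        New-Object PSObject -Property @{
            Path           = $p
            Owner          = $acl.Owner
            InheritanceOff = $acl.AreAccessRulesProtected
            UsersAceCount  = $usersAces.Count
            Sddl           = $acl.Sddl
        }
    }
}

function Backup-KeyAcl {
    param([string[]]$Path, [string]$OutFile)
    Get-KeyAclState -Path $Path |
        Select-Object Path, Sddl |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Restore-KeyDacl {
    param([string]$BackupFile)
    foreach ($row in (Import-Csv -Path $BackupFile)) {
        $acl = Get-Acl -Path $row.Path
        # Restore only the DACL section; the owner is left as it currently is.
        $acl.SetSecurityDescriptorSddlForm($row.Sddl,
            [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $row.Path -AclObject $acl
    }
}

# Before the change: Backup-KeyAcl -Path $paths -OutFile C:\Temp\dp-acl-backup.csv
# After the change, each row should show UsersAceCount = 0 and InheritanceOff = True.
Get-KeyAclState -Path $paths | Format-Table Path, Owner, InheritanceOff, UsersAceCount -AutoSize
```

Run it from an elevated session; Restore-KeyDacl relies on the Administrators FullControl entry that the script above adds.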
