I recently deployed a small Windows Server 2008 R2 Remote Desktop Services environment and experience an issue where I could not hide the administrative tools folder that is inherited as a part of the default user profile. This meant that when a user connected to the session host (Terminal Server) they could see the administrative tools icon and associated MMC snap-in’s on the Start Menu. After trawling through all user based group policy objects, I realised hiding the administrative tools folder was not possible. To achieve this, I created a custom ADM template that could be imported into a Group Policy Object in order to hide the administrative tools entry. The steps I performed are featured below:
1. On a Windows Server 2008 R2 machine, with the Group Policy Management console installed, download and place the custom ADM file in the C:\Windows\inf. The ADM template (rdsadmintools.adm) can be download here, please right click the link and select Save Target As.
2. Edit your existing user lockdown Group Policy Object. Expand the user configuration, polices, then right click Administrative Templates and select Add/Remove Templates.
3. In the Add/Remove dialog box, select Add and then browse to the rdsadmintools.adm file and click ok followed by clicking close.
4. You should now see a “Classic Administrative Templates (ADM)” folder under the main Administrative Templates container. Double click this container and then double click the Remote Desktop Services container to reveal the GPO.
5. Double click the “Remove Administrative Tools From the Start Menu” GPO, click Enable and then using the drop down select box select “Off” and click ok.
Your all done, when logging in as a remote desktop services user you should now no longer be able to see the administrative tools start menu item.