Customizing pinned shortcuts on the Taskbar for Windows Server 2008 R2

OK, this is one way. I am sure there are several others. Can anyone say convoluted…?

(This is mainly intended for use on Remote Desktop Servers.)

  1. Create a test user.
    My user is named Bob in this example.
  2. Log on as Bob and pin the shortcuts you want on the Taskbar, and remove the ones you do not want.
  3. Log off Bob and log on as an Administrator.
  4. Load the Default User registry hive:
    reg.exe load HKU\DefaultUser c:\Users\Default\NTUSER.DAT
  5. Load Bob’s registry hive:
    reg.exe load HKU\Bob c:\Users\Bob\NTUSER.DAT
    (Your path may be different.)
  6. Export the following key:
    (reg.exe export HKEY_USERS\Bob\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband Taskbar.reg)
  7. Edit the Taskbar.reg file:
    1. Remove the FavoritesResolve value.
    2. Change the key path from Bob to DefaultUser (this is the name in the registry path where you mounted the Default User hive). This so we can import the changes that Bob made to his Taskbar into the loaded Default User profile registry.
    3. Save and import
      The changes should now be in the Default User registry.
  8. Unload Bob’s hive and the Default User hive:
    reg.exe unload HKU\Bob
    reg.exe unload HKU\DefaultUser
  9. Navigate to the following folder in Bob’s profile:
    <Bob’s profile root>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
  10. Copy the entire contents of the folder into the same location in the Default User profile.
    (xcopy.exe “c:\Users\Bob\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\*.*” “c:\Users\Default\AppData\Roaming
    \Microsoft\Internet Explorer\Quick Launch”
  11. Run the following commands to remove the Everyone and BUILTIN\Users security principals from the Server Manager and PowerShell shortcuts. These are copied into the User Pinned folder for every new profile, and the only way to prevent this (that I have found), is to prevent access to them. The Administrator still retains access through the remaining permissions on the shortcut files.
    1. icacls.exe “%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell” /T /inheritance:d
    2. icacls.exe “%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell” /T /remove:g *S-1-1-0 *S-1-5-32-545
    3. icacls.exe “%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk” /inheritance:d
    4. icacls.exe “%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk” /remove:g  *S-1-1-0 *S-1-5-32-545
      NOTE: These file system security settings can be propagated with Group Policy Security Policies. A template file doing just that is attached to this post.
  12. Log on as another regular user (not Bob) and verify that the pinned programs are available.
  13. Duplicate the Default User profile to other servers if necessary.


Security Policy Template File