I was at a client site one day where they were doing some UAT on a new published desktop. One executive-level tester highlighted the fact that users could rename the My Computer and Recycle Bin icons on the desktop. Every workplace has one – some comic genius who renames My Computer to Sh*tpile or something similarly eye-wateringly amusing. Now, without getting into the debate of technology versus behaviour, the upshot was that we were asked to find a way to prevent users of the published desktop being able to engage in this hilarious activity.
A bit of Googling suggested that, to prevent users from doing this, we needed to change the permissions on the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
so that the users we want to exclude from renaming the icons only have Read access to the key.
Now, I can hear the AppSense sceptics already: that can easily be done by a Group Policy Object. Actually, though, can it? You can only edit Registry permissions in Computer Configuration | Windows Settings | Security Settings | Registry – but the key we need to change is in the HKCU hive. You can’t set Registry permissions through Group Policy Preferences either, so Group Policy won’t actually be able to cut it.
Rather disappointingly, though, in its current format, AppSense Environment Manager doesn’t have the tools to do it natively either – although I am reliably informed that this functionality is coming to a future version of the software (but don’t quote me on that). To get this done, then, the choice is between a Group Policy Logon Script and an AppSense EM Execute action. Naturally, as this was an AppSense customer already, the Execute action was the winner.
There are various methods we could choose to do this – VBScript, PowerShell (now supported natively in EM), old tools like regini.exe – but as I am a bit of a batch dinosaur I opted for a bit of subinacl.exe. This tool is available for download from Microsoft here (sadly it doesn’t come built-in to the OS, which I reckon it should). Naturally you’ll need to copy this out to your servers/desktops, so you may need to do a bit of scripting or some base image editing.
Then we just need to put the command together to change this. The command is shown below:
subinacl /subkeyreg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID /grant=%userdomain%\%username%=R > NUL
Once we’ve saved this into a command script (which we placed on the netlogon share, but which can go anywhere that all users can access with Read permissions), we simply add an Execute action to the Logon trigger which runs this for all non-admin users. We add this through Action | Custom & Execute | Execute.
Once this is done, we save and deploy the configuration, and then when the users log back in, we no longer have to put up with imaginative renaming of the base desktop icons. Hopefully the capability to alter Registry permissions will soon be added to Environment Manager natively (both for standard Actions and Self-Healing), so that we don’t have to engage in a bit of subinacl-based jiggery-pokery to get this done, and so that it gains another advantage over Group Policy! 🙂
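To confirm the lockdown actually took effect, the key's ACL can be read back from inside the user's session after logon. The following PowerShell check is an added example, not part of the original script; the function name Test-KeyReadOnly and the set of rights treated as write-capable are assumptions of this example.

```powershell
# Added example: read back the ACL on the Explorer\CLSID key for the current user.
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID'

# Rights that allow changing the key or undoing the lockdown, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$writeMask = ([int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership') -bor 0x50000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-KeyReadOnly {
    param([string] $Path, [System.Security.Principal.WindowsIdentity] $Identity)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path"
        return $false
    }
    # SIDs that apply to this user: their own SID plus the groups in the token.
    $sids = @($Identity.User.Value) + @($Identity.Groups | ForEach-Object { $_.Value })

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = (Get-Acl -Path $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $offending = @(foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to child keys, not to this key itself.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.RegistryRights -band $writeMask) -ne 0) { $rule }
    })

    foreach ($rule in $offending) {
        Write-Warning ("Write-capable ACE: {0} {1} (inherited: {2})" -f `
            $rule.IdentityReference, $rule.RegistryRights, $rule.IsInherited)
    }
    return ($offending.Count -eq 0)
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (Test-KeyReadOnly -Path $keyPath -Identity $me) {
    Write-Output "OK: $($me.Name) has no write-capable ACE on $keyPath"
} else {
    Write-Output "CHECK: $($me.Name) can still modify $keyPath (or the key is missing)"
}
```

Run it in the affected user's own session, since HKCU resolves to the profile of whoever runs the script. It reports Allow ACEs only, so it errs on the side of flagging a key for a manual look.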