Microsoft Tech Community

Start Menu Layout Group Policy


I have setup a Group Policy under User Configuration - Administrative Templates - Start Menu and Taskbar and I have Enabled Start Layout to point to my XML file which is in a shared folder. However, the start menu layout is not changing for all users. Any ideas what I can look at to fix it? Thank you.

 

[screenshot: GPO1.png]

20 Replies

@Tim Hunter 

According to your screenshot, you are trying to use the layout.xml for your terminal servers. Some things to consider that might be giving you trouble:

  1. Make sure all users that log on to your session hosts have read access to the file share
  2. Make sure that you enabled Group Policy loopback processing for the session host computers. To apply a user policy to all users that log on to a specific computer, you have to place the policy object in the OU path of the computer and set GPO loopback processing accordingly in the computer policy for the computer.
  3. For a user who does not get the layout applied, check whether the GPO is applied at all (use gpresult /r as the problematic user)
  4. Change the timestamp on the XML file. If a user already got a layout XML applied (it does not matter when or where), it will only reapply a new layout.xml if the timestamp on the file is newer than the previous one that got applied. You can use (Get-Item <pathtoxml>).LastWriteTime = Get-Date for this.

@dretzer 

 

Thank you for your help!

 

1. For the folder and XML file, I have sharing for Everyone set to Read

2. Not sure how to set the loopback, I read about setting it in GPO but I could not find the option to set loopback. Any help here please?

3. Here is what it shows when I do gpresult /r

[screenshot: GPO2.png]

4. [screenshot: GPO3.png]

The command for the file timestamp is wrong in your screenshot (you missed a dot, and there should be an = instead of a -):

(Get-Item \\DC01\Shared\IT\Layouts\layout.xml).LastWriteTime = Get-Date

 

If "Local Group Policy" is the only applied user policy, then missing loopback processing may be your problem. As the Start menu layout setting is a user policy, it needs to be applied to user objects, not computer objects.

If you want to apply it to users only when they log on to your session hosts, you have to use loopback processing. This in effect tells a user account logging on to the computer to process any user policy in the OU path of the computer object. Be careful if you have more user policies in this path, as all of them will apply to the user when you enable loopback processing.

To enable this, set the following in the session hosts' computer policy object:

Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy -> Configure user Group Policy loopback processing mode

Set this to Enabled and the mode to "Merge". This will process any user policy object in the path of your session host for all users logging on to it. The user policies will get merged with your normal user policies. Be careful if you have never worked with loopback processing before. Check all GPOs that lie in the OU path of your session hosts AND your users for any user policy setting you might not be aware of.

 

To sum it up: Apply a gpo with the above setting to your session host computers. Then apply a gpo with the user setting for the start menu layout xml anywhere in the OU-path of your session hosts. This should apply the gpo to all users logging on to the session host (after running gpupdate /force on the session hosts of course).

@Tim Hunter 
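The procedure in the reply above, together with the share-permission and timestamp checks from the first reply, as an added PowerShell example that is not part of the thread. It creates the two GPOs the reply recommends keeping separate (loopback on the computer side, Start Layout on the user side) through the GroupPolicy RSAT module by writing the registry-backed values the two Administrative Template settings store, links both to a session host OU, lists who holds NTFS read on the layout file, and bumps the file timestamp. The OU distinguished name and the GPO names are placeholders; the layout path is the one posted in the thread.

```powershell
#Requires -Modules GroupPolicy
# Added example, not from the thread. Run on a domain-joined admin workstation
# with RSAT. Placeholders: $SessionHostOU and the two GPO names.
$SessionHostOU = 'OU=SessionHosts,OU=Servers,DC=contoso,DC=com'   # assumption
$LayoutPath    = '\\DC01\Shared\IT\Layouts\layout.xml'             # path from the thread

function Get-OrCreateGpo {
    param([string]$Name, [string]$Target)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    # New-GPLink errors if the link already exists; that is fine here.
    New-GPLink -Name $Name -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# 1. Computer-side GPO on the session host OU: loopback processing, Merge mode.
#    "Configure user Group Policy loopback processing mode" is stored as
#    HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode (1 = Merge, 2 = Replace).
$loop = Get-OrCreateGpo -Name 'SessionHosts - Loopback (Merge)' -Target $SessionHostOU
Set-GPRegistryValue -Name $loop.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. User-side GPO, kept separate as the reply recommends, linked to the same OU.
#    With loopback enabled, every user logging on to a session host processes it.
#    "Start Layout" is stored under HKCU\Software\Policies\Microsoft\Windows\Explorer:
#    LockedStartLayout = 1 and StartLayoutFile = <path> (REG_EXPAND_SZ).
$layout = Get-OrCreateGpo -Name 'SessionHosts - Start Layout' -Target $SessionHostOU
$explorerKey = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $layout.DisplayName -Key $explorerKey `
    -ValueName 'LockedStartLayout' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $layout.DisplayName -Key $explorerKey `
    -ValueName 'StartLayoutFile' -Type ExpandString -Value $LayoutPath | Out-Null

# 3. Who can actually read the layout file (item 1 of the checklist)? This is the
#    NTFS side; share permissions are checked separately on the file server.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$readers = (Get-Acl -LiteralPath $LayoutPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $readData) -ne 0) } |
    ForEach-Object { $_.IdentityReference.Value }
"NTFS read (Allow ACEs) on layout.xml: $($readers -join ', ')"

# 4. Bump the timestamp so clients that already applied an older layout pick this
#    one up. The file is held open while a user session uses it, so this can fail
#    with a sharing violation; retry when nobody is logged on.
try {
    (Get-Item -LiteralPath $LayoutPath).LastWriteTime = Get-Date
    "Timestamp updated: $((Get-Item -LiteralPath $LayoutPath).LastWriteTime)"
} catch [System.IO.IOException] {
    "layout.xml is in use, timestamp not changed: $($_.Exception.Message)"
}

# Verify afterwards on a session host, as the affected user, after gpupdate /force:
#   Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Explorer' |
#       Select-Object StartLayoutFile, LockedStartLayout
```

The two Set-GPRegistryValue calls produce the same result as ticking the settings in the Group Policy Management Editor; keeping them in two GPOs (one holding only computer settings, one holding only user settings) is what lets you later link the Start Layout GPO elsewhere without dragging the loopback setting along.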

@dretzer 

I corrected the command in PowerShell and now it says it cannot access the file because another process is accessing it. I am assuming that is the GPO?

[screenshot: GPO4.png]

 

For the Loopback GPO, do I want to make a GPO just for the Loopback or can I add the Loopback policy to the Start Menu GPO that I made?

The file is open as long as a user is logged on and using it. You can only alter the XML file when no user is using it.

 

Regarding where to put the policy setting: as a best practice you should never mix computer policies and user policies. You should use separate user policy objects and separate computer policy objects.

GPO design is a complicated topic though, and as I can't know your AD DS and GPO design principles I really can't tell you where to put it in your environment.

It will work if you put it in the same GPO as the Start menu setting and then make sure you apply this policy to all your session hosts. The session host itself is a computer object, and as such will only apply the computer policies from the GPO (the loopback processing setting). Every user that logs on to the session host will evaluate all user policy settings that can be found in the path to the session host object in AD DS and apply them (the Start menu layout setting).

@Tim Hunter 

@dretzer 

 

When I do a gpresult /r for the problematic user, it shows that the GPO is applied. So not sure what else to check with this user.

@dretzer 

 

Any ideas if there is a way to clear out the Start Menu for that user in the Registry or somewhere? gpresult shows the correct gpo applied for the start menu layout. Thanks!

I checked the registry for the user and it shows the correct path for the start menu layout. So not really sure how to fix this now.

 

[screenshot: gpo22.png]

So the Start menu layout on the right with the tiles is correct; however, the Start menu list on the left is incorrect. Please see the screenshot below. Any ideas?? Thank you.

 

[screenshot: gpo23.png]

The Start menu layout group policy is only for the tiles on the right side. The left side is the "All Programs" view. You can either hide it or edit it in the file system (no GPO needed).

The "All Programs" list follows these rules:

  1. It's always alphabetical and grouped by letter
  2. It's a sum-view of the following locations:
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs
  3. It only supports one folder level, no subfolders. Content in subfolders will be collapsed into the top folder

So if you want the "All Programs" list to contain only specific items, go to "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" and edit the shortcuts and folders in there. A user still has his own personal Start menu shortcuts, which get merged with this location.

 @Tim Hunter 

@dretzer 

 

When I go to C:\ProgramData\Microsoft\Windows\Start Menu\Programs, it shows the correct programs and shortcuts. However, as you can see in the screenshot below the items listed in the start menu are different. Very strange.

[screenshot: gpo11.png]

Not strange at all. You have to look into the personal Start menu of the user as well. I'm sure you will find the additional links and folders there. The only one missing in his Start menu in the screenshot is the "AMS" link. This one is an Internet shortcut instead of a normal shortcut. Only normal shortcuts will work in the Start menu. So if you want this "AMS" Internet shortcut to be visible inside the Start menu, you have to make a normal shortcut to your preferred internet browser and edit it so that it opens the URI directly.

 

The Start menu you see on the left is the SUM of the all-users Start menu (C:\ProgramData\Microsoft\Windows\Start Menu\Programs) AND the current user's Start menu (%APPDATA%\Microsoft\Windows\Start Menu\Programs).

Your user clearly has some software installed in his user profile that is not installed on the server itself (Brother, KeePass and Malwarebytes, for example).

I guess he used some user-only installers for those applications. I recommend looking at AppLocker to stop your users from installing software without your knowledge.

@Tim Hunter 

@dretzer 

 

There are still a bunch at the bottom of the list that do not show up on the Start menu left side. I show the same apps and shortcuts for every other user, and all of them show up in the Start menu. And the folders like Brother, KeePass and Malwarebytes do not open when I click on them in the Start menu, and they do not show up when I go to the folder directory.

 

[screenshot: gpo13.png]

 

@dretzer 

This user also shows Firefox in the Start Menu. Firefox is not even installed on the server. 

As I said, KeePass, Brother and Malwarebytes are part of the user's personal Start menu. This is not the same as what you are looking at. They are part of his user profile and you have to clean them there. If they do not open, then he already removed the associated applications.

 

For the Wynne links: check the ACL on those shortcuts and make sure the user has full read access to these shortcuts.

It is also possible that the user profile of this user has some more serious problems (if he used Malwarebytes at some point in the past, this may very well be the case).

You could move his user profile somewhere else so that he gets a completely new profile the next time he logs on. If the Start menu works as expected with the new profile, you know that his current profile is faulty.

@Tim Hunter 
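The merge described in the three replies above (the rules for the "All Programs" list, the point that .url Internet shortcuts and user-profile-only entries explain the differences, and the ACL check suggested for the Wynne links), as an added PowerShell example that is not part of the thread. It enumerates both Start Menu\Programs folders, folds nested subfolders into their top-level folder, marks entries Start will skip (non-.lnk files, files the current user cannot open for reading) and lists what exists only in the user's profile. Run it on the session host as the affected user so the default paths resolve to that user's profile, or pass another profile's AppData folder via -UserPrograms; the assumption is that roaming AppData sits at its default location under the profile.

```powershell
# Added example, not from the thread. Run on the session host as the affected
# user, or point -UserPrograms at another profile's AppData folder.
param(
    [string]$AllUsersPrograms = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    [string]$UserPrograms     = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
)

function Get-StartMenuEntries {
    param([string]$Root, [string]$Source)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $rootLen = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\').Length
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        # Rule 3 from the thread: only one folder level exists in the list. Deeper
        # subfolders are folded into the top-level folder (first path segment).
        $parts  = $_.FullName.Substring($rootLen).TrimStart('\') -split '\\'
        $folder = if ($parts.Count -gt 1) { $parts[0] } else { '' }

        # Follow-up reply: Start lists .lnk shortcuts only; a .url Internet
        # shortcut such as the "AMS" entry is skipped.
        $isLnk = $_.Extension -ieq '.lnk'

        # Read-access check from the later reply about the Wynne links: try to
        # open the file for reading as the current user.
        $readable = $true
        try { [IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite').Dispose() }
        catch { $readable = $false }

        [pscustomobject]@{
            Display = if ($folder) { $folder } else { $_.BaseName }   # the text Start shows
            Name    = $_.BaseName
            Folder  = $folder
            Source  = $Source
            Shown   = $isLnk -and $readable
            Reason  = if (-not $isLnk) { "not a .lnk ($($_.Extension))" }
                      elseif (-not $readable) { 'no read access' } else { '' }
            Path    = $_.FullName
        }
    }
}

# Rule 2: the list is the union of the all-users folder and the user's own folder.
$entries = @(Get-StartMenuEntries -Root $AllUsersPrograms -Source 'AllUsers') +
           @(Get-StartMenuEntries -Root $UserPrograms     -Source 'User')

"=== What Start shows on the left (rule 1: alphabetical, grouped by first letter) ==="
$entries | Where-Object Shown | Sort-Object Display -Unique |
    Format-Table @{ n = 'Group'; e = { if ($_.Display -match '^\p{L}') { $_.Display.Substring(0, 1).ToUpperInvariant() } else { '#' } } },
                 Display, Source -AutoSize

"=== On disk but not shown, and why ==="
$entries | Where-Object { -not $_.Shown } | Format-Table Name, Reason, Source, Path -AutoSize

"=== Exists only in this user's profile (user-installed software; candidates for an AppLocker review) ==="
$allUsersNames = @($entries | Where-Object { $_.Source -eq 'AllUsers' } | ForEach-Object Display)
$entries | Where-Object { $_.Source -eq 'User' -and $_.Display -notin $allUsersNames } |
    Sort-Object Display -Unique | Format-Table Display, Path -AutoSize
```

The second table is the one to read for the missing Wynne links: an entry with Reason "no read access" points at the ACL, and one with "not a .lnk (.url)" is the Internet-shortcut case from the earlier reply. The third table is the list of things that live only in the user's profile and would disappear together with it if the profile is rebuilt.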

@dretzer 

How do I remove his user profile so he gets a new one when he logs in next time? Thank you!!!

That depends on your setup. Are your userprofiles local, roaming, mandatory or user profile disks?

Either way, to remove his profile, you have to make sure the user is not logged on.

If the profile is local, just log on with an administrative account and open sysdm.cpl -> Advanced -> User Profiles "Settings" button. There you wait until the list is populated, and then you can delete the user's profile there (depending on the size, this can take some time).

If it's a roaming or mandatory profile, remove the profile from your central store and remove the local cache (this can be more complicated, strongly dependent on your setup).

If you are using user profile disks (best case), just rename the vhdx file of the disk (if you are sure about it, you can delete it instead of renaming).

 

Make sure you have a backup of the user profile before deleting anything!

@Tim Hunter 

@dretzer 

I have no local users set up. They are all RDP users, so to me that would make them roaming profiles. Where is the central store? His user profile is 13 GB, so it may take some time to delete, I imagine.

Sorry, but your user profile management has nothing to do with RDP or not.

If you never set anything up to manage user profiles centrally, then they are local. Meaning each user has a local user profile on each of your session host servers.

You would know if you had roaming profiles, because they need to be set up in your active directory environment. So, if you never did anything special regarding profiles, all your user profiles will be local to the session host.

User profile disks would be the most modern way for session host deployments. They also need setup though, so by default you would have no roaming/mandatory profiles or UPDs.

If you really don't know, you should try to figure out if any group policies regarding user profiles are active, where your profiles are stored and how they should be managed. I can't really help you there much because there are many different ways your environment could be configured.

You can at least look inside sysdm.cpl as I told you earlier. There you can see if a profile is local or roaming. Also, if it is local, just look inside C:\Users to see if there are normal folders per user, or if those "folders" have a disk icon instead. If they have disk icons, you are using user profile disks.

@Tim Hunter
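The profile questions in the last two replies (local, roaming, mandatory or UPD; is the user still logged on; back up before deleting; delete the local profile the way sysdm.cpl does), as an added PowerShell example that is not part of the thread. It reads the same profile list sysdm.cpl shows via Win32_UserProfile, classifies each profile, and then runs a guarded backup-then-delete for one local profile. The user name and the backup root are placeholders; run it elevated on the session host after the user has signed out. Without -Delete it only reports and backs up.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run elevated on the session host while the
# user is signed out. Placeholders: the -UserName value and $BackupRoot.
param(
    [Parameter(Mandatory)][string]$UserName,    # DOMAIN\user, e.g. 'CONTOSO\jdoe' (placeholder)
    [string]$BackupRoot = 'D:\ProfileBackups',  # assumption
    [switch]$Delete                             # without it the script only reports and backs up
)

function Get-ProfileInventory {
    # Win32_UserProfile is the list sysdm.cpl -> User Profiles displays.
    Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
        $p = $_
        $user = $p.SID   # keep the raw SID for orphaned (deleted) accounts
        try { $user = ([System.Security.Principal.SecurityIdentifier]$p.SID).Translate([System.Security.Principal.NTAccount]).Value } catch {}

        # User Profile Disks mount a .vhdx onto C:\Users\<user>, so that folder is a
        # reparse point (the "disk icon" the reply mentions) rather than a plain folder.
        $isMount = $false
        if (Test-Path -LiteralPath $p.LocalPath) {
            $attrs   = (Get-Item -LiteralPath $p.LocalPath -Force).Attributes
            $isMount = ([int]$attrs -band [int][IO.FileAttributes]::ReparsePoint) -ne 0
        }
        $kind = if ($p.RoamingConfigured) { 'Roaming' } elseif ($isMount) { 'UPD' } else { 'Local' }

        [pscustomobject]@{
            User        = $user
            Kind        = $kind
            Loaded      = $p.Loaded      # $true while the user is logged on
            LastUse     = $p.LastUseTime
            LocalPath   = $p.LocalPath
            RoamingPath = $p.RoamingPath
        }
    }
}

$inventory = Get-ProfileInventory
"=== Profiles on $env:COMPUTERNAME ==="
$inventory | Sort-Object Kind, User | Format-Table User, Kind, Loaded, LocalPath, RoamingPath -AutoSize

$target = $inventory | Where-Object { $_.User -ieq $UserName }
if (-not $target)             { throw "No profile for '$UserName' on this host." }
if ($target.Loaded)           { throw "'$UserName' is still logged on (profile loaded). Sign the user out first." }
if ($target.Kind -ne 'Local') { throw "Profile is $($target.Kind): clean the central store or rename the .vhdx instead of deleting locally." }

# Back up first (the reply's warning). Robocopy keeps timestamps and ACLs; /XJ skips
# the junctions inside a profile so the copy does not loop.
New-Item -ItemType Directory -Force -Path $BackupRoot | Out-Null
$dest = Join-Path $BackupRoot ('{0}_{1:yyyyMMdd-HHmm}' -f ($UserName -replace '[\\/:]', '_'), (Get-Date))
robocopy $target.LocalPath $dest /E /COPY:DATSO /R:1 /W:1 /XJ /NP /NFL /NDL /LOG:"$dest.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Backup failed (robocopy exit code $LASTEXITCODE); nothing deleted." }
"Backup written to $dest (robocopy exit code $LASTEXITCODE)"

if ($Delete) {
    # Same operation as sysdm.cpl -> User Profiles -> Delete: removes the folder and
    # the ProfileList registry entry, so the next logon builds a fresh profile (and a
    # fresh %APPDATA%\Microsoft\Windows\Start Menu\Programs).
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.LocalPath -eq $target.LocalPath } |
        Remove-CimInstance
    "Deleted local profile $($target.LocalPath)."
} else {
    "Dry run: would delete $($target.LocalPath). Re-run with -Delete to do it."
}
```

On a farm with several session hosts and local profiles, the user has one profile per host, so the inventory and the delete have to be repeated on every host he has logged on to; a 13 GB profile is also where the robocopy step will spend most of its time.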