I've found a way to actually hide applications (such as from the programs menu or desktop) with just group policy. What I've done in the past for some select applications is use a vb script in conjunction with software restriction policies. i.e. a logon script that checks if the user logging in is a member of a security group that grants access to Visio. If they are, have the script create a shortcut in the programs menu and where ever else. And with the Software Restriction Policies (SRP) grant access to the visio.exe. Otherwise if they're not then delete the visio shortcut and SRP will take care of the access. But this setup can take quite some time to set up with the scripting portion, but once it's set it works. If anyone knows how to hide applications with group policy and no scripts.. do share. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison Sent: Wednesday, June 25, 2008 11:12 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting program access on TS using GP I just want some programs to not be visible to some users on my TS. Is GP the best way to accomplish that? ________________________________ From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] Sent: Wednesday, June 25, 2008 10:09 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Setting program access on TS using GP Well, it depends on what your definition of "set access" is. If you want to prevent them from being executed you could look at Software Restriction Policy, but be careful in your approach. If those applications are policy aware (meaning they look in the two "policy" areas of the registry), the company that made them may already have ADM templates to control some settings. Otherwise, you'll can take one of two approaches: 1. create a custom ADM for any registry controlled settings and "tattoo" them (meaning they won't undo themselves after a machine falls out of scope). This is the classic way most of us are used to OR 2. Use the new Group Policy Preference (GPP) extensions to populate the registry settings. This approach would be more similar to the way a group policy setting behaves in that you can tell GPP to remove the setting when a machine falls out of scope. As far as Office is concerned, there are already Microsoft-provided ADM templates that are part of the Resource Kits for each Office version, which will allow you to control just about anything you can imagine. You can download them from the Office downloads area. Hope that helps a little. Jamie Nelson | Infrastructure Consultant | BI&T Operations | Devon Energy | Work: 405.552.8054 | http://www.dvn.com <http://www.dvn.com/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Savanah Garrison Sent: Tuesday, June 24, 2008 7:48 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Setting program access on TS using GP I need to set access to specific programs on my terminal server using group policy. I understand that this IS possible, but that I need to add custom ADM templates for each program? Where do I find those ADM templates? I have some non-standard programs like timberline and argus as well as the normal Office suite that I would like to lock down. Thank you! Savanah Garrison IT Specialist Trademark Property Company 817.639.2708 CONFIDENTIAL NOTICE: This electronic transmission and any documents or other writings sent with it constitute confidential information intended only for the named recipient. If you have received this communication in error, do not read it. Please reply to the sender that you have received the message in error, then delete the message. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachment(s) by anyone other than the named recipient is strictly prohibited. ________________________________ Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system. CONFIDENTIAL NOTICE: This electronic transmission and any documents or other writings sent with it constitute confidential information intended only for the named recipient. If you have received this communication in error, do not read it. Please reply to the sender that you have received the message in error, then delete the message. Any disclosure, copying, distribution or the taking of any action concerning the contents of this communication or any attachment(s) by anyone other than the named recipient is strictly prohibited.