[Takaharu]

When I was at school and later when I went to college the computers that I used had customised Start menus that hid items on the Start menu that they didn't want students to be able to access (like Paint, Command Prompt, etc).
I've been through Active Diectory's Group Policies time and again but I don't see a way to hide items on the Start Menu without the aid of Server 2008's added Start menu preferences. I know that you can prevent access to the command prompt, stop specified EXEs from running, etc, along with the ability to remove everything except "All Programs" but I haven't found how to hide (for example) Accessories from the Programs menu.
There is an option called something like "display all users icons on desktop" that's supposed to remove common programs from the Start menu (I think that was the one) but it isn't flawless.

Does anyone know how to go about doing this?

[charm_quark]

sorry man! the only thing that i know of is some sort of programs that do that! that restrict! all else is registry tweaks

[GigaWatt]

yeah, in windows nothing is flawless... LOL

they used to do that on PII rigs with WIn98 when i was in highschool... open up msword, cilck File->Open, browse to a folder, right click on the folder, choose Explore, and voila, you can browse trough the whole computer and open up anything you like...

sorry man, i really have no idea how they did that, but i think they used some sort of a program to do it, and even that wasn't flawless... LOL

but, i've seen it done flawlessly (from 5 min sitting on the PC perspective) in Windows NT 5.0... i would give it a shot under Windows Server 2003, it's almost the same as XP in feel and touch, except it has more advanced management services, which you don't need to use if you don't want to...

EDIT: if you do happen to achieve this under XP, or Server 2003, or any other Windows OS, please post how you did it, i'm sure other users (including myself) would find the information handy...

[Takaharu]

GigaWatt - With Server 2008 (and undoubtedly 2008 R2) it's really easy; Server 2008 adds a new section to Group Policies known as Preferences. In the Preferences section you can customise the Start Menu, registry entries and services. The registry entries and Start menu customisations you can separate between XP and Vista - there are separate settings for both. I'd assume pre-R2 the Vista settings would also apply to Win7 as they are almost identical. After choosing the customised settings that you want you'll need Group Policy Client Side Extensions if you're using XP SP2/SP3 or, if you're using Vista, they should apply without patching the OS.
If you don't have Server 2008 then you should be able to do some fancy tweaking if you have a Vista client in your network (that has domain admin rights) and a server that is compatible with Active Directory (Ie: Server 2000 onwards). It's a long process to try and explain everything in a single post but you'd need to enable the hidden administrative tools that allow you to access the Group Policy Management Console in Vista. Prior to customising the Group Policies that you want you'll also need to scout around the Microsoft website to find a suitable patch that will allow your server operating system to recognise the Group Policies. You won't be able to customise Server 2008 Group Policies on a server that is older than Server 2008 but you can enable the server to recognise the Group Policies if you customise them on a Vista/Win7 machine. After applying the necessary patches to the domain controller just customise the Group Policies that you want and voila, you should have Server 2008 policies on a pre-Server 2008 domain controller.
On our network we have a Server 2008 Standard as the PDC and Server 2003 Standard on the BDC - the BDC can't customise the Server 2008 Group Policies but it maintains them.

If you customise the Start menu through Group Policy Preferences and apply the Client Side Extensions patch you shouldn't have any problems with the customisations being kept. The problem is going round each and every computer one by one and applying the patch whilst logged on as an administrator, unless you have WSUS installed and running (in which case you can push the patch onto all of the PCs). Because all of the computers in our company that I want to lock down the Start menu for are not local/domain admins they they can't use Windows Updates, which renders WSUS useless.
At the moment I've managed to get the patch applied to a fair number of computers on the network but it's a very tedious task and as it's a 24/7 company that runs at full capacity most of my working day it's not easy to find a time when the computers aren't in use. I've applied a startup script that (amongst other things) fires off a small app called Winkey Kill that, as expected, disables the Windows Keys and Ctrl+Esc. Tied in with another small app that disables the Start button it works about 40% of the time. Usually they'll have the Windows key disabled but the Start button enabled so it's a bit of a pain. For a while I did have a registry setting that disabled the Windows keys using Scancode Map in Keyboard Layout but it often swapped keys around or disabled some letters so I had to get rid of it.
I've tried loads of ways to get these systems locked down and I've gone above and beyond the standard abilities of Group Policies trying to do it, aidied by VBS scripts that I've learned how to make in the process for logon scripts but there are still some things I've yet to lock down.

The best part? I'm not even supposed to touch Active Directory, really; I'm an IT Technician and my job's supposed to be just to maintain computers and assist where needed. I took on the responsibilities of maintaining the domain controllers because it needed doing.
Well, that's enough of my story. Back to the topic at hand.