July 22, 2007 3:06
Is it possible to change the shell for the users to a custom shell other than explorer? The administrator ID shell should be explorer. Kindly advise.
July 23, 2007 9:18
We have a group policy to configure an alternate user interface [User Configuration\Administrative Templates\System\Custom user interface]. If you would like to prevent administrators from applying the group policy, you can refer to the following KBs:
Domain group policy
315675 How To Keep Domain Group Policies from Applying to Administrator
Local group policy
325351 HOW TO: Apply Local Policies to All Users Except Administrators on
However, once explorer.exe is started it becomes the default shell from that point on. To set a custom shell forever, please read the following example:
Make the following changes in registry:
1. Change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot\Shell
Old value: String: "USR:Microsoft\Windows NT\CurrentVersion\Winlogon"
New value: String: "USR: Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
2. HKCUUSERS \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: String: "notepad.exe" (The alt shell)
3. Set HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SeparateProcess REG_DWord = 1 (Tells Explorer to launch as a new process)
4. Reboot, log in as the test user, and try.
In addition, SteadyState does not have this restriction or configuration. For further assistance on customizing the shell, you can post to the Windows XP public newsgroup:
Hope this helps.
If you need further assistance, please don’t hesitate to let me know.
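A read-only way to confirm what steps 1 to 3 left in the registry for the logged-on account, as an added PowerShell example that is not part of the original reply. The helper name Get-ShellSetting is hypothetical; the machine-wide Winlogon value and the Policies\System value are not in the reply and are read only for comparison.

```powershell
# Added example: read-only report of the shell-related values from steps 1-3.
# Run once as the test user and once as the administrator, then compare.
$checks = @(
    @{ Setting = 'IniFileMapping boot\Shell (step 1)'; Name = 'Shell'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot' },
    @{ Setting = 'Per-user Winlogon Shell (step 2)'; Name = 'Shell'
       Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' },
    @{ Setting = 'Explorer SeparateProcess (step 3)'; Name = 'SeparateProcess'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' },
    # Not in the reply: the machine-wide default and the value written by the
    # "Custom user interface" policy, shown for comparison.
    @{ Setting = 'Machine Winlogon Shell'; Name = 'Shell'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' },
    @{ Setting = 'Custom user interface policy'; Name = 'Shell'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' }
)

function Get-ShellSetting {   # hypothetical helper name
    param($Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null instead of an error.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }

        # IniFileMapping prefixes: USR: maps to HKEY_CURRENT_USER,
        # SYS: maps to HKEY_LOCAL_MACHINE\SOFTWARE.
        if ($null -eq $value) { $note = 'not set' }
        elseif ($c.Name -ne 'Shell') { $note = 'set' }
        elseif ($value -match '^USR:') { $note = 'mapped to HKEY_CURRENT_USER' }
        elseif ($value -match '^SYS:') { $note = 'mapped to HKLM\SOFTWARE' }
        elseif ($value -match '(^|\\)explorer\.exe') { $note = 'Explorer' }
        else { $note = 'custom shell' }

        New-Object PSObject -Property @{ Setting = $c.Setting; Value = $value; Note = $note } |
            Select-Object Setting, Value, Note
    }
}

Get-ShellSetting $checks | Format-Table -AutoSize
```

The script only reads values, so it can be run under the restricted test account as well as the administrator account.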
July 24, 2007 16:34
Thank you very much for the detailed reply.
I've stopped using steady state and started working directly on local policies for my Public Kiosk desktop. I am using a customised shell for my desktop and found success to an extent.
I was able to retain my kiosk shell (as custom user interface) for the user ID and explorer shell for the admin ID. Only limitation was that, when I edited local policy again in local admin ID, all the policy restrictions were applied to local admin ID as well. (expected behaviour)
I've to again modify the policies for admin ID and copy back the saved registry.pol file.
- Is there any tool available to edit the registry.pol file other than gpedit (like poledit.exe)?
Thanks again for your assistance.
July 25, 2007 6:58
Yes, it is expected behavior that local group policy will be applied to the administrator if you edit the group policy again. This is the reason that we suggest using domain group policy if it is possible. In a domain environment, group policy can be filtered according to security settings, such as user group information.
The Group Policy Editor tool is the recommended tool to edit group policy. Unfortunately, we do not have other tools which enable you to edit the registry.pol file directly. To read the registry.pol file, you can use the RegView tool.
Regview.exe: Registry.pol Viewer Tool
July 25, 2007 17:27
Poledit.exe cannot edit the group policy files registry.pol, but you can still use it with its own ntconfig.pol file on XP to apply per user registry changes without the need for the workaround for administrators. The ability to specify a custom shell for individual users is included in the system policy template winnt.adm. Moreover, almost every group policy under "Administrative Templates" can be modified to apply as a system policy. The main disadvantage of system policies on a standalone computer is that they are persistent, or "tattoo" the registry, unless individually undone. The best way to avoid that is to apply them only to mandatory, or "locked", profiles.