locked
Custom Shell RRS feed

  • Question

  • Hi

     

    Is it possible to change the shell for the users to a custom shell other than explorer. The administrator ID shell should be explorer. Kindly advise.

     

    Brgds

    Shanavas

    Sunday, July 22, 2007 3:06 AM

Answers

  • Hi Shanavas,

     

    Yes, it is expected behavior that local group policy will be applied to administrator if you edit the group policy again. This is the reason that we suggest you using domain group policy if it is possible. In domain environment, group policy can be filtered according to security settings, such as user group information.

     

    The Group Policy Editor tool is the recommended to edit group policy. Unfortunately, we do not have other tools which enable you edit registry.pol file directly. To read the registry.pol file, you can use the RegView tool.

     

    Regview.exe: Registry.pol Viewer Tool

    http://technet2.microsoft.com/windowsserver/en/library/9646c6fd-0318-477a-9dc4-c8aac71e6b881033.mspx?mfr=true

    Wednesday, July 25, 2007 6:58 AM
  • Shavanas,

     

    Poledit.exe cannot edit the group policy files registry.pol, but you can still use it with its own ntconfig.pol file on XP to apply per user registry changes without the need for the workaround for administrators.  The ability to specify a custom shell for individual users is included in the system policy template winnt.adm.  Moreover, almost every group policy under "Administrative Templates" can be modified to apply as a system policy.  The main disadvantage of system policies on a standalone computer is that they are persistent, or "tattoo" the registry, unless individually undone.  The best way to avoid that is to apply them only to mandatory, or "locked", profiles.

     

    Franklin

    Wednesday, July 25, 2007 5:27 PM

All replies

  • Hi Shanavas,

     

    We have a group policy to configure alternate user interface [User Configuration\Administrative Templates\System\Custom user interface]. If you would like to prevent administrators from applying the group policy, you can refer to the following KBs:

     

    Domain group policy

    315675 How To Keep Domain Group Policies from Applying to Administrator

    http://support.microsoft.com/?id=315675

     

    Local group policy

    325351 HOW TO: Apply Local Policies to All Users Except Administrators on

    http://support.microsoft.com/?id=325351

     

    However, once explorer.exe is started it becomes the default shell from that point on. To set a custom shell forever, please read the following example:

     

    Make the following changes in registry:


    1. Change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot\Shell


    Old value: String: "USR:Microsoft\Windows NT\CurrentVersion\Winlogon"
    New value: String: "USR: Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

    2. HKCUUSERS \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    Value: String: "notepad.exe" (The alt shell)

    3. Set HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SeparateProcess REG_DWord = 1 (Tells Explorer to launch as a new process)

    4. Rebooted and Logged in as the test user and try.

    In addition, SteadyState does not have this restriction or configuration. For further assistance on customizing the shell, you can post to Windows XP public newsgroup:

     

    http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windowsxp.accessibility&cat=en_us_c76c1061-ff60-4921-8dde-b885ffd6b9eb&lang=en&cr=us

     

    Hope this helps.

     

    If you need further assistance, please don’t hesitate to let me know.

    Monday, July 23, 2007 9:18 AM
  • Hi Robert

     

    Thank you very much for the detailed reply.

    I've stopped using steady state and started working directly on local policies for my Public Kiosk desktop. I am using a customised shell for my desktop and found success to an extend.

    I was able to retain my kiosk shell (as custom user interface) for the user ID and explorer shell for the admin ID. Only limitation was that, when I edited local policy again in local admin ID, all the policy  restrictions were applied to local admin ID as well. (expected behaviour)

    I've to again modify the policies for admin ID and copy back the saved registry.pol file.

    • Is there any tool available to edit registry.pol file other than gpedit. (like poledit.exe)

    Thanks again for your assistance.

     

    Shanavas 

    Tuesday, July 24, 2007 4:34 PM
  • Hi Shanavas,

     

    Yes, it is expected behavior that local group policy will be applied to administrator if you edit the group policy again. This is the reason that we suggest you using domain group policy if it is possible. In domain environment, group policy can be filtered according to security settings, such as user group information.

     

    The Group Policy Editor tool is the recommended to edit group policy. Unfortunately, we do not have other tools which enable you edit registry.pol file directly. To read the registry.pol file, you can use the RegView tool.

     

    Regview.exe: Registry.pol Viewer Tool

    http://technet2.microsoft.com/windowsserver/en/library/9646c6fd-0318-477a-9dc4-c8aac71e6b881033.mspx?mfr=true

    Wednesday, July 25, 2007 6:58 AM
  • Shavanas,

     

    Poledit.exe cannot edit the group policy files registry.pol, but you can still use it with its own ntconfig.pol file on XP to apply per user registry changes without the need for the workaround for administrators.  The ability to specify a custom shell for individual users is included in the system policy template winnt.adm.  Moreover, almost every group policy under "Administrative Templates" can be modified to apply as a system policy.  The main disadvantage of system policies on a standalone computer is that they are persistent, or "tattoo" the registry, unless individually undone.  The best way to avoid that is to apply them only to mandatory, or "locked", profiles.

     

    Franklin

    Wednesday, July 25, 2007 5:27 PM