Citrix Consulting Services
Registry Settings Reference
Registry Hive/Sub-Key / Key Name / Key Type / Value / Description / CCS Key? /Desktop Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoCommonGroups / REG_DWORD / 0 or 1 / Common Program groups do not appear on Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoDesktop / REG_DWORD / 0 or 1 / Hide all desktop icons.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoDrives / REG_DWORD /
Decimal value
/ Hide specified drive icons in My Computer, Explorer, and Open/Save dialogs (still viewable from File Mgr). To implement, list alphabet in reverse order (Z to A), indicate “1” for each drive to hide, and “0” for each drive to display; this will result in a 26-bit binary string which may be converted to decimal format for a Registry entry. Ex: binary string to hide drives A: and C: is “101”, converted to decimal is 5.HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoFileMenu / REG_DWORD / 0 or 1 / Remove the File menu from Windows Explorer.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoFind / REG_DWORD / 0 or 1 / Remove the Find command from the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSetConnectDisconnect / REG_DWORD / 0 or 1 / Removes Map Network Drive and Disconnect Network Drive menu items from Explorer and popup menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoNetHood / REG_DWORD / 0 or 1 / Remove Network Neighborhood icon and prevent access from Explorer (does not prevent command prompt access).
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoRun / REG_DWORD / 0 or 1 / Remove Run command from Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSetFolders / REG_DWORD / 0 or 1 / Remove Control Panel, Printers, and My Computer icons in Explorer and on the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSetTaskbar / REG_DWORD / 0 or 1 / Only Drag & Drop may be used to alter the Start menu and Desktop. The Taskbar option does not appear in the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoTrayContextMenu / REG_DWORD / 0 or 1 / Popup menus do not display upon right-click of the Taskbar, Start button, clock, or Taskbar application icons.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoViewContextMenu / REG_DWORD / 0 or 1 / Popup menus do not display upon right-click of the desktop or Explorer’s results pane.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / RestrictRun / REG_DWORD / 0 or 1 / Only programs defined in a related Registry key may run. The other key is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policiies\Explorer\RestrictRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoClose / REG_DWORD / 0 or 1 / Remove Shut Down option from Start menu. Does not disable Shut Down from Ctrl+Alt+Del menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoDriveAutoRun / REG_DWORD /
Decimal value
/ Determines whether or not the auto-run feature is disabled on the specified drive. ** For implementation rules, review the description for the “NoDrives” row.HKLM\System\CurrentControlSet\Services\Cdrom\Autorun / NoDriveAutoRun / REG_DWORD / 0 or 1 / Determines whether or not the auto-run feature is disabled on the CD-ROM drive.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSaveSettings / REG_DWORD / 0 or 1 / Prevents changes to the positions of icons and open windows and the size/position of the Taskbar from being saved.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoWindowsUpdate / REG_DWORD / 0 or 1 / Determines whether or not users are able to connect to the Windows Update website.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoNetworkConnections / REG_DWORD / 0 or 1 / Prevents Network Neighborhood and Dial-Up Connections from running.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / Intellimenus / REG_DWORD / 0, 1, or 2 / 0 = Enables personalized menus by default, but permits users to change the option.
1 = Disables personalized menus and prevents users from changing the option.
2 = Enables personalized menus, but prevents users from changing the option.
HKCU\Software\Policies\Microsoft\Windows\System / DisableCMD / REG_DWORD / 1 or 2 / 1 = Policy is enabled and set to “Yes”, preventing users from running a command prompt, but the system may still run MS-DOS batch files.
2 = Policy is enables and set to “No”, preventing users from running a command prompt, and the system is unable to run MS-DOS batch files.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoRecentDocsHistory / REG_DWORD / 0 or 1 / Determines whether or not recently opened documents are saved in the Documents item on the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoCommonGroups / REG_DWORD / 0 or 1 / Determines whether or not items in the All Users profile will display in the Start menu (0), or only items from the users profile (1).
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSMHelp / REG_DWORD / 0 or 1 / Removes the Help option on the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSMMyDocs / REG_DWORD / 0 or 1 / Removes the My Documents option from the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network / NoWorkgroupContents / REG_DWORD / 0 or 1 / Network Neighborhood does not display computers in the local workgroup or domain.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network / NoEntireNetwork / REG_DWORD / 0 or 1 / Restricts Network Neighborhood from displaying or accessing computers outside the local workgroup or domain. Users may still use Start/Run, Map/Connect Network Drive, and command prompt to access these network resources.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / LinkResolveIgnoreLinkInfo / REG_DWORD / 0 or 1 / Shortcuts created on a TSE desktop may automatically embed a UNC path as opposed to utilizing a local path. This causes the user who tries to use the shortcut to be prompted for the administrator’s password of the computer that created the link. CCS automated installation sets the value to “1” to force utilization of the local path (i.e. do not use a UNC path). / Yes
Desktop Settings – Only valid if Active Desktop is installed
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoDesktopUpdate / REG_DWORD / 0 or 1 / Prevents placing new shortcuts on the Desktop.HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoFolderOptions / REG_DWORD / 0 or 1 / Removes the Folder Options menu item from the Settings menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoFavoritesMenu / REG_DWORD / 0 or 1 / Removes the Favorites folder from the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoRecentDocsMenu / REG_DWORD / 0 or 1 / Removes the Documents folder from the Start menu.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoSetActiveDesktop / REG_DWORD / 0 or 1 / Removes the Active Desktop item from the Settings menu.
System Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / DisableTaskMgr / REG_DWORD / 0 or 1 / Prevents Task Manager from running.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / NoDispAppearancePage / REG_DWORD / 0 or 1 / Removes ability to change Desktop colors or color scheme from Control Panel.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / NoDispBackgroundPage / REG_DWORD / 0 or 1 / Removes ability to change wallpaper and background pattern from Control Panel.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / NoDispCPL / REG_DWORD / 0 or 1 / Disable Display applet in Control Panel.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / NoDispScrSavPage / REG_DWORD / 0 or 1 / Removes Screen Saver tab from Display window in Control Panel.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / NoDispSettingsPage / REG_DWORD / 0 or 1 / Removes Settings and Plus tabs from Display window in Control Panel.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / DisableLockWorkstation / REG_DWORD / 0 or 1 / Disables the Lock Workstation button on the Ctrl+Alt+Del security window.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / DisableChangePassword / REG_DWORD / 0 or 1 / Disables the Change Password button on the Ctrl+Alt+Del security window.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoLogoff / REG_DWORD / 0 or 1 / Disables the Logoff button on the Ctrl+Alt+Del security window.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer / NoNTSecurity / REG_DWORD / 0 or 1 / Removes Security item from the Start menu. A security sequence, such as Ctrl+Alt+End will open the Security dialog window in a TSE environment.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / DisableRegistryTools / REG_DWORD / 0 or 1 / Prevents users from running Registry editing tools.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
* * Should also be added to:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / RunLogonScriptSync / REG_DWORD / 0 or 1 / Determines whether or not Windows Explorer waits to start until after completion of the logon script(s). Enabling this setting ensures that logon scripts will complete processing before users are allowed to begin their sessions (does not delay the appearance of the Desktop).
Windows Logon Settings
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / AllocateCDRoms / REG_SZ / 0 or 1 / 0 = CD’s in the CD-ROM drive may be accessed by all administrators in the domain.1 = Only the locally logged on user may access CD-ROM drive.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / AllocateFloppies / REG_SZ / 0 or 1 / 0 = Floppy disks in the floppy drive may be accessed by all administrators in the domain.
1 = Only the locally logged on user may access the floppy drive.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / AutoRestartShell / REG_DWORD / 0 or 1 / Determines whether or not the WinNT UI is started automatically if one of its components fails (1), or if the UI must be restarted by logging off and logging on again (0).
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / DcacheMinInterval / REG_DWORD / Range: 120 – 86400 seconds / Specify the amount of time the workstation must be locked in order for the domain list to refresh after unlocking (refreshing the domain list causes a noticeable delay).
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / ProfileDlgTimeOut / REG_DWORD / Specify # of seconds / Determines how long the system waits for a user response to the following events:
· The system cannot access/update a server-based profile at logon or logoff.
· A user’s local profile is newer than the server-based profile.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / RASForce / REG_DWORD / 0 or 1 / Determines whether or not the Logon Using Dial-Up Networking checkbox is cleared (0) or checked (1).
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / SlowLinkDetectEnabled / REG_DWORD / 0 or 1 / Determines whether or not the system detects slow links to server-based profiles (0), or if the user may select a locally cached profile if the timeout period is exceeded (1).
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / SlowLinkTimeOut / REG_DWORD / Range: 2000 – 120000 milliseconds / If a ping exceeds the specified value, the link is considered slow.
* Only used when value of SlowLinkDetectEnabled = 1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / System / REG_SZ /
Valid .exe file
/ Specifies executable files to be run by Winlogon in the system context (default .exe file is “lsass.exe”).HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / AutoAdminLogon / REG_SZ / 0 or 1 / Specify whether or not to automatically logon.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / DefaultDomainName / REG_SZ / Valid domain name / Specify the domain name to log into.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / DefaultUserName / REG_SZ / Valid user name / Specify a valid user account as per the domain being logged into.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / DefaultPassword / REG_SZ / Password for user name / Specify the password as per the user name.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / DonDisplayLastUserName / REG_SZ / 0 or 1 / Determine whether or not the user name of the last logged in user should display as a default user name in the Logon Information window.
* Should be “0” if AutoAdminLogon is enabled
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / DeleteRoamingCache / REG_DWORD / 0 or 1 / When using roaming profiles, determine whether a copy of the profile is locally cached when the user logs off (0), or whether it is deleted from the machine (1). This will force all sessions to be authenticated upon login, rather than being able to rely on locally cached sessions for authentication. CCS automated installation sets the value to “1”. / Yes
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / KeepRasConnections / REG_SZ / 0 or 1 / Determine whether or not the RAS connection is maintained when logging off Windows NT.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / LegalNoticeCaption / REG_SZ /
String value
/ Specify the caption of a message box that appears upon logon.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / LegalNoticeText / REG_SZ /
String value
/ Specify the text of a message box that appears upon logon. Special characters must be used to specify line feeds and carriage returns, which vary between Windows NT and 2000:Windows NT: Open the value in binary format. Insert “0D00” (no quotes) before the character that starts a new line.
Windows 2000: Open the value in binary format. Insert “0D000A00” (no quotes) before the character that starts a new line.
* Note: So that you do not have to count the number of binary characters that represent the first letter of a line, place a tilde (~) at the beginning of the line. The binary tilde is “7E00”, which may be replaced with the lf/cr special characters.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / LogonPrompt / REG_SZ /
String value
/ Text displays in the Logon Information window as a prompt for entering a valid username and password (default: “Enter a user name and password that is valid for this system.”).HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / Welcome / REG_SZ /
String value
/ Text displays in the title bar beside the title of the Begin Logon, Logon Information, Workstation Locked, and Unlock Workstation windows.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / PasswordExpiryWarning / REG_DWORD /
Number
/ Represents the number of days that the password expiration warning notice is displayed before the password expires.HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / PowerDownAfterShutdown / REG_SZ / 0 or 1 / Specify whether or not the computer automatically powers down after specifying “Shut down” to Windows NT/2000.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / ShutdownWithoutLogon / REG_SZ / 0 or 1 / Specify whether or not the Shutdown button appears on the Logon Information window. If set to “1”, a user may shut down the system without logging on.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon / ReportBootOk / REG_SZ / 0 or 1 / Determine whether the LastKnownGood Control Set is created (1), or if it is not created (0). Works in conjunction with the Registry values associated with the “Last Known Good” startup option located in HKLM\System\Select:
Current: Identifies a control set from the CurrentControlSet sub-key is derived; if this value is “1”, the sub-key producing the CurrentControlSet is ControlSet001.
Default: The default control set; if this value is “1”, the default control set is ControlSet001.
Failed: The control set that was last rejected and replaced with a LastKnownGood control set.
LastKnownGood: The last control set that successfully started the system.
To prevent the “Last Known Good” startup option from appearing as Windows NT is booting, set LetKnownGood and ReportBootOk to “0”.