Creating Desktop Shortcuts using Group Policy (GPO)

Using Group Policies, you can create a shortcut to a specific application and deploy it to the desktops of all users in the domain (or to specific users only). This article shows how to use Group Policy Preferences (GPP) to create shortcuts on users’ desktops.

Group Policy Preferences can be used to create a shortcut to a locally installed app, an executable on a shared folder (via UNC path), a URL, or a Control Panel item.

Create a Desktop Shortcut for All Users Using GPO

Suppose your task is to create a shortcut on all domain users’ desktops pointing to an application executable stored in a shared network folder (a portable app that doesn’t require installation).

In our example, the UNC path to the executable looks like this \\fs01\TCPView\tcpview.exe. Check that the NTFS permissions on the folder allow at least Read+Execute for Authenticated Users or Users.

1. Open the Group Policy Management console (gpmc.msc), right-click an AD container (Organizational Unit) you want to apply a shortcut creation policy to and create a new policy (a GPO object) named CreateShortcut;
2. Right-click on the created policy and select Edit;
3. Go to the Group Policy Preferences section: User Configuration –> Preferences -> Windows Settings -> Shortcuts. Right-click and select New -> Shortcut;
4. Create a new shortcut item with the following settings:
   

   Name: TCPView (shortcut display name)

   Target Type: File System Object (this can also be a URL or a Shell object item.)

   Location: Desktop (create a shortcut on the current user’s desktop) Here you can specify one of the 15 built-in shortcut locations. For example, Start Menu, Startup, All Users Desktops, etc.

   Target Path: \\fs01\TCPView\tcpview.exe (the full path to the file (object) to which you want to create a shortcut)

   Arguments: if required, you can specify additional arguments to run the app.

   Icon file path: a path to the shortcut icon. Use your custom ICO file or a standard library of common Windows icons. (%SystemRoot%\System32\SHELL32.dll). The icon number must be specified in the Icon Index field if multiple icons are in the file.

5. Various environment variables can be used in the target object path. For example, %WindowsDir%\cmd.exe, %ProgramFilesDir%\myapp\woshub.exe, %ProgramFiles(x86)%\woshub.exe. Press F3 in the shortcut configuration dialogue in GPP to display a full list of available environment variables.
6. If you want to create the shortcut on the current user’s desktop (Location = Desktop), check the Run in logged-on user’s security context (user policy option) on the Common tab;
7. If you want to create an app shortcut in the Public user profile (for all computer users), set Location = All User Desktop (uncheck the “Run in logged-on user’s security context” option since non-admin users do not have the permissions to make changes to the Public profile);
8. Save the changes. Note that the Desktop (%DesktopDir%) and All User Desktop (%CommonDesktopDir%) environment variables are displayed in the shortcut paths in the GPO console (the %CommonDesktopDir% variable is deprecated and it is recommended to use the %Public%\Desktop instead)
9. If you specify a network UNC path to a shortcut icon file (*.ico) in the policy settings, be sure to enable the GPO option Allow the use of remote paths in file shortcut icons in Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer. Without this option, the shortcut icon will not be displayed (instead of an image, you will see a blank white icon). 
10. Update policy settings on client computers (gpupdate /force or by logoff/logon).
    If you have linked a GPO to an Organizational Unit that contains computer objects (instead of users), enable the GPO loopback option. Set Configure user Group Policy loopback processing mode =  Merge in Computer Configuration -> Policies -> Administrative Templates -> System -> Group Policy.
11. Once the policies have been updated, a new shortcut should appear on the user’s desktop.

If the desktop shortcut does not appear on a client, check the Group Policy logs in the Event Viewer snap-in (eventvwr.msc). Go to the Applications log and filter events by the Group Policy Shortcuts source.

In my case, the error indicates that the shortcut could not be created because the path to the source file is incorrect:

The user 'TCPView' preference item in the 'CreateAppShortcuts' Group Policy Object did not apply because it failed with error code '0x80070002 The system cannot find the file specified.' This error was suppressed.

Use Group Policy to Add a Desktop Shortcut for Target Users Only

If you want to create a Group Policy that only creates shortcuts on the desktops of specific users, use the item-level targeting in GPP.

1. Create a security group in the AD domain and add all the users to whom you want the shortcut creation policy to apply.
2. Open the shortcut properties in the Group Policy editor, go to the Common tab, enable the Item-level targeting option, and click the Targeting button
3. Select New Item -> Security Group and specify the domain group name. This policy will only create the app shortcut for users added to the specified Active Directory security group

A single GPO can contain multiple shortcut creation rules for different users, groups, computers, or OUs (see screenshot). For example:

• Shortcut to a shared network folder (Can be used instead of a network drive mapped via GPO)
• Shortcut to RDP file containing RDS farm connection settings
• LogOut shortcut used to quickly end a user’s session (with  logoff.exe or shutdown.exe /l command)