Here's what we use to control the windows 8 start menu layout..
c:\windows\system32\attrib.exe "c:\Users\Default\AppData\Local\Microsoft\Windows\ appsFolder.itemdata-ms" -R
echo f | xcopy "\\server\netlogon\start menus\Pinned_Items\appsFolder.itemdata-ms" "c:\Users\Default\AppData\Local\Microsoft\Windows\ appsFolder.itemdata-ms" /D /Y
c:\windows\system32\attrib.exe "c:\Users\Default\AppData\Local\Microsoft\Windows\ appsFolder.itemdata-ms" +R
administrive templates -> start menu and taskbar -> Remove drag-and-drop and context menus on the Start Menu
user registry entry:
key path - HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once
name - Allow start menu updating
type - REG_SZ
data - c:\windows\system32\attrib.exe "%USERPROFILE%\appdata\local\microsoft\windows\app sfolder.itemdata-ms" -R
copy "\\server\netlogon\start menus\Pinned_Items\appsFolder.itemdata-ms" "%userprofile%\AppData\Local\Microsoft\Windows\app sFolder.itemdata-ms" /Y
Now i shall explain it all.
The startup block copies the network version of your start menu layout to the "default user" in windows. This means that any newly created profiles will get this layout applied. The issue is that windows always replaces this file when it creates a new user, so you have to set the file as read only to prevent this. That is why the startup block removes the read only, updates the file, then marks it as read only again. Note: if you have not run this command then you will not see the file as it does not exist by default.
The user GPO setting is what prevents the user from being able to edit the layout, however it also means no "run as administrator" option on the start menu. If you want to prevent the start menu background being changed, i believe you have to disable control panel access.
The registry setting removes the read only setting from the copy of the file within the users profile (as when windows copies the file over, the permissions are maintained), allowing you to maintain the layout via the following login script.
The login script copies the current layout to users profiles so they always have the up to date version on login.
To create/update the layout you just have a test computer in an OU with the "Remove drag-and-drop and context menus on the Start Menu" setting disabled so you can edit the layout. Then you just log off, browse to the user profile of the account you used and copy the file from the profile to your network location.
Also, incase any of you using roaming profiles have noticed that the file is stored in the "local" folder, windows copies it to the roaming folder on logoff and then back again on logon.