Stop user access to control panel

  • Question

  • I've come across students who are copying the control panel shortcuts from somewhere onto a second drive on domain computers.

    If they click on one of the copied shortcuts it opens up the corresponding control panel applet. Very annoying.

    Even though the only access they have to control panel is through mobsync, copied shortcuts ignore the group policy as the policy says "hide", not "stop".

    Is there a way to stop users accessing control panel applets, except for the approved one?

    Sunday, April 7, 2013 6:13 AM

Answers

  • Reading this I think you are best off restricting access to the control panel items you do not want them to use.

    First the list with the programs behind the links:

    Add Hardware Wizard - hdwwiz.cpl
    Administrative Tools - control admintools
    Advanced System Properties ?
    Advanced tab - SystemPropertiesAdvanced.exe
    Computer Name tab - sysdm.cpl or SystemPropertiesComputerName.exe
    Prevention tab - SystemPropertiesDataExecutionPrevention.exe
    Hardware tab - SystemPropertiesHardware.exe
    System Protection tab - SystemPropertiesProtection.exe
    Remote tab - SystemPropertiesRemote.exe
    AutoPlay - control /name Microsoft.AutoPlay
    Backup and Restore Center - control /name Microsoft.BackupAndRestoreCenter
    Backup Status and Configuration - sdclt.exe
    BitLocker Drive Encryption - control /name Microsoft.BitLockerDriveEncryption
    Bluetooth Devices - bthprops.cpl
    Date And Time - timedate.cpl or control date/time
    Display Settings - desk.cpl
    Default Programs - control /name Microsoft.DefaultPrograms
    Device Manager - devmgmt.msc
    Disk Manager - diskmgmt.msc
    Ease of Access Center - access.cpl or Utilman.exe
    Game Controllers - joy.cpl
    Indexing Options - control /name Microsoft.IndexingOptions
    Internet Options - inetcpl.cpl
    Keyboard Properties - control keyboard
    Mouse Properties - main.cpl or control mouse
    Network and Sharing Center - control /name Microsoft.NetworkandSharingCenter
    Network Connections - ncpa.cpl or control netconnections
    Offline Files - control /name Microsoft.OfflineFiles
    Parental Controls - control /name Microsoft.ParentalControls
    Pen and Input Devices - TabletPC.cpl
    People Near Me - collab.cpl or p2phost.exe
    Phone and Modem Options - telephon.cpl or control telephony
    Power Options - powercfg.cpl
    Printers - control printers
    Problem Reports and Solutions - wercon.exe
    Programs and Features - appwiz.cpl
    Regional and Language Options - intl.cpl or control international
    Scanners and Cameras - sticpl.cpl
    Secure Online Key Backup - control /name Microsoft.SecureKeyBackup
    Security Center - wscui.cpl
    Sound - mmsys.cpl
    Speech Recognition Options - control /name Microsoft.SpeechRecognitionOptions
    Sync Center - mobsync.exe
    System - control /name Microsoft.System
    Tablet PC Settings - control /name Microsoft.TabletPCSettings
    Task Scheduler - control schedtasks
    Text to Speech - sapi.cpl or control speech
    User Accounts - nusrmgr.cpl or Netplwiz.exe or control userpasswords
    User Accounts (advanced) - control userpasswords2
    Volume Mixer - SndVol.exe
    Welcome Center - control.exe /name Microsoft.WelcomeCenter
    Windows Defender - MsAsCui.exe
    Windows Firewall - Firewall.cpl or FirewallControlPanel.exe
    Windows Firewall Settings - FirewallSettings.exe
    Windows Sidebar Properties - control.exe /name Microsoft.WindowsSidebarProperties
    Windows SideShow - control.exe /name Microsoft.WindowsSideshow
    Windows Update - control.exe /name Microsoft.WindowsUpdate

    Now you could, for example, put rights on the plethora and exclude those they should not access. Another option is, for example, AppLocker: http://www.techtipsgeek.com/use-applocker-windows-7-restrict-access-programs/7241/.

    Cheers,


    /Luge


    Monday, April 8, 2013 12:43 PM

All replies

  • Hi,

    Please create a GPO at the user configuration level and follow the steps below.

    Create a new DWORD value, or modify the existing value, called 'NoControlPanel' and set the value to '1' to enable the restriction.

    Exit your registry, you may need to restart for the changes to take effect.

    Registry Editor Example
    | Name           | Type      | Data            |
    | (Default)      | REG_SZ    | (value not set) |
    | NoControlPanel | REG_DWORD | 0x00000001 (1)  |
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\...

    Registry Settings
    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Value Name: NoControlPanel
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = disable restriction, 1 = enable restriction)

    MD Disclaimer: The opinions expressed herein are my own knowledge. Deploy this at your own risk. Whenever you see a helpful reply, just click on “Propose As Answer” / “Marked As Answer” and please do "VOTE".

    Sunday, April 7, 2013 7:33 AM
  • Are there specific applets you want to stop them accessing?  You can use a GPO to lock down some settings, such as Display, Add/Remove Programs, Printers, etc.  Look in:

    User Configuration -> Policies -> Administrative Templates -> Control Panel

    You could, for example, Disable the Display Control Panel to stop them changing the screen resolution, or prevent changing of colour scheme, or prevent changing regional settings.

    Or there is the 'Prohibit access to the Control Panel' setting that will restrict all Control Panel applets.

    Sunday, April 7, 2013 7:40 AM
  • Thanks for the ideas.

    Unfortunately completely disabling access to control panel isn't appropriate as I want them to be able to resolve offline file conflicts themselves.

    This relies on access to control panel.

    Other options merely hide the control panel buttons, and as I originally explained, they bring their own.

    I'm experimenting with merging computer configuration settings which may be a bit more hard nosed than user settings.

    Sunday, April 7, 2013 10:57 PM
  • Matt,

    What Windows version(s) are these systems? Concerning the control panel items they run via shortcut: do you ever want to allow them to run those same control panel tools under any circumstances? And which particular control panel items do you wish to disallow?

    Sorry about the shotgun questions, but there are a few solutions I've used to 'nibble' away this general type of problem in the past; which (if any) would be appropriate for you depends on the details, though.

    Monday, April 8, 2013 2:55 AM
  • I think it's reasonable they can resolve offline file issues, so mobsync.

    Add printers, so devices and printers.

    Change which wireless network they connect to, and as they are 1:1 devices and go home, add their home wireless network.

    I can't see a reason that they need to change display settings, so access to that isn't needed.

    Other items I definitely want them out of.

    Monday, April 8, 2013 4:00 AM
  • Oops - you forgot to mention the Windows version or versions. I know, it's late. ;)

    This is going to be a divide-and-conquer problem requiring action for each control panel item, but the specifics I've had to try vary depending on Windows version.


    Monday, April 8, 2013 5:43 AM
  • Oops - you forgot to mention the Windows version or versions. I know, it's late. ;)

    This is going to be a divide-and-conquer problem requiring action for each control panel item, but the specifics I've had to try vary depending on Windows version.


    Win7 x64

    I'm pleased you are seeing it as more complex than a simple GPO.

    Monday, April 8, 2013 10:27 AM
  • Great! Luc has a complete list.

    The tricky part here is that you need to deny users rights to most of that list, on each and every machine, either via script (probably centered on cacls.exe) or by constructing a custom security template. Have you worked with either before?

    Tuesday, April 9, 2013 6:58 AM
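
An added example, not part of any post in this thread: a read-only PowerShell audit for the approach discussed above, reporting which of the listed Control Panel binaries still lack a Deny entry covering execute for the restricted group. The group name `CONTOSO\Students`, the approved list and the chosen subset of file names are assumptions; the script changes no permissions.

```powershell
# Added example (not from the thread): report which Control Panel binaries
# still lack a Deny-execute entry for the restricted group.
$Group    = 'CONTOSO\Students'   # hypothetical group name, replace with yours
$Approved = @('mobsync.exe')     # applets students keep (Sync Center)

# Subset of the file names listed in the answer above; extend as needed.
$Applets = @(
    'hdwwiz.cpl', 'sysdm.cpl', 'timedate.cpl', 'desk.cpl', 'inetcpl.cpl',
    'main.cpl', 'powercfg.cpl', 'appwiz.cpl', 'intl.cpl', 'nusrmgr.cpl',
    'Netplwiz.exe', 'Firewall.cpl', 'devmgmt.msc', 'diskmgmt.msc', 'mobsync.exe'
)

# Win7 x64 keeps 32-bit copies in SysWOW64, so both folders are checked.
$Folders = @('System32', 'SysWOW64') |
    ForEach-Object { Join-Path $env:SystemRoot $_ } |
    Where-Object { Test-Path $_ }

$ExecuteBit = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

$Report = foreach ($folder in $Folders) {
    foreach ($name in $Applets) {
        $path = Join-Path $folder $name
        if (-not (Test-Path $path)) { continue }   # not present on this build

        # Deny ACEs (explicit or inherited) for $Group that include execute.
        $deny = @((Get-Acl -Path $path).Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Deny' -and
            (([int]$_.FileSystemRights -band $ExecuteBit) -ne 0)
        })

        $isApproved = $Approved -contains $name
        if     ($isApproved -and $deny.Count -gt 0) { $status = 'ApprovedButDenied' }
        elseif ($isApproved)                        { $status = 'ApprovedAllowed' }
        elseif ($deny.Count -gt 0)                  { $status = 'Denied' }
        else                                        { $status = 'NotRestricted' }

        New-Object PSObject -Property @{ Path = $path; Status = $status }
    }
}

$Report | Sort-Object Status, Path | Format-Table Path, Status -AutoSize
```

The check matches only ACEs that name `$Group` directly; a Deny applied through a different or nested group will show as `NotRestricted`.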
  • Thanks Luc, I got distracted and only just dropped back in. I appreciate the completeness of your answer.
    Saturday, May 11, 2013 10:17 AM
  • No, haven't worked with either. I was thinking of using a registry collection wizard in GPP. I'll see what I can find using Google and the words defined. Thanks.
    Saturday, May 11, 2013 10:20 AM
  • I appreciate your reply (update) back Matt.

    Cheers,

    Luc


    /Luge

    Monday, May 13, 2013 7:09 AM