none
Cannot Disable DiskMgmt Console

    Question

  • I need to disable diskmgmt.msc on my WS2016 but the group policy setting that is recommended is not working.

    After opening GPEDIT I go to Admin Templates under User Configuration, click on Windows Components, then Microsoft Management Console, then Restricted/Permitted Snap-ins, then Disk Management and change the setting to Disabled.

    I do a GPUPDATE /force and afterwards DiskMgmt.msc opens and displays as usual with all drives, etc. populated. I even rebooted the server and got the same result.

    This is a stand-alone server that is not a domain controller and not under domain control.

    I performed the same excercise on my Win10Pro box and got the same results.

    Please let me know if I'm missing something. Thought this would be easy/simple.

    Thank you, Herb


    Herb

    Friday, May 18, 2018 3:57 PM

All replies

  • Hi,

    Are you a local Administrator on the WS2016? Try with a normal user who isn't in the Local Administrators group on your Windows Server.

    Kind regards,
    Leon


    Blog: https://thesystemcenterblog.com  LinkedIn:   

    Friday, May 18, 2018 5:16 PM
  • Thanks Leon,

    I created a new user that is not a local administrator and is not a member of Administrators on the server. I logged into the new user and did a gpupdate /force but it acts the same way. Diskmgmt opens and lets me do whatever I want.

    In reality, I want to block the local Admin account because, instinctively, that’s what I log into and that’s where I want diskmgmt to be blocked.

    It seems like this should be such an easy thing to do.


    Herb

    Friday, May 18, 2018 6:46 PM
  • Hi,

    I just tested in my lab environment and I got it working for non local administrator users.

    • Make sure you have assigned the GPO to the right OU.
    • Make sure the Security Filtering is for the right Users.

    Here's a link to a troubleshooting guide for Problems Causing Group Policy To Not Apply

    Kind regards,
    Leon


    Blog: https://thesystemcenterblog.com  LinkedIn:   


    • Edited by Leon Laude Friday, May 18, 2018 6:49 PM typos
    Friday, May 18, 2018 6:49 PM
  • I'm not an expert with GPO (by far) but this computer is not under a domain and is not a DC so it's just using Local Computer Policy. Again, I want to prevent the local Administrator account from doing this because that's what I will typically log into. It seems like this is something that I should be able to do.


    Herb

    Friday, May 18, 2018 7:54 PM
  • Hi,

    There's the option to disable Local Users and Groups, this should work for your local administrators but then it will also restrict for the users.


    Here's a guide on how to apply local group policies to non-administrators or specific users:
    https://www.top-password.com/blog/apply-local-group-policy-to-non-administrators-in-windows-10/

    Kind regards,
    Leon


    Blog: https://thesystemcenterblog.com  LinkedIn:   

    Friday, May 18, 2018 8:39 PM
  • Thanks for the effort Leon, it looks like this suggestion simply prevents opening of the local users/groups console where you would add or edit local users and groups. That's not going to accomplish my goal of preventing diskmgmt.msc from launching.

    That's all I want to do. I just don't want the disk management console to be able to launch... period.

    It seems like the first thing I tried should work. I'm able to select that console and then mark it as disabled. Why is that not working? The description for that policy doesn't say anything about it not being enforced on the local admin account. So I assume that it will apply to any/all accounts on the server.

    It seems to me like this is a bug in group policy.


    Herb

    Friday, May 18, 2018 9:02 PM