locked
How to restrict access to computer management console (compmgmt.msc) RRS feed

  • Question

  • Hi all,

    I have set some users to members of local admins on some computers.  Reason : tomcat 5.5 is installed on those computers and users without admin rights cannot start tomcat service. 

    How can I restrict those users from accessing compmgmt.msc ( or all mscs) ? 

    Thanks for your help
    Thursday, April 9, 2009 9:12 AM

Answers

  • Hi,

    You can also create a GPO for those users and configure the following  Group Policy to disable Computer Management Console.

    User Configuration\Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted.

    Thanks

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Thursday, April 16, 2009 1:09 AM
    Friday, April 10, 2009 3:36 AM
  • Hi,

    As it say here: http://support.microsoft.com/kb/271135/en-us
    To disable that msc, edit the registry and make the subkey HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{58221c67-ea27-11cf-adcf-00aa00a80033} to have value 1.
    Have a nice day! The Masterplan - MCSE,MCITP-EA http://winmasterplan.blogspot.com
    • Marked as answer by Mervyn Zhang Thursday, April 16, 2009 1:09 AM
    Thursday, April 9, 2009 1:46 PM
  • Do it using GPO.

    Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies


    Click Action  > Create New Policy
    Right Click Additional Rules > Create Hash Rule
    Click the Browse Button
    Navigate to the Executable/Program you want to stop users using.
    Click OK
    Set the Security Level to “Disallowed”
    Click Apply > OK

    Go to the users computer > Start > Run > Cmd > gpupdate /force.

    []`s

    Thiago Pereira | http://thiagoinfrat.spaces.live.com | http://www.winsec.org
    • Marked as answer by Mervyn Zhang Thursday, April 16, 2009 1:09 AM
    Friday, April 10, 2009 1:48 AM

All replies

  • Hi,

    As it say here: http://support.microsoft.com/kb/271135/en-us
    To disable that msc, edit the registry and make the subkey HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{58221c67-ea27-11cf-adcf-00aa00a80033} to have value 1.
    Have a nice day! The Masterplan - MCSE,MCITP-EA http://winmasterplan.blogspot.com
    • Marked as answer by Mervyn Zhang Thursday, April 16, 2009 1:09 AM
    Thursday, April 9, 2009 1:46 PM
  • Do it using GPO.

    Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies


    Click Action  > Create New Policy
    Right Click Additional Rules > Create Hash Rule
    Click the Browse Button
    Navigate to the Executable/Program you want to stop users using.
    Click OK
    Set the Security Level to “Disallowed”
    Click Apply > OK

    Go to the users computer > Start > Run > Cmd > gpupdate /force.

    []`s

    Thiago Pereira | http://thiagoinfrat.spaces.live.com | http://www.winsec.org
    • Marked as answer by Mervyn Zhang Thursday, April 16, 2009 1:09 AM
    Friday, April 10, 2009 1:48 AM
  • Hi,

    You can also create a GPO for those users and configure the following  Group Policy to disable Computer Management Console.

    User Configuration\Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted.

    Thanks

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Thursday, April 16, 2009 1:09 AM
    Friday, April 10, 2009 3:36 AM
  • Hi,

    As it say here: http://support.microsoft.com/kb/271135/en-us
    To disable that msc, edit the registry and make the subkey HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC\{58221c67-ea27-11cf-adcf-00aa00a80033} to have value 1.
    Have a nice day! The Masterplan - MCSE,MCITP-EA http://winmasterplan.blogspot.com
    Hi,
    I am trying to disable "computer Management" from computer. but in registry i didn't find entry MMC under Microsoft.
    Please let me know what to do now.
     
    Friday, April 24, 2009 7:20 PM