Disable gpedit.msc and Control Panel\User Accounts using Domain-wide GPO

    Question

  • Hi All,

      We have a domain setup of Windows Server 2012 R2 and Windows 8.1 ENT clients. We are planning to restrict the domain users from accessing gpedit.msc as well as Control Panel\User Accounts\User Accounts via domain-wide group policy. How can we do this?

      We are already running a USB-R/W deny access Group Policy through an Active Directory GPO as user-based, so please suggest the same.

    Sathishkumar M

    Monday, July 27, 2015 7:51 AM

Answers

  • Look at User Configuration -> Administrative Templates -> System -> Prevent access to registry editing tools

    You can restrict access to the whole Control Panel via User Configuration -> Administrative Templates -> Control Panel -> Prohibit access to the Control Panel.

    Also you can hide specific control panel items through User Configuration\Administrative Templates\Control Panel\Hide specified Control Panel items

    See more on https://technet.microsoft.com/en-us/library/ee617167%28v=ws.10%29.aspx



    Monday, July 27, 2015 8:00 AM
  • First, you should know that only administrator accounts can open gpedit.msc by default.
     
    To “restrict the domain users of accessing gpedit.msc”, you can configure the group policy below:
     
    User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Object Editor
     
    If you enable this setting, the gpedit.msc snap-in is permitted. If you disable the setting, the snap-in is prohibited.
     
    By the way, the registry entry that this policy setting will change is HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}\Restrict_Run
     
    Hope this helps.
     

    Regards,

    Ethan Hua



    Tuesday, July 28, 2015 6:44 AM
    Moderator
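
Added example, not part of the thread: a read-only PowerShell check, run in a domain user's session after `gpupdate`, that confirms the restrictions named in the answers above actually landed in that user's policy registry keys. The `Restrict_Run` key is the one quoted in the thread; the Explorer policy path, the `NoControlPanel` and `DisallowCpl` value names, and the canonical name `Microsoft.UserAccounts` are assumptions to confirm against your ADMX templates.

```powershell
# Added example: read-only audit of the per-user policy values in the current session.
$mmcKey    = 'HKCU:\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}'  # from the thread
$explorer  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'             # assumed path
$targetCpl = 'Microsoft.UserAccounts'   # assumed canonical name of the User Accounts item

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-HiddenCplItems {
    # "Hide specified Control Panel items" stores one string value per hidden item.
    $key = Get-Item -LiteralPath "$explorer\DisallowCpl" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

$restrictRun = Get-PolicyValue $mmcKey   'Restrict_Run'
$noCpl       = Get-PolicyValue $explorer 'NoControlPanel'
$disallowOn  = Get-PolicyValue $explorer 'DisallowCpl'
$hidden      = Get-HiddenCplItems

$report = @(
    [pscustomobject]@{
        Setting  = 'Group Policy Object Editor snap-in'
        Raw      = $restrictRun
        Enforced = ($restrictRun -eq 1)     # 1 = prohibited, 0 = permitted
    }
    [pscustomobject]@{
        Setting  = 'Prohibit access to the Control Panel'
        Raw      = $noCpl
        Enforced = ($noCpl -eq 1)
    }
    [pscustomobject]@{
        Setting  = "Hide Control Panel item $targetCpl"
        Raw      = ($hidden -join ', ')
        Enforced = ($disallowOn -eq 1) -and ($hidden -contains $targetCpl)
    }
)

$report | Format-Table -AutoSize
# Non-zero exit when any restriction is missing, so the check can run from a logon script or scheduled task.
if ($report.Enforced -contains $false) { exit 1 }
```

The two Control Panel rows are alternatives, so only the one your GPO configures is expected to show as enforced; drop the other row before relying on the exit code.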
