Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account



Photo

Disabling Group Policy restrictions through the registry

- - - - -

  • Please log in to reply
11 replies to this topic

#1
SutherlandAndrew

SutherlandAndrew
  • Member
  • 5 posts
  • Joined 26-October 06
I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------
[Version]
Signature= "$Windows NT$"

[DefaultInstall]
DelReg=DelValues

[DelValues]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"
HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"
HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"
HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"
HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!
Andrew


How to remove advertisement from MSFN

#2
swammer

swammer

    Newbie

  • Member
  • 18 posts
  • Joined 20-July 05
nice tip. Where is the excel file? I'd like to see what the other policies are and where they are in the registry.

#3
r3incarnat0r

r3incarnat0r

    VB.NET n00b

  • Member
  • PipPip
  • 151 posts
  • Joined 07-March 06
  • OS:none specified
  • Country: Country Flag
Download the file here.

It is too big to attach. :)
Si vis pacem, para bellum.

#4
Plamdi

Plamdi

    Junior

  • Member
  • Pip
  • 82 posts
  • Joined 22-March 06

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!
Andrew

Nice contribution.

#5
swammer

swammer

    Newbie

  • Member
  • 18 posts
  • Joined 20-July 05
does anyone know where the policy is to disable creation of local users on a workstation?

#6
SutherlandAndrew

SutherlandAndrew
  • Member
  • 5 posts
  • Joined 26-October 06

does anyone know where the policy is to disable creation of local users on a workstation?


http://www.microsoft...9.mspx?mfr=true :)

#7
Idontwantspam

Idontwantspam

    Nerd-in-Chief

  • Member
  • PipPipPipPipPipPip
  • 1,063 posts
  • Joined 25-February 07
Help me!!

I am using this information to disable the task manager, lock computer and change password from certain user accounts. I read in the excel document that I should go to:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword

I go as far as "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\", but then I don't know what to do next. What do I need to create to do this? The options I see under the Policies "folder" are "(Default)" and a folder called "Explorer" which has only "(Default)" and "NoDriveTypeAutoRun". So what do I need to add here? Help me please, someone!

UPDATE:

OK, I have everything there, but nothing seems to be happening. I used DWORD values - was that right? Do I need to set their values to 1 or someting like that? Not seeing any effect...

Edited by Idontwantspam, 21 March 2007 - 10:39 PM.

-Idontwantspam

What's your home network like?
Windows 7: It does fancy!

#8
Idontwantspam

Idontwantspam

    Nerd-in-Chief

  • Member
  • PipPipPipPipPipPip
  • 1,063 posts
  • Joined 25-February 07
OK, I've got it down now. I had to create new keys, DWORD values, and set them to "1" (I had them on "0") Now it's all working.
-Idontwantspam

What's your home network like?
Windows 7: It does fancy!

#9
ShesABMJ

ShesABMJ
  • Member
  • 1 posts
  • Joined 22-October 10
  • OS:none specified
  • Country: Country Flag
This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup




I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------
[Version]
Signature= "$Windows NT$"

[DefaultInstall]
DelReg=DelValues

[DelValues]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"
HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"
HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"
HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"
HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!
Andrew



#10
SutherlandAndrew

SutherlandAndrew
  • Member
  • 5 posts
  • Joined 26-October 06

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup


Wow, this is an old post! Brings back memories. Glad you found it useful!

Andrew

#11
pat2

pat2
  • Member
  • 1 posts
  • Joined 12-May 13
  • OS:Windows 7 x64
  • Country: Country Flag
Andrew Sutherland, this is Michele from Italy!

YOU ARE GREAT!! WONDERFULL TWEAK!!! I WAS SEARCHING ON INTERNET SURE IT WAS AN ANGEL WITH THE RIGHT ANSWER. iT'S YOU!

ciao

Note: where do i could download the excel file you are mentioning in the post?
Please, if you want you could send me to -removed-

thaaaaaaaaaaanks

Edited by pat2, 13 May 2013 - 12:48 PM.


#12
submix8c

submix8c

    Inconceivable!

  • Patrons
  • 4,379 posts
  • Joined 14-September 05
  • OS:none specified
  • Country: Country Flag
Google
xp "group policies" xls
Please remove your email address...

A Group Policy Primer -
http://www.dedoimedo...s/policies.html

More Info -
http://support.microsoft.com/kb/307882

Side note - GPEDIT.MSC is not on XP Home Edition. Can be "transplanted" onto XP Home.

Someday the tyrants will be unthroned... Jason "Jay" Chasteen; RIP, bro!

Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users