Disabling Group Policy restrictions through the registry

#1 SutherlandAndrew

Group: Members
Posts: 5
Joined: 26-October 06

Posted 26 October 2006 - 10:28 AM

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------
[Version]
Signature= "$Windows NT$"

[DefaultInstall]
DelReg=DelValues

[DelValues]
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"
HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"
HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"
HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"
HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"
HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site

-if this is the wrong forum location, can someone pls move it for me. thanks!
Andrew

#2 swammer

Newbie

Group: Members
Posts: 18
Joined: 20-July 05

Posted 27 October 2006 - 11:34 AM

nice tip. Where is the excel file? I'd like to see what the other policies are and where they are in the registry.

#3 r3incarnat0r

VB.NET n00b

Group: Members
Posts: 151
Joined: 07-March 06
OS:none specified

Posted 27 October 2006 - 04:43 PM

Download the file here.

It is too big to attach.

#4 Plamdi

Junior

Group: Members
Posts: 82
Joined: 22-March 06

Posted 28 October 2006 - 09:44 PM

SutherlandAndrew, on Oct 27 2006, 03:28 AM, said:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site

-if this is the wrong forum location, can someone pls move it for me. thanks!
Andrew

Nice contribution.

#5 swammer

Newbie

Group: Members
Posts: 18
Joined: 20-July 05

Posted 30 October 2006 - 09:25 AM

does anyone know where the policy is to disable creation of local users on a workstation?

#6 SutherlandAndrew

Group: Members
Posts: 5
Joined: 26-October 06

Posted 29 November 2006 - 02:01 PM

swammer, on Oct 30 2006, 10:25 AM, said:

does anyone know where the policy is to disable creation of local users on a workstation?

http://www.microsoft.com/technet/prodtechn...9.mspx?mfr=true

#7 Idontwantspam

Nerd-in-Chief

Group: Members
Posts: 1,063
Joined: 25-February 07

Posted 20 March 2007 - 06:27 PM

Help me!!

I am using this information to disable the task manager, lock computer and change password from certain user accounts. I read in the excel document that I should go to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword

I go as far as "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\", but then I don't know what to do next. What do I need to create to do this? The options I see under the Policies "folder" are "(Default)" and a folder called "Explorer" which has only "(Default)" and "NoDriveTypeAutoRun". So what do I need to add here? Help me please, someone!

UPDATE:

OK, I have everything there, but nothing seems to be happening. I used DWORD values - was that right? Do I need to set their values to 1 or someting like that? Not seeing any effect...

This post has been edited by Idontwantspam: 21 March 2007 - 10:39 PM

#8 Idontwantspam

Nerd-in-Chief

Group: Members
Posts: 1,063
Joined: 25-February 07

Posted 22 March 2007 - 04:26 PM

OK, I've got it down now. I had to create new keys, DWORD values, and set them to "1" (I had them on "0") Now it's all working.

#9 ShesABMJ

Group: Members
Posts: 1
Joined: 22-October 10
OS:none specified
Country:

Posted 22 October 2010 - 03:51 PM

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup

SutherlandAndrew, on 26 October 2006 - 10:28 AM, said:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site

-if this is the wrong forum location, can someone pls move it for me. thanks!
Andrew

#10 SutherlandAndrew

Group: Members
Posts: 5
Joined: 26-October 06

Posted 22 October 2010 - 03:57 PM

ShesABMJ, on 22 October 2010 - 03:51 PM, said:

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup

Wow, this is an old post! Brings back memories. Glad you found it useful!

Andrew

#11 pat2

Group: Members
Posts: 1
Joined: 12-May 13
OS:Windows 7 x64
Country:

Posted 12 May 2013 - 03:01 AM

Andrew Sutherland, this is Michele from Italy!

YOU ARE GREAT!! WONDERFULL TWEAK!!! I WAS SEARCHING ON INTERNET SURE IT WAS AN ANGEL WITH THE RIGHT ANSWER. iT'S YOU!

ciao

Note: where do i could download the excel file you are mentioning in the post?
Please, if you want you could send me to -removed-

thaaaaaaaaaaanks

This post has been edited by pat2: 13 May 2013 - 12:48 PM

#12 submix8c

Inconceivable!

Group: Patrons
Posts: 3,247
Joined: 14-September 05
OS:none specified
Country:

Posted 12 May 2013 - 01:39 PM

Google

xp "group policies" xls

Please remove your email address...

A Group Policy Primer -
http://www.dedoimedo...s/policies.html

More Info -
http://support.microsoft.com/kb/307882

Side note - GPEDIT.MSC is not on XP Home Edition. Can be "transplanted" onto XP Home.

MSFN Forum: Disabling Group Policy restrictions through the registry - MSFN Forum