Welcome to MSFN

Register now to gain access to all of our features. Once registered and logged in, you will be able to contribute to this site by submitting your own content or replying to existing content. You'll be able to customize your profile, receive reputation points as a reward for submitting content, while also communicating with other members via your own private inbox, plus much more! This message will be removed once you have signed in.


SutherlandAndrew

Disabling Group Policy restrictions through the registry

12 posts in this topic

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------

[Version]

Signature= "$Windows NT$"

[DefaultInstall]

DelReg=DelValues

[DelValues]

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"

HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"

HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"

HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"

HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

0

Share this post


Link to post
Share on other sites

nice tip. Where is the excel file? I'd like to see what the other policies are and where they are in the registry.

0

Share this post


Link to post
Share on other sites
I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

Nice contribution.
0

Share this post


Link to post
Share on other sites

does anyone know where the policy is to disable creation of local users on a workstation?

0

Share this post


Link to post
Share on other sites

Help me!!

I am using this information to disable the task manager, lock computer and change password from certain user accounts. I read in the excel document that I should go to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword

I go as far as "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\", but then I don't know what to do next. What do I need to create to do this? The options I see under the Policies "folder" are "(Default)" and a folder called "Explorer" which has only "(Default)" and "NoDriveTypeAutoRun". So what do I need to add here? Help me please, someone!

UPDATE:

OK, I have everything there, but nothing seems to be happening. I used DWORD values - was that right? Do I need to set their values to 1 or someting like that? Not seeing any effect...

Edited by Idontwantspam
0

Share this post


Link to post
Share on other sites

OK, I've got it down now. I had to create new keys, DWORD values, and set them to "1" (I had them on "0") Now it's all working.

0

Share this post


Link to post
Share on other sites

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------

[Version]

Signature= "$Windows NT$"

[DefaultInstall]

DelReg=DelValues

[DelValues]

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"

HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"

HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"

HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"

HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

0

Share this post


Link to post
Share on other sites

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup

Wow, this is an old post! Brings back memories. Glad you found it useful!

Andrew

0

Share this post


Link to post
Share on other sites

Andrew Sutherland, this is Michele from Italy!

YOU ARE GREAT!! WONDERFULL TWEAK!!! I WAS SEARCHING ON INTERNET SURE IT WAS AN ANGEL WITH THE RIGHT ANSWER. iT'S YOU!

ciao

Note: where do i could download the excel file you are mentioning in the post?

Please, if you want you could send me to -removed-

thaaaaaaaaaaanks

Edited by pat2
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.