
Restricting user accounts with registry-based group policies



Posted (edited)

It seems that someone on this forum, myself included, is always asking how to restrict users on their computer without restricting their own accounts. Doing this can be very beneficial since you might not want your younger brother editing the registry, but you need to be able to. The Group Policy Editor (gpedit.msc) that is built into Windows cannot make changes to an individual user or group; changes made there affect ALL users of the computer. However, many restrictions are stored in the registry, and can be applied to only one user. This tutorial will teach you what I have learned about restricting individual users. Note that this is not for domain users - you can use group policy with Active Directory to apply policies to OUs, which I'm not going to discuss here.

_________________________________________________________

For those who already know the general ideas behind group policy and the like, skip ahead to the next section. If you're new to this, keep reading.

Group Policy is a Microsoft technology to apply settings to groups of users. Originally, it was used in Windows NT domains, and was very limited in what it could do. When Active Directory was introduced with Windows 2000, Group Policy got a major update, with hundreds of settings. Instead of the old interface, group policy was now a part of the Microsoft Management Console. Group Policy was designed to be used on an AD domain, but could also be applied locally. In an AD setting, policies could be applied to groups or OUs. Users of computers not on a domain could still use the Group Policy Object Editor, gpedit.msc, to edit policies locally, but they could only be applied to the entire computer, and thus all users on the computer would get the same settings. Since most settings served to restrict things, this was bad news for users who wanted to restrict some but not all users of the computer. Group policy in Windows XP and Windows Server 2003 is very similar to how it is in Windows 2000, with only some minor differences and the addition of some new policies. Despite the fact that policies could only be set for all users, there is a way around this. Many user settings are stored in the registry. When settings are made using gpedit that affect the entire machine, the changes are either applied to the HKLM key or to the HKCU key of every single user. However, it is possible to make these same exact changes to an individual user's registry hive. This is the method I will be using.

_________________________________________________________

There are two ways to apply policies to only a certain user. Both methods require editing the registry, so if you aren't familiar with registry editing yet, you might want to learn a little more about that first. Try reading KB256986 to start with.

WARNING!

If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

_________________________________________________________

OK, now that you've been warned, let's go on.

So, the two methods. The first method, which is easier at first but in reality the less preferable of the two, is to log on as the user you wish to restrict and edit HKCU for that user. However, regular users do not have write access to the policies key, so you'll have to temporarily make the user a member of the Administrators group in order to do this. Also, to log on as the user, you need to know their password. So, this is not the preferable method.

The better way of doing things is to load the user's profile. This must be done from an account with administrative privileges. What you will do is basically open the user's profile as a registry hive and edit it from there without ever having to log in.

To load a user's profile:

  • First log on as an admin and open regedit.exe.
  • Now, click on HKEY_USERS, then go to the file menu and click "Load Hive".
  • Browse to that user's profile. This will usually be C:/Documents and Settings/<username>/
  • Now, double-click on ntuser.dat.
  • Name the hive "restrict_1", without quotes. You could theoretically name it anything you want, but my examples will use restrict_1 as the name.
  • Click OK

The user's profile should now be loaded. Note that you should NEVER do this when that user is logged on (if you have user switching enabled, which I don't recommend).


_________________________________________________________

Once the user's hive has been loaded, it's time to start working. Navigate to the following key, since this is where you'll be doing most of your work:

HKU\restrict_1\Software\Microsoft\Windows\CurrentVersion\Policies

Once you're there, you might need to create some new subkeys. If Explorer, System or Network aren't there, go ahead and add them. Right-click on "Policies" and choose New > Key.


And name it as directed.

_________________________________________________________

Once you've got all this set up, you need to decide what you want to restrict. The following Excel worksheet will be immensely helpful. It contains all the group policies you can set through the registry, whether they're machine or user settings, which operating systems they apply to, and, wonderfully, where in the registry to make the change.

Here is the link to the file. Requires Microsoft Excel or Excel Viewer. Might be OpenOffice compatible, I don't know.

download

_________________________________________________________

For most of these, here's the procedure for setting the policy:

  • Navigate to the specified path. This will typically be given as HKCU\something. You will want to go to the hive you loaded instead. Generally these changes should be made in
    HKU\restrict_1\Software\Microsoft\Windows\CurrentVersion\Policies
    or occasionally in
    HKU\restrict_1\Policies\Microsoft\Windows.


  • Most settings are stored as a DWORD value. Open the proper key, and right-click. Choose New > DWORD Value.
  • Name the DWORD value according to the info in the spreadsheet. For example, to restrict access to registry tools, the info in the spreadsheet says:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableRegistryTools
    So, you would go to HKU\restrict_1\Software\Microsoft\Windows\CurrentVersion\Policies\System and create a new DWORD value named DisableRegistryTools.
  • Set the value of the DWORD to 1 for policy enabled and 0 for policy disabled.


_________________________________________________________

After making the desired changes,

MAKE SURE TO UNLOAD THE USER'S REGISTRY HIVE! THIS IS CRITICAL

If you don't unload the user's hive, then when they attempt to log on, they will get the following error:

PUT IMAGE 5 HERE!

And once they log on, not only will your new settings not take effect - all of their settings stored in their registry profile will not be there either. It's not a good thing at ALL. So, make sure to unload the hive. It's very simple - click on the uppermost key of the hive - in my example, restrict_1 - and go File > Unload hive. Confirm the action. Then close the registry editor, log off, and log on as the restricted user. You should see all of the new settings now.


_________________________________________________________


At some point, I'll upload some examples of common things to restrict, and .reg files to accompany them, but this is "it" for now. I hope this is helpful to people! As usual, if there are any questions, or if anyone has any constructive criticism/ways to improve this tutorial, bring it on!

B)

Edited by Idontwantspam

Posted

Next up, I'm going to add some common things to restrict, as well as registry files to do so.

These will be in the following format:

Policy name

Description

registry location

registry entry to make

  • Enable policy:
  • Disable Policy:

.reg file

For the registry location, it will simply start with \(location) and will not specify which HKEY to use. You can use either HKCU for the current user or HKU\hivename for a loaded profile.

_________________________________________________________

Prevent access to the command prompt

Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.

\Software\Policies\Microsoft\Windows\System

DWORD value = DisableCMD

  • Disable policy: 0
  • Enable policy - batch files allowed: 1
  • Enable policy - no batch files: 2

_________________________________________________________

I have to go, but I'll add more later.
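As an added example (not the author's, and not the .reg files promised above), here is a PowerShell script that performs the first post's load / set / unload procedure with reg.exe and applies the two policies named on this page (DisableRegistryTools from the first post, DisableCMD from the second). The `<username>` profile path and the `restrict_1` hive name are placeholders you must adjust; the script assumes an administrative session and that the target user is not logged on.

```powershell
# Added example (not from the original post): apply per-user registry policies to an
# offline profile with reg.exe, and always unload the hive afterwards.
# Assumptions: run as an administrator; <username> is a placeholder; the target user is
# NOT logged on (reg.exe load fails when ntuser.dat is in use, which is the check we rely on).
$HiveName  = 'restrict_1'
$NtUserDat = 'C:\Documents and Settings\<username>\ntuser.dat'   # adjust for your system

# Policies taken from the post: key path relative to the loaded hive, value name, DWORD data.
$Policies = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Data = 1 }  # 1 = enabled
    @{ Path = 'Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Data = 2 }  # 2 = enabled, no batch files
)

& reg.exe load "HKU\$HiveName" $NtUserDat | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load $NtUserDat (is the user logged on, or is the path wrong?)"
}
try {
    foreach ($p in $Policies) {
        $key = "HKU\$HiveName\$($p.Path)"
        # reg add creates the intermediate keys (System, Explorer, ...) if they do not exist yet
        & reg.exe add $key /v $p.Name /t REG_DWORD /d $p.Data /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to set $($p.Name) under $key" }
        # Read the value back so the change is confirmed before the hive is unloaded
        & reg.exe query $key /v $p.Name
    }
}
finally {
    # CRITICAL (see the first post): the hive must be unloaded or the user logs on
    # without their profile settings.
    & reg.exe unload "HKU\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "HKU\$HiveName is still loaded; close regedit.exe and run: reg unload HKU\$HiveName"
    }
}
```

The same three reg.exe commands (load, add, unload) can be typed at a cmd.exe prompt one by one; the script only adds the try/finally so the unload step is never skipped.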
