Jump to content

Disabling Group Policy restrictions through the registry

SutherlandAndrew
 Share

Recommended Posts

SutherlandAndrew

SutherlandAndrew

Posted
Posted

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------

[Version]

Signature= "$Windows NT$"

[DefaultInstall]

DelReg=DelValues

[DelValues]

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"

HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"

HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"

HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"

HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew


Plamdi

Plamdi

Posted
Posted
I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

Nice contribution.
  • 5 weeks later...
  • 3 months later...
Idontwantspam

Idontwantspam

Posted
Posted (edited)

Help me!!

I am using this information to disable the task manager, lock computer and change password from certain user accounts. I read in the excel document that I should go to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword

I go as far as "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\", but then I don't know what to do next. What do I need to create to do this? The options I see under the Policies "folder" are "(Default)" and a folder called "Explorer" which has only "(Default)" and "NoDriveTypeAutoRun". So what do I need to add here? Help me please, someone!

UPDATE:

OK, I have everything there, but nothing seems to be happening. I used DWORD values - was that right? Do I need to set their values to 1 or someting like that? Not seeing any effect...

Edited by Idontwantspam
  • 3 years later...
ShesABMJ

ShesABMJ

Posted
Posted

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------

[Version]

Signature= "$Windows NT$"

[DefaultInstall]

DelReg=DelValues

[DelValues]

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"

HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"

HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"

HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"

HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

  • 2 years later...
pat2

pat2

Posted
Posted (edited)

Andrew Sutherland, this is Michele from Italy!

YOU ARE GREAT!! WONDERFULL TWEAK!!! I WAS SEARCHING ON INTERNET SURE IT WAS AN ANGEL WITH THE RIGHT ANSWER. iT'S YOU!

ciao

Note: where do i could download the excel file you are mentioning in the post?

Please, if you want you could send me to -removed-

thaaaaaaaaaaanks

Edited by pat2

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...