Jump to content

Disabling Group Policy restrictions through the registry


Recommended Posts

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------

[Version]

Signature= "$Windows NT$"

[DefaultInstall]

DelReg=DelValues

[DelValues]

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"

HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"

HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"

HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"

HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

Link to comment
Share on other sites


I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

Nice contribution.
Link to comment
Share on other sites

  • 5 weeks later...
  • 3 months later...

Help me!!

I am using this information to disable the task manager, lock computer and change password from certain user accounts. I read in the excel document that I should go to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword

I go as far as "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\", but then I don't know what to do next. What do I need to create to do this? The options I see under the Policies "folder" are "(Default)" and a folder called "Explorer" which has only "(Default)" and "NoDriveTypeAutoRun". So what do I need to add here? Help me please, someone!

UPDATE:

OK, I have everything there, but nothing seems to be happening. I used DWORD values - was that right? Do I need to set their values to 1 or someting like that? Not seeing any effect...

Edited by Idontwantspam
Link to comment
Share on other sites

  • 3 years later...

This info is the truth! This saved the remainder of my day. SO grateful to you... :thumbup

I have found this information very valuable from time to time, especially when you (as a system admin) are logged into a PC as one of your restricted users, and have to do something as them. (ie. edit the registry, install a program - something that relies on the HKCU etc)

As you probably know, group policies are set by changing keys and values in the registry. Machine specific GPs are in the HKLM and user specific GPs are in the HKCU. I've attached an excel document from Microsoft, detailing what reg key reflects what GP, with a description. (very handy)

As well, I custom wrote an INF file to temperarily remove group policy effects. Copy the below text to a txt file, and save it as <whatever>.inf

Because it is an INF file and not a REG file, when you right-click and choose Install, it will bypass any "disallow registry editing tools" policy, (whereas a .reg file will not) and also immediately refresh the explorer after its done. (so you dont even have to log off and back on). **note, you WILL need admin access wherever you run this INF.

These are the most common GP's that I find I come across. Such items like getting back your MANAGE context menu item, your RUN command, access to all the CPLs (control panel items), access to the registry, access to the CMD prompt, access to the MMCs.....etc

-------------copy here---------------

[Version]

Signature= "$Windows NT$"

[DefaultInstall]

DelReg=DelValues

[DelValues]

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl"

HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

HKCU, "Software\Policies\Microsoft\MMC","RestrictAuthorMode"

HKCU, "Software\Policies\Microsoft\MMC","RestrictToPermittedSnapins"

HKCU, "Software\Policies\Microsoft\Windows\System","DisableCMD"

HKCU, "Software\Policies\Microsoft\Internet Explorer\Control Panel"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoRun"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWindowsUpdate"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","ConfirmFileDelete"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoSMConfigurePrograms"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoWebServices"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","NoManageMyComputerVerb"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer","RestrictCpl"

HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced","Hidden"

---------end copy here----------

**** note, once you log off and back on, the group policy will refresh itself and any of these changes are lost. To make them permanent, all you have to do is: edit the registry, right click the key that contains the value(s) above, right-click and go to "Permissions", and remove ALL user/groups from there EXCEPT your own account. That way, when GP attempts to write the values back in next time, it won't have permission to and will just skip them. Neat huh? :whistle:

I hope this post is valuable to someone - I know it would have been for me. That's my first contribution to the site :) -if this is the wrong forum location, can someone pls move it for me. thanks!

Andrew

Link to comment
Share on other sites

  • 2 years later...

Andrew Sutherland, this is Michele from Italy!

YOU ARE GREAT!! WONDERFULL TWEAK!!! I WAS SEARCHING ON INTERNET SURE IT WAS AN ANGEL WITH THE RIGHT ANSWER. iT'S YOU!

ciao

Note: where do i could download the excel file you are mentioning in the post?

Please, if you want you could send me to -removed-

thaaaaaaaaaaanks

Edited by pat2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...