Disable Control Panel on Clients from Server


I'm running Windows 2000 Server, and I have about 20 clients in which I want to disable the Control Panel on all of them.  I created a new OU and named it "Disable Control Panel" added the users that I want to disable the control panel on.  And created the Group Policy to Enable "Disable Control Panel."  My question is when I log onto one of the client computers with one of the users name in the OU.  The Control Panel is still visible and I can still enter it.  But if I go to the Server and login in with one of the user names in the OU the control panel is disabled.  So it does work on the Server, but not on the client computers.  

I also ran secedit and gpupdate on both the client and server to see if the Group Policy would kick in but nothing.

Can someone please tell me what I'm doing wrong?

P.S. Clients are running either Windows 2000 Professional or XP Professional.

Thank you,
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Back up your registry !

This is a edit for denying access to the control panel for
*users on a machine
*or the entire system

Disable Control Panel Instuctions with Group Policy

Unfortunately you will be unable to deploy the action from the server unless you know how to write a script that will edit the registry on client machines. I Don't know of any! You will have to take the time and edit these machines by hand if you don't want them to have acces to these functions. but at least they can not change anything on the server side!

USER Accounts shouldn't be able to make system changes anyway!
do you have your client machines set up for special access on the system.

even quicker
edit one machine
open regedit
export registry file
selected branch


deploy this file on all client machines.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DaliSalv22Author Commented:
Thank you for your reply.

So the Group Policy feature in Windows 2000 server will only disable the control panel on the server for the users that directly login to the server?

So I have to change all my clients registry to disable the control panel, that's stinks.  I thought there was an easier way going through the server.

Thanks anyway,
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

Good luck
take care

Dear DaliSalv22,
I fell terrible that I have steered you in the improper direction
yet being able to edit the registry is great and usefull, it is definately not what you want to spend you time doing.

even if you edit the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
it wil only effect that user ONLY
and if you edit the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
it will only effect the NEW users added to the USER PROFILES LIST after the registry change.

As I said I feel terrible that I have steered you in a somewhat wrong direction that will ultimately get you nowhere.

please read this entire article about an international electronics company that used the OU to do just what your asking and much much more...

Designing and Implementing an Organizational Units:

feel free to post a request for refund of POINTS in The Community Support section if this article does not help you achieve your goals sucessfully.

unhappily appologetic
DaliSalv22Author Commented:
Hello, wtrmk74.

Don't worry about it, but I do appreciate you responding again with better articles to look at.  I did take a look at the articles that you listed above and they did help me out.  I finally got the the control panel disabled.  It worked two ways either adding the computer to the OU which has the disabled Control Panel policy in it, or having the user under the OU that has the disabled Control Panel policy in it and adding the user to be a member of "Domain Admins."  The Group Policy wouldn't work when the user was only a member of "Domain Users."  

I did run into another problem though, go figure!!  I applied other restrictions to the Group Policy such as disabling the "Properties" under My Computer, disabling access to Network Neighborhood and they all worked fine.  However, when I disabled access to regedit.exe and cmd.exe under the Group Policy it still lets me run both programs, while the other restrictions I set are still working fine.  Can't seem to figure out why these two restrictions don't work.  If you have any ideas what could be causing this, I'd appreciate your help.

Thanks again,
DaliSalv22Author Commented:
Hello, wtrmk74.

Well I figured out why it wasn't updating my Group Policy for the registry and cmd prompt.  I had to have my primary DNS pointing to my DNS Server where I have the Group Policy on.  I had it set up like and that's when my restrictions started working, but then I switched the DNS back to use the ISP DNS servers that's when it stopped working.  I didn't realize that's were the problem was coming from.  But then I saw Userenv errors in my Application Log, and I figured out it was the DNS.  It's always something so easy to figure out, but it took me awhile to realize what I have done wrong.  Oh well, live and learn.    

I am pleased to hear that everything is up and running smooth now. Glad the article helped solve those problems.
Getting everything pointed to the right place can certainly drive you crazy and yet it always seems the simplest solutions are always overlooked!

So I guess that's it then....

thanks for your patience
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.