Solved

Disable Control Panel on Clients from Server

Posted on 2003-11-14
8
757 Views
Last Modified: 2012-05-04
Hello

I'm running Windows 2000 Server, and I have about 20 clients in which I want to disable the Control Panel on all of them.  I created a new OU and named it "Disable Control Panel" added the users that I want to disable the control panel on.  And created the Group Policy to Enable "Disable Control Panel."  My question is when I log onto one of the client computers with one of the users name in the OU.  The Control Panel is still visible and I can still enter it.  But if I go to the Server and login in with one of the user names in the OU the control panel is disabled.  So it does work on the Server, but not on the client computers.  

I also ran secedit and gpupdate on both the client and server to see if the Group Policy would kick in but nothing.

Can someone please tell me what I'm doing wrong?

P.S. Clients are running either Windows 2000 Professional or XP Professional.

Thank you,
DaliSalv22
0
Comment
Question by:DaliSalv22
  • 5
  • 3
8 Comments
 
LVL 7

Expert Comment

by:wtrmk74
Comment Utility
Back up your registry !

This is a edit for denying access to the control panel for
*users on a machine
*or the entire system
http://www.winguides.com/registry/display.php/543/

Disable Control Panel Instuctions with Group Policy
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/143.asp

Unfortunately you will be unable to deploy the action from the server unless you know how to write a script that will edit the registry on client machines. I Don't know of any! You will have to take the time and edit these machines by hand if you don't want them to have acces to these functions. but at least they can not change anything on the server side!

USER Accounts shouldn't be able to make system changes anyway!
do you have your client machines set up for special access on the system.

wtrmk74
0
 
LVL 7

Accepted Solution

by:
wtrmk74 earned 250 total points
Comment Utility
even quicker
edit one machine
open regedit
export registry file
selected branch

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

deploy this file on all client machines.

wtrmk74
0
 

Author Comment

by:DaliSalv22
Comment Utility
Thank you for your reply.

So the Group Policy feature in Windows 2000 server will only disable the control panel on the server for the users that directly login to the server?


So I have to change all my clients registry to disable the control panel, that's stinks.  I thought there was an easier way going through the server.

Thanks anyway,
DaliSalv22  
0
 
LVL 7

Expert Comment

by:wtrmk74
Comment Utility
Good luck
take care


wtrmk74
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 7

Expert Comment

by:wtrmk74
Comment Utility
Dear DaliSalv22,
I fell terrible that I have steered you in the improper direction
yet being able to edit the registry is great and usefull, it is definately not what you want to spend you time doing.

even if you edit the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
it wil only effect that user ONLY
and if you edit the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
it will only effect the NEW users added to the USER PROFILES LIST after the registry change.

As I said I feel terrible that I have steered you in a somewhat wrong direction that will ultimately get you nowhere.

please read this entire article about an international electronics company that used the OU to do just what your asking and much much more...

Designing and Implementing an Organizational Units:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/deploymentscenarios/scenarios/ou_design_implement_ou_structure.asp

feel free to post a request for refund of POINTS in The Community Support section if this article does not help you achieve your goals sucessfully.

unhappily appologetic
wtrmk74
0
 

Author Comment

by:DaliSalv22
Comment Utility
Hello, wtrmk74.

Don't worry about it, but I do appreciate you responding again with better articles to look at.  I did take a look at the articles that you listed above and they did help me out.  I finally got the the control panel disabled.  It worked two ways either adding the computer to the OU which has the disabled Control Panel policy in it, or having the user under the OU that has the disabled Control Panel policy in it and adding the user to be a member of "Domain Admins."  The Group Policy wouldn't work when the user was only a member of "Domain Users."  

I did run into another problem though, go figure!!  I applied other restrictions to the Group Policy such as disabling the "Properties" under My Computer, disabling access to Network Neighborhood and they all worked fine.  However, when I disabled access to regedit.exe and cmd.exe under the Group Policy it still lets me run both programs, while the other restrictions I set are still working fine.  Can't seem to figure out why these two restrictions don't work.  If you have any ideas what could be causing this, I'd appreciate your help.

Thanks again,
DaliSalv22  
0
 

Author Comment

by:DaliSalv22
Comment Utility
Hello, wtrmk74.

Well I figured out why it wasn't updating my Group Policy for the registry and cmd prompt.  I had to have my primary DNS pointing to my DNS Server where I have the Group Policy on.  I had it set up like and that's when my restrictions started working, but then I switched the DNS back to use the ISP DNS servers that's when it stopped working.  I didn't realize that's were the problem was coming from.  But then I saw Userenv errors in my Application Log, and I figured out it was the DNS.  It's always something so easy to figure out, but it took me awhile to realize what I have done wrong.  Oh well, live and learn.    

DaliSalv22
0
 
LVL 7

Expert Comment

by:wtrmk74
Comment Utility
Hello,
I am pleased to hear that everything is up and running smooth now. Glad the article helped solve those problems.
Getting everything pointed to the right place can certainly drive you crazy and yet it always seems the simplest solutions are always overlooked!

So I guess that's it then....

thanks for your patience
wtrmk74
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now