DaliSalv22
asked on
Disable Control Panel on Clients from Server
Hello
I'm running Windows 2000 Server, and I have about 20 clients in which I want to disable the Control Panel on all of them. I created a new OU and named it "Disable Control Panel" added the users that I want to disable the control panel on. And created the Group Policy to Enable "Disable Control Panel." My question is when I log onto one of the client computers with one of the users name in the OU. The Control Panel is still visible and I can still enter it. But if I go to the Server and login in with one of the user names in the OU the control panel is disabled. So it does work on the Server, but not on the client computers.
I also ran secedit and gpupdate on both the client and server to see if the Group Policy would kick in but nothing.
Can someone please tell me what I'm doing wrong?
P.S. Clients are running either Windows 2000 Professional or XP Professional.
Thank you,
DaliSalv22
I'm running Windows 2000 Server, and I have about 20 clients in which I want to disable the Control Panel on all of them. I created a new OU and named it "Disable Control Panel" added the users that I want to disable the control panel on. And created the Group Policy to Enable "Disable Control Panel." My question is when I log onto one of the client computers with one of the users name in the OU. The Control Panel is still visible and I can still enter it. But if I go to the Server and login in with one of the user names in the OU the control panel is disabled. So it does work on the Server, but not on the client computers.
I also ran secedit and gpupdate on both the client and server to see if the Group Policy would kick in but nothing.
Can someone please tell me what I'm doing wrong?
P.S. Clients are running either Windows 2000 Professional or XP Professional.
Thank you,
DaliSalv22
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for your reply.
So the Group Policy feature in Windows 2000 server will only disable the control panel on the server for the users that directly login to the server?
So I have to change all my clients registry to disable the control panel, that's stinks. I thought there was an easier way going through the server.
Thanks anyway,
DaliSalv22
So the Group Policy feature in Windows 2000 server will only disable the control panel on the server for the users that directly login to the server?
So I have to change all my clients registry to disable the control panel, that's stinks. I thought there was an easier way going through the server.
Thanks anyway,
DaliSalv22
Good luck
take care
wtrmk74
take care
wtrmk74
Dear DaliSalv22,
I fell terrible that I have steered you in the improper direction
yet being able to edit the registry is great and usefull, it is definately not what you want to spend you time doing.
even if you edit the HKEY_CURRENT_USER\Software
it wil only effect that user ONLY
and if you edit the HKEY_LOCAL_MACHINE\Softwar
it will only effect the NEW users added to the USER PROFILES LIST after the registry change.
As I said I feel terrible that I have steered you in a somewhat wrong direction that will ultimately get you nowhere.
please read this entire article about an international electronics company that used the OU to do just what your asking and much much more...
Designing and Implementing an Organizational Units:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/deploymentscenarios/scenarios/ou_design_implement_ou_structure.asp
feel free to post a request for refund of POINTS in The Community Support section if this article does not help you achieve your goals sucessfully.
unhappily appologetic
wtrmk74
I fell terrible that I have steered you in the improper direction
yet being able to edit the registry is great and usefull, it is definately not what you want to spend you time doing.
even if you edit the HKEY_CURRENT_USER\Software
it wil only effect that user ONLY
and if you edit the HKEY_LOCAL_MACHINE\Softwar
it will only effect the NEW users added to the USER PROFILES LIST after the registry change.
As I said I feel terrible that I have steered you in a somewhat wrong direction that will ultimately get you nowhere.
please read this entire article about an international electronics company that used the OU to do just what your asking and much much more...
Designing and Implementing an Organizational Units:
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/deploymentscenarios/scenarios/ou_design_implement_ou_structure.asp
feel free to post a request for refund of POINTS in The Community Support section if this article does not help you achieve your goals sucessfully.
unhappily appologetic
wtrmk74
ASKER
Hello, wtrmk74.
Don't worry about it, but I do appreciate you responding again with better articles to look at. I did take a look at the articles that you listed above and they did help me out. I finally got the the control panel disabled. It worked two ways either adding the computer to the OU which has the disabled Control Panel policy in it, or having the user under the OU that has the disabled Control Panel policy in it and adding the user to be a member of "Domain Admins." The Group Policy wouldn't work when the user was only a member of "Domain Users."
I did run into another problem though, go figure!! I applied other restrictions to the Group Policy such as disabling the "Properties" under My Computer, disabling access to Network Neighborhood and they all worked fine. However, when I disabled access to regedit.exe and cmd.exe under the Group Policy it still lets me run both programs, while the other restrictions I set are still working fine. Can't seem to figure out why these two restrictions don't work. If you have any ideas what could be causing this, I'd appreciate your help.
Thanks again,
DaliSalv22
Don't worry about it, but I do appreciate you responding again with better articles to look at. I did take a look at the articles that you listed above and they did help me out. I finally got the the control panel disabled. It worked two ways either adding the computer to the OU which has the disabled Control Panel policy in it, or having the user under the OU that has the disabled Control Panel policy in it and adding the user to be a member of "Domain Admins." The Group Policy wouldn't work when the user was only a member of "Domain Users."
I did run into another problem though, go figure!! I applied other restrictions to the Group Policy such as disabling the "Properties" under My Computer, disabling access to Network Neighborhood and they all worked fine. However, when I disabled access to regedit.exe and cmd.exe under the Group Policy it still lets me run both programs, while the other restrictions I set are still working fine. Can't seem to figure out why these two restrictions don't work. If you have any ideas what could be causing this, I'd appreciate your help.
Thanks again,
DaliSalv22
ASKER
Hello, wtrmk74.
Well I figured out why it wasn't updating my Group Policy for the registry and cmd prompt. I had to have my primary DNS pointing to my DNS Server where I have the Group Policy on. I had it set up like and that's when my restrictions started working, but then I switched the DNS back to use the ISP DNS servers that's when it stopped working. I didn't realize that's were the problem was coming from. But then I saw Userenv errors in my Application Log, and I figured out it was the DNS. It's always something so easy to figure out, but it took me awhile to realize what I have done wrong. Oh well, live and learn.
DaliSalv22
Well I figured out why it wasn't updating my Group Policy for the registry and cmd prompt. I had to have my primary DNS pointing to my DNS Server where I have the Group Policy on. I had it set up like and that's when my restrictions started working, but then I switched the DNS back to use the ISP DNS servers that's when it stopped working. I didn't realize that's were the problem was coming from. But then I saw Userenv errors in my Application Log, and I figured out it was the DNS. It's always something so easy to figure out, but it took me awhile to realize what I have done wrong. Oh well, live and learn.
DaliSalv22
Hello,
I am pleased to hear that everything is up and running smooth now. Glad the article helped solve those problems.
Getting everything pointed to the right place can certainly drive you crazy and yet it always seems the simplest solutions are always overlooked!
So I guess that's it then....
thanks for your patience
wtrmk74
I am pleased to hear that everything is up and running smooth now. Glad the article helped solve those problems.
Getting everything pointed to the right place can certainly drive you crazy and yet it always seems the simplest solutions are always overlooked!
So I guess that's it then....
thanks for your patience
wtrmk74
This is a edit for denying access to the control panel for
*users on a machine
*or the entire system
http://www.winguides.com/registry/display.php/543/
Disable Control Panel Instuctions with Group Policy
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/143.asp
Unfortunately you will be unable to deploy the action from the server unless you know how to write a script that will edit the registry on client machines. I Don't know of any! You will have to take the time and edit these machines by hand if you don't want them to have acces to these functions. but at least they can not change anything on the server side!
USER Accounts shouldn't be able to make system changes anyway!
do you have your client machines set up for special access on the system.
wtrmk74