  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2991

Disable the device manager

Hi,
I'm looking for a way (registry changes via script or via GPO) to prevent users from entering the Device Manager. The users are local admins on their machines.
Any way?
0
johnnyjonathan
1 Solution
 
victorjones1 Commented:
You can prohibit access to Control Panel, force the classic Windows theme (which will remove My Computer from the Start menu), and also remove My Computer from the desktop via Group Policy. Doing so will not remove access to Device Manager, but it will limit their way of access to the Run button.
0
 
victorjones1 Commented:
As long as they do not know the .msc name for the management console or device manager then they will not be able to access it.

What are they doing to their devices, and why aren't you taking disciplinary action against them for intentionally damaging their PCs?
0
 
johnnyjonathan (Author) Commented:
I can block access to the .msc file in \system32
But if they click on My Computer - Manage, then they can access it again....
And it's not the users' or my choice, it's the company's new policy, go figure ;)
 
0
 
victorjones1 Commented:
Using Group Policy you can Block Control Panel Access:

User Configuration | Administrative Templates | Control Panel | Prohibit access to the Control Panel

Force the Classic Start Menu (which removes My Computer)

User Configuration | Administrative Templates | Start Menu and Taskbar | Force Classic Start Menu

Forcibly remove the My Computer icon from the Desktop

User Configuration | Administrative Templates | Desktop | Remove My Computer icon on the desktop
0
 
victorjones1 Commented:
These settings will block all access (that I know of) to the management console and its components EXCEPT via the run command on the start menu (you could forcibly remove Run from the start menu too).
0
 
victorjones1 Commented:
To forcibly remove Run:

User Configuration | Administrative Templates | Desktop | Remove Run Menu from Start Menu
0
 
sirbounty Commented:
Easy way to do it...two startup lines:

Note - this will prevent any mmc applet from loading - not just device manager, but it will prevent the right-click My Computer, Manage route...
rem /f overwrites without prompting, so the lines can run at every startup
reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\mmc.exe" /f
reg add "hklm\software\microsoft\windows nt\currentversion\image file execution options\mmc.exe" /v Debugger /d " " /f

0
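An added example, not part of the original thread or any poster's answer: a PowerShell version of the two reg add lines above that can also report which executables carry an Image File Execution Options Debugger value and roll the mmc.exe block back. The function names are made up for this example, and it assumes an elevated session.

```powershell
# Added example: audit, apply and roll back the IFEO "Debugger" block for mmc.exe.
# Function names are hypothetical; run from an elevated PowerShell prompt.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # List every image name under IFEO that carries a Debugger value.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = $_.GetValue('Debugger', $null)
        if ($null -ne $dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Set-MmcBlock {
    # Same effect as the two reg add lines: Debugger is set to a single space.
    $key = Join-Path $IfeoRoot 'mmc.exe'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Debugger' -Value ' ' -Type String
}

function Remove-MmcBlock {
    # Roll back: delete only the Debugger value, leave the rest of the key alone.
    $key = Join-Path $IfeoRoot 'mmc.exe'
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

function Test-MmcBlock {
    # True when mmc.exe currently has a Debugger value.
    [bool](Get-IfeoDebugger | Where-Object { $_.Image -ieq 'mmc.exe' })
}

# Report the current state without changing anything.
Get-IfeoDebugger | Format-Table -AutoSize
"mmc.exe blocked: $(Test-MmcBlock)"
```

Because the users in this thread are local admins, they can delete the value themselves, so running Test-MmcBlock from a scheduled check shows whether the block is still in place.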
 
astralcomputing Commented:
Even though they are local admins, this should not override the group policy on the domain. Restrict access through the group policy and apply it to the users, otherwise you may have trouble if you need to access the device manager later.
0
 
victorjones1 Commented:
Create a New Organizational Unit in group policy for this setup.  If you apply it to the Default Domain Policy the policy may affect the Administrator login too.
0
 
johnnyjonathan (Author) Commented:
Looks like it's the best and most complete way, thanks!
0
 
sirbounty Commented:
Glad I could help - thanx for the grade! :^)
0
