Avatar of Jaime Campos
Jaime Campos
Flag for United States of America asked on

How do you setup a GPO to remove control panel and not apply it to admin account?

Hello,

I'm trying to setup a Global GPO to remove control panel from everyones system, but I do not want to affect my IT department Group or administrator accounts. How can I accomplish this through my GPO editor?

Thanks,

nimdatx
Active DirectoryWindows Server 2008

Avatar of undefined
Last Comment
arifkayaca

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Paul MacDonald

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ProtechCT

Setup the gpo in the container that contains the user accounts you want it appliad to.  Make sure the admin account is not listed in the container.  For my purposes all the admin accounts are in a container where ther are no GPO's applied.
itwebpros

Create a new group policy object.  Under the User Configuration settings, Administrative Templates, Control panel...restrict access to the control panel.  THEN under delegation you can set permission to which groups inherit the policy.  You can exclude your IT Department from inheriting it.
arifkayaca

Download GPMC (group policy management console) and install it to your DC.

Open run,type gpmc.msc.

In GPMC, Expand your forest name,domains,your domain name and right click your domain name select 'Create and Link a GPO here' tab for create your Global GPO.

When finish creating policy, select this policy > select delegation > advanced > select add and add your IT dept group and admin account here and clear 'Apply Group Policy' check box. > OK


I hope this will work, good luck.



I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Jaime Campos

ASKER
Ok, now how do I test if this policy is affective? Some users can still see control panel even when I applied on the root.
Paul MacDonald

It may take a few minutes to propogate among your domain controllers, but after 15 minutes or so the policy should be in effect.  Then just have them log off and log back in again.
Jaime Campos

ASKER
Is their a cmd I can run that will tell me which GPOs are active?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Paul MacDonald

GPResult /R
Paul MacDonald

RSOP is the graphical version of that.
arifkayaca

open run type gpupdate /force


good luck.
Your help has saved me hundreds of hours of internet surfing.
fblack61
Jaime Campos

ASKER
I ran cmd and this is what I got:
------------------------------------------
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\nimda>gpresult /r

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 8/11/2011 at 12:23:01 PM


RSOP data for RAPA\nimda on FILESERVER2 : Logging Mode
-------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  6.1.7601
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\nimda
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=FILESERVER2,OU=Domain Controllers,DC=RAPA,DC=local
    Last time Group Policy was applied: 8/11/2011 at 12:21:21 PM
    Group Policy was applied from:      Fileserver2.RAPA.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        RAPA
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Cannot change time

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Logon Script Map Drives
            Filtering:  Not Applied (Empty)

        Internet History
            Filtering:  Denied (Security)

        Home Page
            Filtering:  Not Applied (Empty)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        My Documents Redirect
            Filtering:  Not Applied (Empty)

        Internet Options
            Filtering:  Denied (Security)

        Default Domain Policy
            Filtering:  Disabled (Link)

        Remove Control Panel
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        FILESERVER2$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        System Mandatory Level


USER SETTINGS
--------------
    CN=nimda,OU=IT Department,OU=Business Office,DC=RAPA,DC=local
    Last time Group Policy was applied: 8/11/2011 at 12:21:21 PM
    Group Policy was applied from:      Fileserver2.RAPA.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        RAPA
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Home Page
        Logon Script Map Drives
        My Documents Redirect

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Internet History
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

        Internet Options
            Filtering:  Denied (Security)

        MAS90
            Filtering:  Not Applied (Empty)

        Remove Control Panel
            Filtering:  Denied (Security)

        Cannot change time
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        Terminal Server License Servers
        Remote Desktop Users
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        Windows Authorization Access Group
        REMOTE INTERACTIVE LOGON
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Accounting
        Domain Admins
        Administrator
        Group Policy Creator Owners
        Admin Staff
        Exchange View-Only Administrators
        Exchange Recipient Administrators
        Exchange View-Only Administrators1
        Exchange Organization Administrators
        Exchange Public Folder Administrators1
        Exchange Recipient Administrators1
        Exchange Servers
        Exchange Public Folder Administrators
        Exchange Organization Administrators1
        Exchange Trusted Subsystem
        Enterprise Admins
        Exchange Servers1
        Schema Admins
        Terminal Server Computers
        High Mandatory Level
Paul MacDonald

The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
...
        Remove Control Panel
            Filtering:  Denied (Security)


So either something's not set right or you're running the command as a person/machine to which the policy doesn't apply.
Jaime Campos

ASKER
I'm running it on my admin account on DC server.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SOLUTION
arifkayaca

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Jaime Campos

ASKER
Ok. I did authenticated users, but I'm trying to exclude administrator. How do i exclude my IT department? I went to Delegation and not sure what it means.

Thanks,

nimdatx
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.