• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 703
  • Last Modified:

Windows 7: deny access to product key through GPolicy

Hi,

we run Server 2008 R2 in a W7 enviroment.
When a W7 client goes for properties of the computer, nothing can be edited (that's supposed to be like that), except for the product key.

How can I disable access to product key through Group Policy ?

Kind regards,
0
KOV_VZW
Asked:
KOV_VZW
  • 3
  • 2
1 Solution
 
Rich RumbleSecurity SamuraiCommented:
The product key can be reversed (it's a base24 encoding), and when one does that, it's often the same key you find printed on the bottom of your laptop or the side of a computer if you ordered from someone like Dell or HP. The key resides in the registry, you could edit it certainly, but every Microsoft product displays the encoded product key. The encoded key will not work if a user gets a copy of the OS or Office, they'd have to decode the key and use that, which would allow them to install and the key would be re-encoded as the very same.
Also microsoft checks those registry keys to make sure the key is valid from time to time, I'm not sure there is an easy way to block them from being seen. The registry can be read by users in all sorts of places they can't otherwise write to, especially if they are not administrators, so I'm not sure you can block those keys. It may be possible to modify the code that displays them in certain programs, but I'm sure that isn't warrantied nor is if very effective because most of the "decoders" don't need any input from the user, they just read the registry directly.
I hope this is of some help...
-rich
0
 
☠ MASQ ☠Commented:
have you tried setting the registry location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
to read-only?
0
 
Rich RumbleSecurity SamuraiCommented:
Being able to read the key seems to be the problem... You'd want to deny the users access, but I'm not sure what repercussions this may have... Editing or removing the key will likely make it think it's not registered, but if a process that user launches checks, and it can't read it, it may report that to the OS, and the OS may think it's not registered, even if another process with another user (like system) can read the registry key.
-rich
0
 
Rich RumbleSecurity SamuraiCommented:
But this doesn't work, I've just tried it...
-rich
0
 
☠ MASQ ☠Commented:
KOV_VZW, did this work?  If it doesn't storing this as a solution won't help anyone else with the same problem.
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now