Presuming (i.e. not provided) clients are 2k pro or XP and patched to the current levels. Domain not workgroup, or GP is not available for this purpose. You have run the security template for the MMC (Microsoft Management Console). Google ‘Disable Control Panel’, which would have led to this:
In Group Policy under ‘userconfiguration’, under ‘administrativetemplates’,in the section ‘Startup & Taskbar’ make your change.
Are you wanting to do this in a win2k or win2k3 Active Directory environment? And with win2k or XP PC’s
There are differences in the GPO’s between win2000 and win2003 domains. There is alot more controls added to win2003.
If so, it is real easy using GPO’s. I do not knwo what your level of knowledge is with AD, so I will give you a little background. GPO’s can be linked to Organizational Units (OU’s), such as the Users folder under Active Directory. Your domain under Active Directory has it’s own default GPO that is applied to all users. It is not recommended that you change this policy, all though you could. If you would like to create policies that are going to effect all users, it would be better to create a new GPO and link it to the domain. The good thing about OU’s is that you can break your organization up into fucntional or departmentatl levels, such as Accounting, HR, Customer Support and so on and apply different GPO’s to each OU giving more or less or different restrictions.
To get to the meat of the matter and blocking acces to the control panel. Open your GPO and go to User Configuration/Administrative Templates/Windows Components/Control Panel
Once there your can control various aspects of Control panel, or you can just block access to it all together.
There is so many things that you can do with GPO’s. You can completely lock down a desktop and only allow a user to have on there desktop what you allow. I do this with some 60-70 terminal services clients accross 42 OU’s and 42 GPO’s
A good reference for group policy in win2k3
I have done all the settings using dsa.msc on an particular OU.
I could create a GPO and then I made some changes in user configuration like “prohibit access to control panel” remove run command from the start menu etc.
After applying the changes I logged in to the XP pro machine as a normal user. But I still can see and use run command in start menu and still able to access control panel and its components.
Is there anyone who can put some light on this.
PS : I also tried gpupdate / force command from command prompt to get my machine updated. Doesn’t work at all.
Thanks in advance.
Manumaha, you could use GPRESULT on the client machine, to check what policies (if any) have been applied.