Limiting access to the Control Panel.

ManBearPig

Diamond Member
Sep 5, 2000
9,173
6
81
Well, I've asked this Q before, and people recommended I use gpedit.msc to limit it. So, even though that's a computer-wide effect, which would make it be blocked for me too (the admin), I decided to use it. Well... that wasn't the best, but like I said, I wanted to use it... However, even though it's enabled, shortly after I enable it, it starts being accessible again.

Is there ANY way to block access to the Control Panel, preferably for only a limited account?
 

Bluestealth

Senior member
Jul 5, 2004
434
0
0
I guess you could do this by going to C:\Windows\System32 and changing security settings on control.exe to only allow access by users that you want. I am surprised that this feature locks even the Administrator out.
 

ManBearPig

I hate the Shared Computer Toolkit :( I'm using System Mechanic 5's features, which work only for admins and is much easier to use. Only it doesn't have this one feature. Thanks though.
 

NogginBoink

Diamond Member
Feb 17, 2002
5,322
0
0
What exactly do you want to restrict?

Most (if not all) of the control panels aren't usable by non-administrators anyway.

Yes, users can open the Control Panel folder, but I can't think of anything they can actually DO once they're in there if they're not admins. (Of course, I haven't put much thought into it.)
 

gsellis

Diamond Member
Dec 4, 2003
6,061
0
0
You can also apply ACLs to the appropriate MSC files, but it is a pain.
 

ManBearPig

OK, if I could get rid of that blue bar to the side of the folders (displays details, other links, size, etc.) I would be fine. Any ideas how?
 

Bluestealth

You mean folder tasks?
group policy,
User Configuration, Administrative Templates, Control Panel, Force classic Control Panel Style.

Don't know how to force this system wide, but per user you just go to tools, folder options, and select classic view.
 

gsellis

I just found a hint from my documentation that might help with ACLs if that is a route you choose.

Create a Security Template using the MMC plug-in. You will find the ability to define access rights to files as part of it. BUT - remember this is SID based. The set must be able to see the users, and it gets real tricky in a domain (read almost unsupportable).

Once you create the template (an INF), you can script it as part of an install.

' Set permissions to grant Authenticated User access for Change and Modify (System, Admin are Full Rights) via Security Template - localfiles.inf

' Create the shell object used to run the command
Set WshShell = CreateObject("WScript.Shell")

sRun = "cmd /c secedit /configure /DB " & Chr(34) & "c:\security\template\localfiles.sdb" & Chr(34) & " /CFG c:\security\template\localfiles.inf /verbose"

' Run secedit and wait for it to finish; nRtn receives its exit code
nRtn = WshShell.Run(sRun, 1, True)
 

NogginBoink

Originally posted by: Heen05
Thanks soooo much man. Is there any way to lock the folder options for an account?

No.

This is a user setting; the user gets to choose how s/he wants to view folders.

I suspect you're not telling us the full story of what you're really trying to accomplish here. Can you give us a bigger picture so that we can help you find appropriate strategies?
 

Bluestealth

Originally posted by: NogginBoink
Originally posted by: Heen05
Thanks soooo much man. Is there any way to lock the folder options for an account?

No.

This is a user setting; the user gets to choose how s/he wants to view folders.

I suspect you're not telling us the full story of what you're really trying to accomplish here. Can you give us a bigger picture so that we can help you find appropriate strategies?

Users are dangerous; you can't just let them free or they break everything :p
 

wlee

Senior member
Oct 10, 1999
585
0
71
It sounds like you want to prevent anyone from customizing their local workstation with its own "personality". I think you should prob look into setting up a Terminal Server (or Citrix *IF* you have the budget) for your troublemaker users. It's a lot easier to "murder the soul of humanity" in that environment (crush every last aspect of enjoyment from the computing experience). They only get to use the software that you publish for them.
 

NogginBoink

Originally posted by: wlee
It sounds like you want to prevent anyone from customizing their local workstation with its own "personality". I think you should prob look into setting up a Terminal Server (or Citrix *IF* you have the budget) for your troublemaker users. It's a lot easier to "murder the soul of humanity" in that environment (crush every last aspect of enjoyment from the computing experience). They only get to use the software that you publish for them.

Mandatory user profiles can accomplish this. (For the most part; users can make changes but they won't be saved and will revert back when the user logs off and back on.)
 

ManBearPig

Well... I don't want them to do anything I don't want them to do :D Like, no configuring any settings, ESPECIALLY not being able to access the Control Panel in the least bit, etc.
 

NogginBoink

Originally posted by: Heen05
Well... I don't want them to do anything I don't want them to do :D Like, no configuring any settings, ESPECIALLY not being able to access the Control Panel in the least bit, etc.

A non-administrator cannot make any machine-wide changes (for example, display resolution.)

A non-admin CAN make changes that affect only that user's profile.

That's the basic philosophy of Windows. Now, if you want to further limit what users are/are not able to do, you'll have to better define what you're trying to limit.

As for your Control Panel question: I challenge you to log on to Windows as a non-administrator and find out for yourself what the non-admins can and cannot do. I think you'll find that they're already quite limited in this regard.
 

gsellis

Originally posted by: ForumMaster
get a mac. it requires a password for anything that digs inside the OS too deep.
Thanks for the thread crap.

 

ivwshane

Lifer
May 15, 2000
33,541
17,060
136
Originally posted by: Heen05
Really? I was able to open up add/remove, but I didn't try adding or removing anything.


A lot of the stuff will let you go through the motions but when the user is limited it will pop up with an error.

Uninstalling with a limited account usually pops up a "you need administrative rights to perform this action" message. Some however look like program errors when the user tries to do something they aren't allowed to do.

To keep users from even accessing the control panel you can use group policies to hide the folder as well as any links or shortcuts to it. I would also remove the "run" option for the start menu so they can't just type in "control panel".
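
An added example, not part of the thread: the two user policies mentioned in the last post (hide the Control Panel, remove Run) written into one account's registry hive, so the restriction applies to the limited account only and not to the administrator. The account name `kiosk` and the scratch mount name `CplLockdown` are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: apply the Explorer user policies NoControlPanel and NoRun
# to ONE local account. 'kiosk' is a hypothetical account name.
param([string]$UserName = 'kiosk')

$subKey   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policies = 'NoControlPanel', 'NoRun'   # 1 = restriction enabled

# Resolve the account name to its SID, then look up its profile directory.
$sid = ([System.Security.Principal.NTAccount]$UserName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
$profileDir = (Get-ItemProperty `
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath

# A logged-on user's hive is already mounted under HKEY_USERS\<SID>.
# Otherwise mount NTUSER.DAT under a scratch name for the duration of the edit.
$root    = "HKEY_USERS\$sid"
$mounted = $false
if (-not (Test-Path "Registry::$root")) {
    $root = 'HKEY_USERS\CplLockdown'   # scratch mount point (assumed name)
    & reg.exe load $root (Join-Path $profileDir 'NTUSER.DAT') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load the hive for $UserName" }
    $mounted = $true
}

try {
    foreach ($name in $policies) {
        # reg.exe is used instead of the registry provider so no handle
        # stays open on the hive when it is unloaded below.
        & reg.exe add "$root\$subKey" /v $name /t REG_DWORD /d 1 /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to set $name" }
    }
    # Read the values back; re-run this query later to spot a setting
    # that has been reverted.
    & reg.exe query "$root\$subKey"
}
finally {
    if ($mounted) { & reg.exe unload $root | Out-Null }
}
```

Explorer reads these values at logon, so the account has to log off and back on before the change is visible.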