Deny access to Windows system properties with GPOs
Question: How can I prevent my users from accessing system properties with an Active Directory Group Policy Object (GPO)?
Brad Dinerman's answer: There are various options to accomplish your goal. In Group Policy, you can set the option to
prevent access to any control panel applet, which would include the system properties. You would do this within User Configuration > Administrative Templates > Control Panel, and then enable the option to Prohibit Access to the Control Panel.
If that option is too restrictive, however, you can set NTFS permissions just on the control panel applet (sysdm.cpl) by creating a GPO with settings at Computer Configuration > Windows Settings > Security Settings > File System. Right click on File System, select Add File, and then browse to c:windowssystem32sysdm.cpl. Set the permissions to deny read access for the desired users and then make certain that you apply the GPO to the appropriate OU.
This was first published in February 2008
Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.