How to Restrict Control Panel Access with Group Policy
This post explains how to restrict control panel access with group policy. You will learn how to disable control panel access for specific users. I will also show you how to display only specific control panel items.
The control panel provides access to several different system settings. In a business network, you likely don’t want your users to be able to modify these settings. The good news is that you can use group policy to restrict access to the items in the control panel.
Restrict Control Panel Access via Group Policy
How to Disable Control Panel for Specific Users
In this example, I will disable the control panel for all users in the Sales OU.
Open the group policy management console.
Go to the OU where you want to restrict control panel access. Right-click and choose “Create a GPO in this domain, and Link it here”
Type the GPO name. I will name it “Access Control Panel”
Right-click on the created GPO and select edit.
Browse to:
User Configuration\Policies\Administrative Templates\Control Panel
Double-click to open the policy “Prohibit access to Control Panel and PC Settings”.
Select Enabled to enable this policy and click on OK.
I will log onto a computer and verify that access to the control panel is blocked.
Type the command:
gpupdate /force
I’m logged into the computer as a user in the Sales OU. When trying to access the control panel, the user receives the message below.
If someone logs into a computer in a different OU, they still have access to the control panel.
If you want to apply this policy to specific users in different OUs, you need to use group policy filtering.
Show Only Specified Control Panel Items
If you want users to have access to only specific control panel items, follow these instructions.
Open the group policy management console.
Right-click on an OU and select “Create a GPO in this domain, and Link it here”
Give the GPO a name, such as “Limit Control Panel Items”.
Now, right-click on the created GPO and select edit.
Browse to:
User Configuration\Policies\Administrative Templates\Control Panel
Double-click to open the policy “Show only specified Control Panel items”.
Click on Enabled and click on the Show button.
To display a control panel item, you must enter the control panel item’s canonical name.
Refer to the Microsoft Canonical names of control panel items to see a full list of canonical names.
I will allow access to devices and printers and Internet options.
Devices and Printers
Canonical name: Microsoft.DevicesAndPrinters
GUID: {A8A91A66-3A7D-4424-8D24-04E180695C7A}
Supported OS: Windows 7, Windows 8, Windows 8.1
Module name: @%systemroot%\system32\DeviceCenter.dll,-1000
Internet Options
Canonical name: Microsoft.InternetOptions
GUID: {A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}
Supported OS: Windows Vista, Windows 7, Windows 8, Windows 8.1
Module name: @C:\Windows\System32\inetcpl.cpl,-4312
I will then insert the canonical names into the GPO settings.
Click OK and OK again.
Log in to your computer and update the group policy with the command below.
gpupdate /force
When the user opens the control panel, they can only access the items listed in the GPO.
In the example below, the user only has access to the devices and printers and internet options control panel items.
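To confirm from the user's session that either policy in this article has applied after gpupdate /force, you can read the values the two settings write to the user's registry. This is an added example, not part of the original article; the function name Get-ControlPanelPolicyState is hypothetical, and the registry locations are not given in the article but are where the Control Panel administrative template stores these settings.

```powershell
# Added example: report which Control Panel restrictions are active for the
# signed-in user. Run it in that user's session after "gpupdate /force".
# Assumption: both settings live under the per-user Explorer policy key.
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ControlPanelPolicyState {
    param(
        # Canonical names the "Limit Control Panel Items" GPO is expected to allow.
        [string[]]$ExpectedItems = @('Microsoft.DevicesAndPrinters', 'Microsoft.InternetOptions')
    )

    $explorer = Get-ItemProperty -Path $ExplorerPolicy -ErrorAction SilentlyContinue

    # "Prohibit access to Control Panel and PC Settings" -> NoControlPanel = 1
    $blocked = $null -ne $explorer -and $explorer.NoControlPanel -eq 1
    # "Show only specified Control Panel items" -> RestrictCpl = 1
    $restricted = $null -ne $explorer -and $explorer.RestrictCpl -eq 1

    $allowed = @()
    $missing = @()
    $unexpected = @()
    if ($restricted) {
        # Allowed items are string values (named 1, 2, ...) in the RestrictCpl subkey.
        $listKey = Get-Item -Path "$ExplorerPolicy\RestrictCpl" -ErrorAction SilentlyContinue
        if ($listKey) {
            $allowed = @($listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) })
        }
        # Compare what the GPO should allow with what actually reached this user.
        $missing = @($ExpectedItems | Where-Object { $_ -notin $allowed })
        $unexpected = @($allowed | Where-Object { $_ -notin $ExpectedItems })
    }

    [pscustomobject]@{
        User            = "$env:USERDOMAIN\$env:USERNAME"
        ControlPanelOff = $blocked
        AllowListActive = $restricted
        AllowedItems    = $allowed
        MissingItems    = $missing
        UnexpectedItems = $unexpected
    }
}

Get-ControlPanelPolicyState | Format-List
```

If both ControlPanelOff and AllowListActive are False for a user who should be restricted, gpresult /r /scope user lists the GPOs applied to that user and shows whether the GPO linked to the OU was picked up at all.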