by
Jeremy Canfield | Updated January 1st, 2017
These steps restrict access to the control panel using Group Policy on an individual computer, but not through a domain controller. This is practical if you only have a few computers in the network.
- Open an MMC:
- If using Windows 8 or above, right-click on the Windows Start icon, select run, type MMC, and press enter
- If using Windows 7 or below, left-click on the Windows Start icon, select run, type MMC, and press enter
- Select File > Add/Remove snap-in
- In the list of Available snap-ins, select Group Policy Object Editor and select Add
- In the Welcome to the Group Policy Wizard pop-up box, select Browse
- Select the Users tab
- Highlight Administrator and select OK
- Select Finish
- Select OK
- Expand Local Computer\\Administrator Policy > User Configuration > Administrative Templates, and select Control Panel
- Double-click Prohibit access to Control Panel and PC settings
- In the Prohibit access to Control Panel and PC settings pop-up box, select Enabled
- Select OK
Now, Administrator accounts will be able to access the Control Panel, and non-Administrator accounts will not be allowed access to the Control Panel.
If you have a large number of computers in the network, this is impractical and would be better done on in Active Directory:
Create a new Group Policy Object (GPO):
- In Server Manager, select Tools > Group Policy Management
- In Group Policy Management, right-click on Group Policy Objects > New
- In the New GPO pop-up box, let's name the GPO ControlPanel and select OK
Configure the GPO to restrict access to the Control Panel:
- Right-click on the ControlPanel GPO and select Edit
- Expand User Configuration > Administrative Templates, and select Control Panel
- Right-click on Prohibit access to Control Panel and PC settings and select Edit
- In the Prohibit access to Control Panel and PC settings pop-up box, select Enabled and select OK
We can now apply this GPO to another object. For example, if we have a Sales OU, we could right-click on the Sales OU, select Link an Existing GPO, and select the ControlPanel GPO.