Prevent user running regedit.exe, gpedit.msc etc.

  • Thread starter Thread starter Tosca
  • Start date Start date
T

Tosca

Hello

I have XP Pro SP2 (single laptop) and know that I can take "Run" out of the
Start menu. That will deter some from accessing regedit, gpedit.msc etc.
but I know there are several workarounds such as creating a batch file or
html page to run them or have a copy on a USB memory stick and run them from
there. Are there any settings that will allow me to prevent their being run
AT ALL? I suspect that it might be in GP Editor itself and I wonder if it
could be modified without having to access gpedit.msc (VBS, for instance?).
Alternatively, there might be a registry setting that can be altered. I
know that this could be reset without having to access the registry editor
but I also know that there are third party registry editors available. I
guess there may be no ABSOLUTE way to prevent their being run (even deleting
them!) but I want to make it as inconventient as possible - unless the user
knew the *only* solution.

Any ideas from experts oin the field?
 
If your computer is a domain member(Active Directory), and the user is
to...its the answer is Group Policyes(GPO).
If its not, the answer is still gpo, but not quit that easy...since ypu risk
applying the settings to alle the users on the laptop, included the admin..

If you run - gpedit.msc - yuo can se the options that are on your local
computer. If the computer is a domain member this settings can be overrided
by the gpo from the domain controller/OU.....
Test a bit there and you will soon know what its about....
But be carefull not to lock yourself out...
 
Hi Lynx

The computer is stand alone, but I can make it part of a home network.

I guessed there'd be a risk of locking everyone out of using these tools,
hence my need to have a "backdoor" to use GP Editor to which only *I* have
access on this laptop. I know that a registry key can be set witout
actually accessing regedit.

I know a little about the GP Editor but not sufficient to "play". Can
someone tell me how to disable access - then enable it?

Thanks for your time and patience.
 
I've been looking into this further. I see that I can set permission for
groups or users to access gpedit.msc and I know that I can hide the file,
prior to turning off <folder options> so it can't be unhidden. I don't
think that these options would prevent an "external" copy of gpedit.msc
being run from a USB memory stick.
 
Back
Top