Preventing Users From Circumventing Group Policy

By /


If users have local admin privileges on their workstations, they can circumvent many Group Policy settings by editing the registry directly (provided they know enough to know where to look in the registry). This is bad news for administrators, and I’m often asked how they can prevent users from doing this. Here’s a way one administrator does it on his network–it might work for you if your needs and environment are similar enough:



  1. Use software restriction policies to prevent users from running executables in any path except those you specify.
  2. Use Group Policy to restrict users from accessing the paths to executables in Windows Explorer.
  3. Use Group Policy to deny users access to the command prompt and regedit.
  4. Give users read-only mandatory user profiles.
  5. Use Group Policy to cause users’ computers to forcibly log them off if Group Policy settings are not applied when they log on.

Combining these five restrictions together gives users very little wiggle room for doing things like installing unauthorized apps on their machines.


Cheers,
Mitch Tulloch
www.mtit.com/mitch/

About The Author

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top