Restrictions

 

Restrictions (Windows NT)

Desktop restrictions can be implemented by editing the following Explorer values in the registry (all values default to 0):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoCommonGroups REG_DWORD
Set it to 1 so that common program groups do not appear on the Start menu.

NoDesktop REG_DWORD
Set it to 1 to hide all desktop icons.

NoDrives REG_DWORD
The low-order (rightmost) bit is drive A:, while the 26th bit is drive Z:.
To hide a drive, turn on its bit. These drives will still appear in File Manager. To remove File Manager, delete winfile.exe.
If you're not happy working in hex, add these decimal numbers to hide the drive(s):
A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, ALL: 67108863
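
The bit arithmetic above, as an added example that is not part of the original tip: a Python sketch that builds a NoDrives value from drive letters and decodes a value found in a hive back into letters, reporting any bits outside A: to Z:. The function names and the REGEDIT4-style output line are assumptions of this example.

```python
import string

ALL_DRIVES = (1 << 26) - 1  # 67108863, the "ALL" value in the list above

def nodrives_mask(letters):
    """Return the NoDrives DWORD that hides the given drive letters."""
    mask = 0
    for letter in letters:
        letter = letter.strip().rstrip(":").upper()
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))  # A: is bit 0, Z: is bit 25
    return mask

def hidden_drives(mask):
    """Decode a NoDrives DWORD into (hidden letters, bits outside A:..Z:)."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("NoDrives is a 32-bit REG_DWORD")
    letters = [chr(ord("A") + bit) for bit in range(26) if mask >> bit & 1]
    return letters, mask & ~ALL_DRIVES

def reg_line(mask):
    """Format the value as a REGEDIT4 .reg file writes a DWORD (8 hex digits)."""
    return f'"NoDrives"=dword:{mask:08x}'

if __name__ == "__main__":
    mask = nodrives_mask(["A", "B", "D:"])  # constructed sample input
    print(mask, reg_line(mask), hidden_drives(mask))
```

A non-zero second element from hidden_drives means the stored value has bits set that do not correspond to any drive letter, which is worth checking when reviewing a profile.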

NoFileMenu REG_DWORD
If set to 1, the File menu in Explorer is removed.

NoFind REG_DWORD
Set it to 1 to remove the Find command from the Start Menu.

NoNetConnectDisconnect REG_DWORD
A value of 1 removes the "Map Network Drive" and "Disconnect Network Drive" menu and right-click options.

NoNetHood REG_DWORD
Set it to 1 to remove the Network Neighborhood icon and prevent network access from Explorer (it will still work from a command prompt).

NoRun REG_DWORD
If set to 1, the Run command is removed from the Start menu.

NoSetFolders REG_DWORD
Set it to 1 to hide Control Panel and Printers and My Computer in Explorer and on the Start Menu.

NoSetTaskbar REG_DWORD
If set to 1, only Drag and Drop can be used to alter the Start Menu and Desktop. The Taskbar does not appear on the Start Menu.

NoTrayContextMenu REG_DWORD
If set to 1, menus do not display upon right click of the taskbar, start button, clock, or taskbar application icons. The entry is only available for NT 4.0 with SP 2 or greater.

NoViewContextMenu REG_DWORD
If set to 1, menus do not display upon right click of the desktop or Explorer's results pane. The entry is only available for NT 4.0 with SP 2 or greater.

RestrictRun REG_DWORD
Set it to 1 and only programs that you define at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
can be run on the Workstation.

NoClose REG_DWORD
Set it to 1 to remove the ShutDown button from the Start Menu. This does not disable shutdown from CTRL+ALT+DEL. To totally disable a user's ability to shut down, remove the "advanced" right to "Shutdown the System" from Policies/User Rights of User Manager for Domains.

To really lock down the desktop, replace the Explorer or Progman shell with your own launcher. Edit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and replace the current .exe with YourOwnLauncher.exe. See "Restricting system features ..." on a subsequent Tips page.

We learned that setting the RestrictRun value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer key to 1 allows us to configure allowed programs at the RestrictRun key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun

RestrictRun only works from the Explorer process. It does not prevent users from running programs, such as Task Manager, that are started by the system process or by other processes such as CMD.EXE.

For Windows NT to operate properly, users must be permitted to run Systray.exe and setup.exe (both are in %SystemRoot%\System32).

The value entries in this subkey represent local programs which can appear in any order. The value entries have the following syntax:

A decimal number (starting with 1) of type REG_SZ, with a data string that is the name of the executable file.

Example:

1  REG_SZ  setup.exe
2  REG_SZ  systray.exe
3  REG_SZ  Iexplore.exe
4  REG_SZ  JSITTARH.EXE
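
A check of the RestrictRun rules described above, as an added example that is not part of the original tip: it parses an exported copy of the Explorer policy key and reports an allow-list that is not switched on, is malformed, lacks Systray.exe or setup.exe, or permits CMD.EXE. The REGEDIT4 export layout, the sample data and the function names are assumptions of this example.

```python
import re

# Constructed sample: REGEDIT4-style export of the Explorer policy key.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="setup.exe"
"2"="Iexplore.exe"
"x"="JSITTARH.EXE"
"3"="cmd.exe"
'''

POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
REQUIRED = {"systray.exe", "setup.exe"}  # the page: NT needs both to operate properly
LAUNCHERS = {"cmd.exe"}  # the page: programs started from CMD.EXE are not checked

def parse_reg(text):
    """Parse a .reg export into {key path: {value name: raw data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.+)$', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def audit_restrictrun(text):
    """Return findings about the RestrictRun switch and its allow-list subkey."""
    keys, findings, allowed = parse_reg(text), [], set()
    if keys.get(POLICY_KEY, {}).get("restrictrun") != "dword:00000001":
        findings.append("RestrictRun is not 1: the allow-list is not enforced")
    for name, data in keys.get(POLICY_KEY + r"\restrictrun", {}).items():
        is_string = len(data) >= 2 and data[0] == data[-1] == '"'
        if not (name.isdecimal() and int(name) >= 1 and is_string):
            findings.append(f"entry {name!r}: expected a decimal name (from 1) of type REG_SZ")
            continue
        allowed.add(data[1:-1].lower())
    for exe in sorted(REQUIRED - allowed):
        findings.append(f"{exe} is missing from the allow-list")
    for exe in sorted(LAUNCHERS & allowed):
        findings.append(f"{exe} is allowed: programs started from it bypass RestrictRun")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_restrictrun(SAMPLE_EXPORT)))
```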

To restrict the use of system features, edit: (the System sub-key must be added)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

All of the following entries are type REG_DWORD and have a default of 0. If these entries are set to 1, the restriction is enabled.

DisableTaskMgr - Prevents TaskMgr.exe from running. This entry is only supported from NT 4.0 with SP2 or greater.

NoDispAppearancePage - Removes the ability to change the colors or color scheme on the desktop from Control Panel.

NoDispBackgroundPage - Removes the ability to change wallpaper and background pattern from Control Panel.

NoDispCPL - Disables the Display option in Control Panel.

NoDispScrSavPage - The Screen Saver tab does not appear in the Display Properties page of Control Panel.

NoDispSettingsPage - The Settings and Plus tabs do not appear in the Display Properties page of Control Panel.

The following entries are located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. All are type REG_DWORD with a default value of 0.

EnforceShellExtensionSecurity - A value of 1 causes Windows NT to only load the shell extensions listed in the Approved subkey (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved).

NoDriveAutoRun - A bitmapped value that determines whether the autorun feature is disabled on each drive. If a drive's bit is set to 1, autorun is disabled on that drive.

NoSaveSettings - A value of 1 prevents changes to the positions of icons and open windows, and the size and position of the taskbar, from being saved.

NoStartBanner - A value of 1 hides the arrow and "Click here to begin" caption that appear on the taskbar when you start Windows NT.

NoStartMenuSubFolders - Hides the folders at the top section of the Start menu when the value is set to 1. Items appear, but folders are hidden.

A few more restrictions are located at HKEY_CURRENT_USER\Software\Microsoft\Windows:

NoWorkgroupContents - If the value of this entry is 1, Network Neighborhood does not display computers in the local workgroup or domain.

NoEntireNetwork - A value of 1 restricts Network Neighborhood from displaying or accessing computers outside the local workgroup or domain. The user can still use the Start/Run, Map/Connect Network Drive, and the Command Prompt.

 

In other tips on these pages, you have seen registry hacks to the HKEY_CURRENT_USER hive. Any hack that you can make to HKEY_CURRENT_USER can be made to the default user hive.

To modify the default user hive, highlight the HKEY_USERS window and click Load Hive from the Registry menu. Select the Ntuser.dat file (usually in the %windir%\Profiles\Default User directory). Type NTUSER in the Key Name dialog box. Now you can add or modify any key or value within this hive. When you finish, highlight NTUSER and select Permissions from the Security menu. Add Read permission to the Everyone group. Check the "Replace Permission on Existing Subkeys" box and click OK. Select Unload Hive from the Registry menu and exit Regedt32.

Copy the profile to the Netlogon share on the PDC, which is usually at C:\%windir%\System32\Repl\Export\Scripts.

When a new user logs on, they will receive the default profile.

 
