Disable Administrative Components

Disable Control panel items, Administrative Tools, and PowerShell

Various control panels, administrative tools, and server settings should be disabled for standard user access if otherwise not required by organization. To disable control panel items, the following policies can be carried out from the Group Policy Microsoft Management Console (MMC): User Configuration\Administrative Templates\Control Panel

Disable Registry Modification

For added security, users should be restricted to not make any registry modifications: User Configuration\Policies\Administrative Templates\System

Windows Updates and Installer

These policy setting prevents users from using Windows Installer to install patches and disables Windows update and shutdown notifications. This can be carried out from the Group Policy Microsoft Management Console (MMC):

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer
Computer Configuration\Administrative Templates\Windows Components\Windows Update

Control Panel

The following Control Panel items may be removed from the list of items available for standard user access:

Microsoft.AdministrativeTools
Microsoft.AutoPlay
Microsoft.ActionCenter
Microsoft.ColorManagement
Microsoft.DefaultPrograms
Microsoft.DeviceManager
Microsoft.EaseOfAccessCenter
Microsoft.FolderOptions
Microsoft.iSCSIInitiator
Microsoft.NetworkAndSharingCenter
Microsoft.NotificationAreaIcons
Microsoft.PhoneAndModem
Microsoft.PowerOptions
Microsoft.ProgramsAndFeatures
Microsoft.System
Microsoft.TextToSpeech
Microsoft.UserAccounts
Microsoft.WindowsFirewall
Microsoft.WindowsUpdate
Microsoft.DateAndTime
Microsoft.RegionAndLanguage
Microsoft.RemoteAppAndDesktopConnections
Install Application On Remote Desktop Server
Java
Flash Player

Administrative Tools and PowerShell

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.
Right click on File System, choose Add File.
In the Add a file or folder window, put %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools in the Folder field and click OK.
On the next window Database Security for%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk remove Users and check that Administrators have Full Access
On the Add Object window choose Configure this file or folder then Propagate inheritable permissions to all subfolders and files. Click OK.
Do the same for PowerShell shortcut (+ delete Creator Owner in database security): %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk
Do the same for Server Manager shortcut: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk

PreviousLocking Down TS/RDS Host NextAntivirus Exclusions

Last updated 8 months ago

Disable Control panel items, Administrative Tools, and PowerShell

Windows Updates and Installer

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Installer

Computer Configuration\Administrative Templates\Windows Components\Windows Update

Control Panel

The following Control Panel items may be removed from the list of items available for standard user access:

Microsoft.AdministrativeTools

Microsoft.AutoPlay

Microsoft.ActionCenter

Microsoft.ColorManagement

Microsoft.DefaultPrograms

Microsoft.DeviceManager

Microsoft.EaseOfAccessCenter

Microsoft.FolderOptions

Microsoft.iSCSIInitiator

Microsoft.NetworkAndSharingCenter

Microsoft.NotificationAreaIcons

Microsoft.PhoneAndModem

Microsoft.PowerOptions

Microsoft.ProgramsAndFeatures

Microsoft.System

Microsoft.TextToSpeech

Microsoft.UserAccounts

Microsoft.WindowsFirewall

Microsoft.WindowsUpdate

Microsoft.DateAndTime

Microsoft.RegionAndLanguage

Microsoft.RemoteAppAndDesktopConnections

Install Application On Remote Desktop Server

Java

Flash Player

Administrative Tools and PowerShell

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings.

Right click on File System, choose Add File.

In the Add a file or folder window, put %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools in the Folder field and click OK.

On the next window Database Security for%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk remove Users and check that Administrators have Full Access

On the Add Object window choose Configure this file or folder then Propagate inheritable permissions to all subfolders and files. Click OK.

Do the same for PowerShell shortcut (+ delete Creator Owner in database security): %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk

Do the same for Server Manager shortcut: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk