The previous article already discussed about completely disable control panel access on a managed Windows computer to harden the security of computer settings. However, this restriction could give bad experience to the end users. Sometimes access to control panel is required for troubleshooting basic problems, but users won’t be able to do that without access to control panel. So, instead of completely disable control panel, administrator can just hide control panel items using Group Policy to limit what users can configure in control panel.
How to Hide Control Panel Items using Group Policy
There are two approach to secure control panel with this concept:
- Hide specified Control Panel items : this settings by default will show all control panel items except those the administrator choose to hide. This setting has higher precedence then the other setting that will be explained later, which means if both are configured at the same time, this setting will override the other one.
- Show only specified Control Panel items : this setting is more restrictive compared to the previous one, but still more permissive than completely disable control panel. By default this setting will hide all control panel items except those the administrator choose to show.
The example below will show how to hide some control panel items which are the on a client PC running Windows 10, joined to a domain named asaputra.com where the domain controller is running Windows Server 2012 R2. The chosen items to hide are “HomeGroup” and “Internet Options” which can be found in control panel under “Network and Internet” section.
1. Create a new GPO or edit an existing one
In this example, a new GPO named “Global Security” is created.
2. Find the setting to hide/show specified control panel items
Open up the editor window and go to User Configuration > Policy > Administrative Templates > Control Panel. Both configuration to hide or show specified control panel items are shown here.
3. Enable the setting to hide/show specified control panel items
The setting that fits the goal of this scenario is Hide specified Control Panel items. Select the setting and change the options to “Enabled”, then click on “Show” button as pointed out in the picture below,
4. Specify the items to be hidden/shown
Write the canonical name of the items to be hidden. You can refer to this canonical name guidance from Microsoft.
5. Verify result on the client computer
Apply the GPO to a user OU and watch it takes effect on the client computer as soon as group policy refreshed.
You can repeat the steps above by specifying the canonical name of other control panel items that you want to hide or show. With this way, administrator can hide control panel items that the user shouldn’t mess with, but still showing items that are useful or frequently needs to be changed.
Just remember that the “Show specified Control Panel items” setting has higher priority than “Hide specified Control Panel items” setting. The setting takes effect as soon as Group Policy refreshed on the client machine. This happens periodically but you can force it to be refreshed right away by using command gpupdate /force.
And that’s how to hide control panel items using Group Policy.