It is an excellent and sometimes mandatory security configuration to block unauthorized users’ access to the Control Panel and PC settings using Group Policy. You may already know how powerful the Control Panel and PC settings are on a Windows computer. Users can do almost every bit of configuration if they have access to these tools. Unauthorized access to these two tools may result in messing up your computer configuration and settings. So to avoid the consequences of unnecessary access to the Control Panel and PC Settings, you should block specific users’ access to these tools.
You can prohibit users’ access to PC Settings and Control Panel for a standalone computer, such as a standalone Windows 11 and 10 computer, and for a group of users joined to an Active Directory (AD) network. We often use such security settings and limitations for domain users while they are also available and helpful for a standalone computer too.
For both the standalone PC and AD network environment, you use the Group Policy to prohibit access to the Control Panel and PC Settings. On a standalone Windows PC, you use the Local Group Policy settings, which are available on all editions of Windows clients except the Home edition. For the AD users, you use the Group Policy Management capability on the Domain Controller Machine to create GPO, configure the policy, and apply it to the target AD users.
With this overview said, this article discusses how you can block users’ access to Control Panel and PC settings both on a standalone computer and in an Active Directory environment. The article covers each one in a separate section as the followings.
RELATED: Group Policy Management in Windows Server: Fundamental Concepts and Skills
Block Access to Control Panel and PC Settings for AD Users: Windows Server 2022
To prevent access to the Control Panel and PC Settings for a collection of users in Active Directory, you should create a GPO on your Domain Controller (DC) machine, configure the GPO to disable the Control Panel and PC Settings, and apply it to the AD Organizational Unit (OU) that contains your target users. So, the prerequisite is configuring your OU to include the target users. Then, follow the below steps to set and apply the GPO.
- Open the Group Policy Management Console on your DC. To do so, search for it in the Start Menu or use
gpmc.mscin the Run utility. - On the GPMC, right-click the Group Policy Objects and click New.
- Put a meaningful name for your GPO and click OK.
- Right-click your new GPO and click Edit.
- On the GPME window, navigate to User Configuration -> Policies -> Administrative Templates and click Control Panel. Then, open Prohibit access to Control Panel and PC settings on the right pane.
- On the Group Policy Settings window, check out the Enabled radio button. Then, click OK to save.
- Close the GPME window.
- On the GPMC window, locate the OU or any AD object to which you want to apply the GPO (Sales OU in my example). Then, right-click it and select Link an Existing GPO.
- Select the GPO from the list and click OK.
That is all about creating a GPO in Windows Server-based Domain Controller to block AD users from accessing the Control Panel and PC Settings. Next, see the below section to verify it.
Verify the Above Group Policy Setting for an AD User Account
By default, Active Directory Group Policy settings apply after every 90 minutes or after you restart the PC that gets affected by the Group Policy. This is called Group Policy background refresh. You can manually force the computers to get the Group Policy setting urgently after applying the Group Policy. This is called foreground refresh of the Group Policy.
To see if the above configuration affected the target users, you should perform a foreground refresh for the user account to which you applied the Group Policy setting. To do so, log in with an AD user account which is a member of the OU to which you applied the Group Policy object. Then, use the gpupdate /force command in the Run utility, Command Prompt, or PowerShell to refresh the Group Policy. After the Group Policy refresh is completed, try to open the Control Panel. If you have set the Group Policy Correctly, the user should face the error in the below picture while opening the Control Panel.
Also, if you try to open the PC Settings, you won’t be able to. The PC Settings window gets closed automatically.
Block Access to Control Panel and PC Settings in Windows 11 and 10
As mentioned earlier, you can block users’ access to Control Panel and Windows Settings on a standalone Windows 11 and 10 PC using Local Group Policy. Note that the Group Policy is not available on the Home edition of Windows 11 and 10. So, you should own at least a pro edition to configure this setting on Windows 11 and 10.
When you block Control Panel and PC Settings on a Windows 11 and 10 computer, users can not access them. They face an error while trying to open the Control Panel. The PC Settings also doesn’t come up if a user tries to open it. The effect is the same as in the above section, which was for AD users in an AD environment.
That said, walk through the below steps.
- Press the Windows + R keys to open Run.
- Type
gpedit.mscin the Run dialogue box and hit enter to open the Local Group Policy Editor (GPME) console.
- On the GPME window, expand User Configuration -> Administrative Templates and select the Control Panel. Then, open the Prohibit access to Control Panel and PC settings policy on the right pane.
- Choose Enabled on the policy configuration window and click OK to save.
- Exit the GPME window.
You need to force refresh the Group Policy if you want to apply it urgently after setting it. Else, it will apply after a background refresh (90 minutes or computer restart). To force update the Group Policy, run the gpupdate /force command in the Run, Command Prompt, or Windows PowerShell.
Once applied, you can not access the Control Panel and PC Settings on your standalone Windows 11 and 10 PC. Anytime you want to cancel this policy, you should go to the related policy in the GPME window and Disable it, as you enabled in the above steps.
Wrap Up
Blocking users’ access to Control Panel and PC settings is an excellent security policy both for a standalone PC and domain-joined computers. Fortunately, you can easily prohibit access to these two powerful tools using Group Policy for both standalone computers and AD computers.
So far, this article has discussed in detail how to block certain AD users’ access to Control Panel and PC settings by creating a GPO and applying it to AD users. The article also discussed how to force update the Group Policy. Lastly, the article covered the procedure to block Access to Control Panel and PC settings on a standalone Windows 11 and 10 computer.
I hope you enjoy reading this guide and find it helpful. Make sure to put your questions and thoughts in the comment. Also, to support our writings, share our guides with your friends and colleagues. Thank you.
