Hello @Neha Padole ,
Thank you for posting here.
Here are the answers for your reference.
1. Commands like msconfig need administrator privileges to execute. After blocking msconfig in the GPO, if I execute it as any user of the Domain Users group, I get the following prompt to enter admin password as shown below. However I want the msconfig command to be blocked entirely for Domain Users group and do not want to be prompted to enter admin password. Is there some way to achieve it?
A1: We can try to use the Application Compatibility tools in the Windows Assessment and Deployment Kit to open the specified application so that the UAC settings will not pop up, but this method may need to be operated on a client by client basis and cannot be completed in batches.
The specific operation process is as follows:
1. Download the Windows Assessment and Deployment Kit toolkit.
https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install
2. The online installer is downloaded by default; you can install it directly, or download the offline installation package to the local computer.
3. Only check "Application Compatibility tools" during installation, and complete the tool installation according to the wizard.
4. After the installation is complete, find the Compatibility Administrator shortcut from the start menu and open the application.
5. In the left menu, select "New Database" under "Custom Databases", click the right mouse button, and then click "Create New-Application Fix" in turn.
6. In the pop-up Program information dialog box, enter the name of the application, the supplier, and the path information of the application.
7. Select "RunAsInvoker" in the Compatibility Modes dialog box, and other options remain unchanged.
8. Keep the Compatibility Fixes dialog box by default. In the Matching Information dialog box, only select "COMPANY_NAME" and "FILE_VERSION".
9. Keep other settings as default, click Next to complete the adding wizard.
10. Click the Save button on the software page, and select a location in the pop-up dialog box to save our changes to the database.
11. Select the database we just named, click File-Install in the menu, and apply the changes to the operating system.
12. After completion, when we open the application as a normal user again, the UAC dialog box will not pop up again.
13. If all the clients have the same application version, we can copy the database from the previous computer to other computers after the tool is installed, and click the Open button in the menu bar to open and install the copied sdb file.
14. Then click File-Install to apply to the specified client.
2. How do I disable/block services like azman.msc or certmgr.msc?
A2: We can try the following GPO setting to see if it helps.
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\ and select the specific .msc you want.
For more information, please refer to the link below.
How can I restrict access to MMC snap-ins?
https://www.itprotoday.com/windows-78/how-can-i-restrict-access-mmc-snap-ins
Hope the information above is helpful.
Best Regards,
Daisy Zhou
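
A command-line counterpart to steps 13-14 above, as an added example that is not part of the original answer: it installs a copied .sdb with the built-in `sdbinst.exe` and then lists every custom shim database registered on the client, so the new entry can be confirmed and unexpected ones spotted. The file path is a placeholder assumption, and the script must be run from an elevated PowerShell session.

```powershell
# Added example. $SdbPath is a hypothetical location for the .sdb copied in step 13.
param(
    [string]$SdbPath = 'C:\Temp\custom-fix.sdb'
)

# Registry location where Windows records installed custom shim databases.
$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'

function Get-InstalledShimDatabase {
    # Returns one object per registered custom database (empty if none).
    if (-not (Test-Path $installedKey)) { return @() }
    Get-ChildItem $installedKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
        }
    }
}

if (-not (Test-Path $SdbPath)) {
    throw "Shim database not found: $SdbPath"
}

# Remember what was registered before, so the new entry can be identified.
$before = @(Get-InstalledShimDatabase | Select-Object -ExpandProperty Guid)

# -q installs quietly (no confirmation dialog); this does what File-Install does in the GUI.
$sdbinst = Join-Path $env:SystemRoot 'System32\sdbinst.exe'
$proc = Start-Process -FilePath $sdbinst -ArgumentList '-q', "`"$SdbPath`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "sdbinst.exe exited with code $($proc.ExitCode)"
}

# Show every registered database and flag the ones added by this run.
Get-InstalledShimDatabase | ForEach-Object {
    $_ | Add-Member -NotePropertyName NewlyAdded -NotePropertyValue ($before -notcontains $_.Guid) -PassThru
} | Format-Table -AutoSize
```

Any row that is not a database you deployed deserves a closer look, because each installed database changes how the programs it matches are launched. `sdbinst.exe -u` followed by the same file path removes a database again.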