Disabling executables and .msc file using Group Policy Object

Neha Padole 41 Reputation points
2020-12-31T07:26:11.27+00:00

I want to disable following services -

52379-image.png

For files which are .exe, I created executable rules in AppLocker Policy to deny .exes using path for users of the Domain User group as shown in the image below.

52472-image.png

I have 2 questions -

  1. Commands like msconfig need administrator privileges to execute. After blocking msconfig in the GPO, if I execute it as any user of the Domain Users group, I get the following prompt to enter admin password as shown below. However I want the msconfig command to be blocked entirely for Domain Users group and do not want to be prompted to enter admin password. Is there some way to achieve it?
  2. How do I disable/block services like azman.msc or certmgr.msc?

Accepted answer
  1. Daisy Zhou 26,161 Reputation points Microsoft Vendor
    2021-01-01T03:43:07.057+00:00

    Hello @Neha Padole ,

    Thank you for posting here.

    Here are the answers for your reference.

    1. Commands like msconfig need administrator privileges to execute. After blocking msconfig in the GPO, if I execute it as any user of the Domain Users group, I get the following prompt to enter admin password as shown below. However I want the msconfig command to be blocked entirely for Domain Users group and do not want to be prompted to enter admin password. Is there some way to achieve it?

    A1: We can try to use the Application Compatibility tools in the Windows Assessment and Deployment Kit to open the specified application so that the UAC settings will not pop up, but this method may need to be operated on a client by client basis and cannot be completed in batches.

    The specific operation process is as follows:

    1. Download the Windows Assessment and Deployment Kit toolkit.
    https://learn.microsoft.com/en-us/windows-hardware/get-started/adk-install

    2. The online installer is downloaded by default, you can install it directly, or download the offline installation package to the local.

    3. Only check "Application Compatibility tools" during installation, and complete the tool installation according to the wizard.
    52695-u1.png

    4. After the installation is complete, find the Compatibility Administrator shortcut from the start menu and open the application.

    5. In the left menu, select "New Database" under "Custom Databases", click the right mouse button, and then click "Create New-Application Fix" in turn.
    52623-u2.png

    6. In the pop-up Program information dialog box, enter the name of the application, the supplier, and the path information of the application.
    52696-u3.png

    7. Select "RunAsInvoker" in the Compatibility Modes dialog box, and other options remain unchanged.
    52697-u4.png

    8. Keep the Compatibility Fixes dialog box by default. In the Matching Information dialog box, only select "COMPANY_NAME" and "File_VERSION".
    52698-u5.png

    9. Keep other settings as default, click Next to complete the adding wizard.
    52724-u6.png

    10. Click the Save button on the software page, and select a location in the pop-up dialog box to save our changes to the database.
    52725-u7.png

    11. Select the database we just named, click File-Install in the menu, and apply the changes to the operating system.
    52673-u8.png

    12. After completion, when we open the application as a normal user again, the UAC dialog box will not pop up again.

    13. If all the clients have the same application version, we can copy the database from the previous computer to other computers after the tool is installed, and click the Open button in the menu bar to open and install the copied sdb file.

    14. Then click File-Install to apply to the specified client.

    2. How do I disable/block services like azman.msc or certmgr.msc?

    A2: We can try the following GPO setting to see if it helps.

    User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\ and select the specific .msc you want.

    For more information, please refer to the link below.
    How can I restrict access to MMC snap-ins?
    https://www.itprotoday.com/windows-78/how-can-i-restrict-access-mmc-snap-ins

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou
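
A read-only way to confirm on a client that the settings discussed in this thread took effect, added here as an example and not part of the original question or answer. The account name CONTOSO\testuser is a placeholder; the snap-in check reads HKCU, so that part has to run in the restricted user's own session.

```powershell
# Added example: read-only checks for the AppLocker, MMC and shim settings above.
param(
    [string]$User = 'CONTOSO\testuser',   # placeholder: an account in Domain Users
    [string[]]$Path = @("$env:windir\System32\msconfig.exe")
)

# 1. AppLocker only enforces rules while the Application Identity service runs.
Get-Service -Name AppIDSvc | Format-Table Name, Status, StartType -AutoSize

# Evaluate the effective (GPO merged with local) policy for the given user.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $Path -User $User |
    Format-List FilePath, PolicyDecision, MatchingRule

# 2. "Restricted/Permitted snap-ins" is per-user policy stored under HKCU.
#    Restrict_Run = 1 means the snap-in is blocked for this user.
$policyRoot = 'HKCU:\Software\Policies\Microsoft\MMC'
$snapinRoot = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'
if (Test-Path -LiteralPath $policyRoot) {
    # RestrictToPermittedSnapins = 1 blocks every snap-in not explicitly permitted.
    Get-ItemProperty -LiteralPath $policyRoot |
        Format-List RestrictToPermittedSnapins, RestrictAuthorMode
    Get-ChildItem -LiteralPath $policyRoot | ForEach-Object {
        $clsid = $_.PSChildName
        $info  = Get-ItemProperty -LiteralPath (Join-Path $snapinRoot $clsid) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Snapin       = $info.NameString   # friendly name, if registered locally
            Clsid        = $clsid
            Restrict_Run = (Get-ItemProperty -LiteralPath $_.PSPath).Restrict_Run
        }
    } | Format-Table -AutoSize
} else {
    Write-Output 'No MMC snap-in policy has been applied to this user.'
}

# 3. Custom shim databases (such as a RunAsInvoker fix) installed on this machine.
$sdbRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
if (Test-Path -LiteralPath $sdbRoot) {
    Get-ChildItem -LiteralPath $sdbRoot | ForEach-Object {
        Get-ItemProperty -LiteralPath $_.PSPath
    } | Format-List DatabaseDescription, DatabasePath
} else {
    Write-Output 'No custom shim database is installed.'
}
```

A PolicyDecision of Denied with the expected MatchingRule confirms the path rule applies to that user; an unexpected entry in the shim database list is worth reviewing, since an installed .sdb changes how the matched executable is launched.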
