Q:How to use Software Restriction policy to prevent end users from running the Power Management control panel applet.

A:Software Restriction is also called Safer and it is a function with Windows Shell (Shell32.DLL). When Windows Explorer tries to launch a program, before really calling CreateProcess(), Shell would first check the program is restricted by the Safer policy. Here, the program is the image name of the process. When we run powercfg.cpl, actually the real program name is Control.exe and powercfg.cpl is just a parameter of the program. Therefore, disabling only powercfg.cpl with Safer won’t work.

Since disabling control.exe will cause the end users fail to run all other control panel applets, you may consider using a domain policy (linked to the OU where those target computer objects reside) and then setup a File System security policy and configure the permissions to Deny Access for those end users.

1) Create or edit an existing GPO linked to the OU where those computers accounts reside

2) Find the following policy:

Computer ConfigurationWindows SettingsSecurity SettingsFile System

3) Right click and select Add File.

4) Leave the current permissions unchanged. Add a new permission assignment. Enter the user group which contains all those target end users. Select Deny for all Access.

5) Apply the changes.

6) Wait for the policy to take effect on client computers.

7) Now those end users should not be able to launch the Power Options applet.

Comments (0)