disabling startup-program changes

There are many free tools that will remove Group Policy restrictions to not
run Task Manager, edit the registry, etc. I think Malwarebytes free tool
will check for and give you the option to remove such restrictions. It is
also possible to use PE boot to mount registry of another operating system,
edit, and dismount to remove any restrictions.

Steve


"Twayne" wrote in message
...
"VanguardLH" wrote in message

MoWrOw wrote:

...

Nope. Won't work. gpedit.msc merely gives you a hierarchical
structure to the registry entries used to record those policies. The
other admins can still use regedit.exe, reg.exe, or other registry
editors to undo those policies. In fact, with permission of the IT
dept., I put a .reg file in my Startup group (since I was in a domain
group for *local* administrators [so they can manage their own
hosts]) that undid the screensaver timeout policy they pushed onto my
host. As long as I can edit the registry, I can make whatever
changes I want there when logged under a local admin account.
gpedit.msc (and secpol.msc) are not the only means to modify the
registry to define policies there.

It could work, by simply removing the ability to edit the registry while
the other changes are being made.


Then it is always possible to image the OS partition when it is in the
state you want and undo everything anyone did on the host.

And lose any created data in the meantime.

You can also install another instance of Windows in another partition
(on the same or different drive than the default OS) and use that
instance to import the registry into regedit.exe, make your changes,
like to the policy settings, and put the registry files back on the
slave drive. Or haul the hard disk with the OS on it to another host
running Windows and import the registry to that instance of Windows.

And double the cost of licenses. Every instance of the OS requires a
license; that would make 2 per machine.

You're a god only in your mind. The only ones that will bow to you
are those that enjoy receiving a rim job from you.

Twayne wrote:

"VanguardLH" wrote in message

MoWrOw wrote:

...

Nope. Won't work. gpedit.msc merely gives you a hierarchical
structure to the registry entries used to record those policies. The
other admins can still use regedit.exe, reg.exe, or other registry
editors to undo those policies. In fact, with permission of the IT
dept., I put a .reg file in my Startup group (since I was in a domain
group for *local* administrators [so they can manage their own
hosts]) that undid the screensaver timeout policy they pushed onto my
host. As long as I can edit the registry, I can make whatever
changes I want there when logged under a local admin account.
gpedit.msc (and secpol.msc) are not the only means to modify the
registry to define policies there.

It could work, by simply removing the ability to edit the registry while
the other changes are being made.

Then you use password crackers to log under the Administrator account to
gain access to the registry. In fact, there are commercial programs
that specifically address getting into a Windows host, like after
termination of an employee who refuses or cannot be reached to get their
password or the company isn't interested in pursuing a property and data
theft lawsuit against the ex-employee.

Then it is always possible to image the OS partition when it is in the
state you want and undo everything anyone did on the host.

And lose any created data in the meantime.

And your point? The OP never stated that any changes made to the host's
disk(s) after its initial image had to be retained. In fact, if the
helpdesk cannot resolve the problem, often they'll just re-image your
host.

You can also install another instance of Windows in another partition
(on the same or different drive than the default OS) and use that
instance to import the registry into regedit.exe, make your changes,
like to the policy settings, and put the registry files back on the
slave drive. Or haul the hard disk with the OS on it to another host
running Windows and import the registry to that instance of Windows.

And double the cost of licenses. Every instance of the OS requires a
license; that would make 2 per machine.

In an environment as described, you think this will be the only host
running Windows in the entire company? Puh-lease.