If you need to lock down your client machines' desktops and prevent your users from changing the wallpaper, here's a run-through of how to do it.
Solution
1. On your domain controller, Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted USERS or edit an existing one, then navigate to:
[box] User Configuration > Administrative Templates > Control Panel > Personalization [/box]
Locate “Prevent Changing Desktop Background”.
2. Set the policy to enabled, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.
3. Your users will no longer be able to select the “Desktop Background” link to change it.
4. If your users locate a picture on the internet they cannot select “Set as Background”.
5. If your users download a graphic and preview it, the option to “Set as desktop Background” is there but it no longer works.
My users can still “Set as Background” and “Set as desktop Background”
The above procedure works fine with Windows 7 and 2008; however, some older versions of Windows still have access to these options. To fix that you need to lock Active Desktop, then disable it.
If that’s the case, in addition to the above also do the following.
Did a migration of a school the other week; afterwards it seems the “little darlings” had discovered that they could (from the logon screen) access the “Ease of access” settings and enable “High Contrast”, which is obviously hilarious, but annoying for their teachers.
Ease of Access is designed as part of the accessibility options, and as such has no GPO settings (I’m assuming because a policy that excludes disabled people would not be the best of things in a modern society). However, when these options start to harm productivity we need a mechanism to enable and disable them. (At least then we can enable them for only the people that need them.)
Anyway, it took me ages to get it turned off; here’s how to do it.
Solution
1. On your domain controller, Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted COMPUTERS or edit an existing one, then navigate to:
2. Right click “File system” > Add File > Type in the following;
[box]C:\Windows\System32\Utilman.exe[/box]
3. Click OK > Add in the Everyone group > Deny the following, Read and Execute, List Folder Contents, and Read > Apply > Yes > “Replace existing permissions….” > OK.
4. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.
Related Articles, References, Credits, or External Links
A few weeks back I wrote about a client who was having problems with kids at his school launching the ease of access button from the login screen. And how I disabled the ease of access button.
High Contrast
After a site visit it seems that the “little darlings” had now worked out that by pressing “Alt+Shift+Print Screen” they could turn on high contrast. And this, which is obviously hilarious (once again), and annoying for their teachers, needs disabling.
As with the ease of access button, these options are designed for the disabled. So there is no mechanism for doing this. I had great fun working out how to do this via group policy.
2. This assumes your clients are Windows 7; if your client OSes are earlier, you need to install the Client Side Extensions.
If you don’t have a 2008 domain, you can still disable these options via the registry, click here
If you want to import a Group Policy Object to do this, click here.
Solution
Disable Accessibility via Group Policy
Note: creating the policy is VERY time consuming and soul-destroyingly boring! I’ve pre-written it for you; download this file.
1. Once you have downloaded the file above, extract it to the desktop of your domain controller.
2. Launch the “Group Policy Management Console”.
3. Create a policy, and either link it to the domain or the OU that contains the users you want to enforce the policy on, (Or edit an existing policy).
4. Right click the policy you are working with, and select edit.
5. Right click the policy > Properties > Take note of the policy’s “Unique name”.
6. Now you need to locate the policy itself, click Start > in the search run box type:
[box]\\{your domain name}\sysvol\{your domain and extension}\policies[/box]
e.g. My test domain is domaina.com, so the command I would use is \\domaina\sysvol\domaina.com\policies
7. Once there, locate and open the folder that has the same unique name as the policy you noted down in step 5. Within that folder open the “User” folder. Then, from the file you extracted above, copy the “Preferences” folder into the “User” folder.
So now your policy will look like:
{CFE1314E-A13B-4E31-9EC5-FD9028D21945} (yours will have a different name!)
- Machine
- User
-- Preferences
--- Registry
---- Registry.xml
8. That’s you finished. If you want to see what the policy is doing, go back to the Group Policy Management Console > Edit the policy and navigate to:
[box]User Configuration > Preferences > Windows Settings > Registry[/box]
There you will see all the registry keys that this policy resets (and I had to configure, one by one!).
Disable Accessibility via the Registry
1. Download this file containing the registry files, and extract it onto your target machine.
2. Within the extracted files you will find a folder called “Registry Keys”. There are two files in it, called AccessibilityOFF and AccessibilityON (as the names suggest, the first disables the settings, and the second reinstates them). Simply double click them to merge them into the registry.
Disable Accessibility via Group Policy
Import the following file and save it with a .adm extension.
[box]
; Each policy records its on/off state under Software\Policies\Accessibility
; and uses ACTIONLISTON / ACTIONLISTOFF to write the per-user setting under
; Control Panel\Accessibility.
CLASS MACHINE
CLASS USER
CATEGORY "Control Panel"
  CATEGORY "Accessibility Lockdown"
    KEYNAME "Software\Policies\Accessibility"

    ; Switch accessibility features off again after an idle period.
    POLICY "Automatic Reset"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "TimeoutConfig"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "Flags"
        VALUE "3"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "Flags"
        VALUE "2"
      END ACTIONLISTOFF
      ; Idle time is stored in milliseconds.
      PART "Timeout after idle for" DROPDOWNLIST
        REQUIRED
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "TimeToWait"
        ITEMLIST
          NAME "5 minutes"
          VALUE "300000"
          NAME "10 minutes"
          VALUE "600000"
          NAME "15 minutes"
          VALUE "900000"
          NAME "20 minutes"
          VALUE "1200000"
          NAME "25 minutes"
          VALUE "1500000"
          NAME "30 minutes"
          VALUE "1800000"
        END ITEMLIST
      END PART
    END POLICY

    POLICY "Disable StickyKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "StickyKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\StickyKeys"
        VALUENAME "Flags"
        VALUE "506"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\StickyKeys"
        VALUENAME "Flags"
        VALUE "510"
      END ACTIONLISTOFF
    END POLICY

    ; FilterKeys settings live under the "Keyboard Response" key.
    POLICY "Disable FilterKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "FilterKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\Keyboard Response"
        VALUENAME "Flags"
        VALUE "122"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\Keyboard Response"
        VALUENAME "Flags"
        VALUE "126"
      END ACTIONLISTOFF
    END POLICY

    POLICY "Disable ToggleKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "ToggleKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\ToggleKeys"
        VALUENAME "Flags"
        VALUE "58"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\ToggleKeys"
        VALUENAME "Flags"
        VALUE "62"
      END ACTIONLISTOFF
    END POLICY

    ; Also clears the saved pre-High Contrast scheme when enabled.
    POLICY "Disable High Contrast (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "HighContrastLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\HighContrast"
        VALUENAME "Flags"
        VALUE "122"
        VALUENAME "Pre-High Contrast Scheme"
        VALUE ""
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\HighContrast"
        VALUENAME "Flags"
        VALUE "126"
      END ACTIONLISTOFF
    END POLICY

    POLICY "Disable MouseKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "MouseKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\MouseKeys"
        VALUENAME "Flags"
        VALUE "58"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\MouseKeys"
        VALUENAME "Flags"
        VALUE "62"
      END ACTIONLISTOFF
    END POLICY
  END CATEGORY
END CATEGORY
[/box]
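To confirm the lockdown actually reached a client, the check below (an added example, not part of the original article or its downloads) reads the logged-on user's Flags values and compares them with the ACTIONLISTON values from the ADM template above. The function name Get-AccessibilityLockdownState is hypothetical; it assumes PowerShell 3.0 or later and must be run as the user the policy targets, because the settings live in HKCU.

```powershell
# Added example: audit the per-user accessibility Flags against the
# "enabled" (ACTIONLISTON) values listed in the ADM template.
$base = 'HKCU:\Control Panel\Accessibility'

# Subkey name -> Flags value the template writes when the policy is enabled.
$expected = [ordered]@{
    'StickyKeys'        = '506'
    'Keyboard Response' = '122'   # FilterKeys
    'ToggleKeys'        = '58'
    'HighContrast'      = '122'
    'MouseKeys'         = '58'
}

function Get-AccessibilityLockdownState {
    param(
        [string]$Root = $base,
        [System.Collections.IDictionary]$Want = $expected
    )
    foreach ($sub in $Want.Keys) {
        $key = Join-Path $Root $sub
        # Flags is a string (REG_SZ) value, so compare as text, not as a number.
        $actual = (Get-ItemProperty -LiteralPath $key -Name 'Flags' `
                   -ErrorAction SilentlyContinue).Flags
        [pscustomobject]@{
            Feature   = $sub
            Expected  = $Want[$sub]
            Actual    = if ($null -eq $actual) { '<missing>' } else { [string]$actual }
            Compliant = ([string]$actual -eq $Want[$sub])
        }
    }
}

$report = @(Get-AccessibilityLockdownState)
$report | Format-Table -AutoSize

# Summarise anything the policy has not (yet) applied to this profile.
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} accessibility setting(s) are not locked down: {1}" -f `
        $failed.Count, (($failed | ForEach-Object { $_.Feature }) -join ', '))
}
```

A feature reported as `<missing>` or with a different value means the policy has not applied to that profile yet; run “gpupdate /force” and log on again before re-checking.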