Prevent Users changing Desktop Wallpaper with Group Policy

KB ID 0000461 

Problem

If you need to lock down your client machines desktops and prevent your users from changing the wallpaper, then here’s a run through on how to do it.

Solution

1. On your domain controller , Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted USERS or edit an existing one, then navigate to;

[box] User Configuration > Administrative Templates > Control Panel > Personalization [/box]

Locate “Prevent Changing Desktop Background”.

2. Set the policy to enabled, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

3. Your users will no longer be able to select the “Desktop Background” link to change it.

4. If your users locate a picture on the internet they cannot select “Set as Background”.

5. If your users download a graphic and preview it, the option to “Set as desktop Background” is there but it no longer works.

My users can still “Set as Background” and “Set as desktop Background”

The above procedure works fine with Windows 7 and 2008, however some older versions of Windows still have access to these options. To fix that you need to lock active desktop then disable it.

If that’s the case, in addition to the above also do the following.

1. On the policy you edited above, navigate to;

[box] User Configuration > Administrative Templates > Desktop > Desktop [/box]

Locate “Desktop Wallpaper”.

2. Enable the policy > Set the wallpaper name to ??? (a value that does not exist) > Set the wallpaper style to Stretch.

3. On the policy you edited above, navigate to;

[box] User Configuration > Administrative Templates > Desktop > Desktop [/box]

Locate “Disable Active Desktop”.

4. Set it to enabled, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

NA

Disable High Contrast with Group PolicyDisable Accessibility Options with Group Policy

KB ID 0000472 

Problem

A few weeks back I wrote about a client who was having problems with kids at his school launching the ease of access button from the login screen. And how I disabled the ease of access button.

High Contrast

After a site visit it seems that the “little darlings” had now worked out that by pressing “Alt+Shift+Print Screen” they could turn on high contrast. And this, which is obviously hilarious (once again), and annoying for their teachers, needs disabling.

As with the ease of access button, these options are designed for the disabled. So there is no mechanism for doing this. I had great fun working out how to do this via group policy.

Caveats

1. This uses Group Policy Preferences, so your domain needs to be at least 2008.

2. This assumes your clients are Windows 7 if your client OS’s are earlier, you need to install the Client Side Extensions.

If you don’t have a 2008 domain, you can still disable these options via the registry, click here

If you want to import a Group Policy Object to do this, click here.

Solution

Disable Accessibility via Group Policy

Note: creating the policy is VERY time consuming and soul destroyingly boring! I’ve pre-written it for you download this file.

1. Once you have downloaded the file above, extract it to the desktop of your domain controller.

2. Launch the “Group Policy Management Console”.

3. Create a policy, and either link it to the domain or the OU that contains the users you want to enforce the policy on, (Or edit an existing policy).

4. Right click the policy you are working with, and select edit.

5. Right click the policy > Properties > Take note of the policy’s “Unique name”.

6. Now you need to locate the policy itself, click Start > in the search run box type:

[box]{your domain name}sysvol{your domain and extension}policies[/box]

e.g. My test domain ins domaina.com so the command I would use is domainasysvoldomaina.compolicies

7. Once there locate and open the folder that has the same unique name as the policy you noted down in step 5. Within that folder open the “User Folder. Then from the file you extracted above copy the “Preferences” Folder into the “User” Folder.

So now your policy will look like:

{CFE1314E-A13B-4E31-9EC5-FD9028D21945} Yours will have a different name! — Machine — User —- Preferences —— Registry ——– Registry.xml

8. That’s you finished. if you want to see what the policy is doing, go back the the Group Policy Management Console > Edit the policy and navigate to:

[box]User Configuration > Preferences > Windows Settings > Registry[/box]

There you will see all the registry keys that this policy resets (and I had to configure, one by one!).

Disable Accessibility via the Registry

1. Download this file containing the registry files, and extract it onto your target machine.

2. Within the extracted files you will find a folder called “Registry Keys”. There are two called AccessibilityOFF and AccessibilityON (As the name suggests, the fist disables the settings, and the second reinstates them). Simply double click them to merge them into the registry.

Disable Accessibility via Group Policy

Import the following file and save it with a .adm extension.

[box]

CLASS MACHINE
CLASS USER
CATEGORY "Control Panel"
CATEGORY "Accessibility Lockdown"
KEYNAME "SoftwarePoliciesAccessibility"
POLICY "Automatic Reset"
KEYNAME "SoftwarePoliciesAccessibility"
VALUENAME "TimeoutConfig"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control PanelAccessibilityTimeout"
VALUENAME "Flags"
VALUE "3"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control PanelAccessibilityTimeout"
VALUENAME "Flags"
VALUE "2"
END ACTIONLISTOFF
PART "Timeout after idle for" DROPDOWNLIST
REQUIRED
KEYNAME "Control PanelAccessibilityTimeout"
VALUENAME "TimeToWait"
ITEMLIST
NAME "5 minutes"
VALUE "300000"
NAME "10 minutes"
VALUE "600000"
NAME "15 minutes"
VALUE "900000"
NAME "20 minutes"
VALUE "1200000"
NAME "25 minutes"
VALUE "1500000"
NAME "30 minutes"
VALUE "1800000"
END ITEMLIST
END PART
END POLICY
POLICY "Disable StickyKeys (including shortcut)"
KEYNAME "SoftwarePoliciesAccessibility"
VALUENAME "StickyKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control PanelAccessibilityStickyKeys"
VALUENAME "Flags"
VALUE "506"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control PanelAccessibilityStickyKeys"
VALUENAME "Flags"
VALUE "510"
END ACTIONLISTOFF
END POLICY
POLICY "Disable FilterKeys (including shortcut)"
KEYNAME "SoftwarePoliciesAccessibility"
VALUENAME "FilterKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control PanelAccessibilityKeyboard Response"
VALUENAME "Flags"
VALUE "122"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control PanelAccessibilityKeyboard Response"
VALUENAME "Flags"
VALUE "126"
END ACTIONLISTOFF
END POLICY
POLICY "Disable ToggleKeys (including shortcut)"
KEYNAME "SoftwarePoliciesAccessibility"
VALUENAME "ToggleKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control PanelAccessibilityToggleKeys"
VALUENAME "Flags"
VALUE "58"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control PanelAccessibilityToggleKeys"
VALUENAME "Flags"
VALUE "62"
END ACTIONLISTOFF
END POLICY
POLICY "Disable High Contrast (including shortcut)"
KEYNAME "SoftwarePoliciesAccessibility"
VALUENAME "HighContrastLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control PanelAccessibilityHighContrast"
VALUENAME "Flags"
VALUE "122"
VALUENAME "Pre-High Contrast Scheme"
VALUE ""
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control PanelAccessibilityHighContrast"
VALUENAME "Flags"
VALUE "126"
END ACTIONLISTOFF
END POLICY
POLICY "Disable MouseKeys (including shortcut)"
KEYNAME "SoftwarePoliciesAccessibility"
VALUENAME "MouseKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control PanelAccessibilityMouseKeys"
VALUENAME "Flags"
VALUE "58"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control PanelAccessibilityMouseKeys"
VALUENAME "Flags"
VALUE "62"
END ACTIONLISTOFF
END POLICY
END CATEGORY
END CATEGORY

[/box]

Related Articles, References, Credits, or External Links

NA