We are running NT 4.0 with Windows 95 workstations. Through our login script I am trying to control access to the Control Panel when a student logs on versus staff. When I run the script for the students, it indicates it has imported successfully and the control panel is not accessible. However, when I run the staff login, even though it indicates the import has run successfully and when I look at the registry the particular key for the control panel access has been changed to enable, it still says it is inaccessible when you try to access it. These are the keys used:
Disable control panel:[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\System]
"NoDispCPL"="1"
To enable the control panel, I have a script with the same key except the value is 0 to enable.
Does anyone have any ideas why the Control Panel is still not accessible? I would appreciate any help!

Your logic is sound, but I believe that this reg key change requires a reboot to take effect. Unfortunately, that suggests that there is no straightforward way to accomplish your objective. The "brute force" approach seems like your only recourse--modify the script to rename the extensions to all .cpl files in the \windows\system folder to something innoculous, like .plc, and as an added precaution, move those files to some out-of-the-way folder (\sysbackup perhaps?)

Regards...

I work for a small school system and have the same issue

try running these edits in the NT login script
(note.... the login script runs before explorer loads, so the changes take effect without having to reboot)

also... the script that I have included does a little more than just get rid of the control panel... but use whatever parts of it you need
(I belive the "nosetfolders" is actually the only part that you need if you are only looking to get rid of the control panel)


FOR THE STUDENTS:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoDrives"=hex:00,00,00,00
"nofind"=dword:00000001
"norun"=dword:00000001
"nosetactivedesktop"=dword:00000001
"nosetfolders"=dword:00000001
"nonethood"=dword:00000001

FOR THE STAFF
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
"NoDrives"=hex:00,00,00,00
"nofind"=dword:00000000
"norun"=dword:00000000
"nosetactivedesktop"=dword:00000001
"nosetfolders"=dword:00000000
"nonethood"=dword:00000000

Thanks for the info. I will try it within the next day or so. Appreciate your help!

One question:

How are you implementing this? .reg files?

Would using policies (config.pol) instead produce a more customizable and controllable effect? This way you can have just one file that is read every time (put it in the netlogon share of the domain controllers), and you can define groups, individual users, and priority.

I admit, policies can be a bit flaky at times, but for what you're doing, they may be a better solution.





---
Joseph Volence
MCP & A+ certified
rocker6@earthlink.net

Yes, I'm using .reg files. We tried using the policy editor and config.pol, but flaky isn't the word for the problems we encountered! It was a nightmare so we scrapped that method of security. Thanks for your response!

This works, though I am a little mystified. I have set up the .reg file using all parameters you had to be executed in my login script. I get a message indicating the information has been successfully entered into the registry. The control panel is not accessible and network neighborhood is gone. However, when I go to that key, the only thing changed to (1) is nosetactivedesktop. Where is it pulling the changes from?
Maybe you can help with a couple of other things. Though the Control Panel is inaccessible, students can still right click on the desktop and change settings. Do you know a key that would prohibit them from access at the desktop?
Another problem we have is students deleting icons or renaming them. I've tried the NoSaveSettings, but it doesn't seem to work even after reboot. Any other ideas?
Thanks again for your help.

honestly... I never went back to check the registry settings after making the changes.... when everything worked as I wanted, I simply assumed the changes were made permanent

I actually have 3 levels of security currently in use. The student that I sent you IS used for the students, the Staff is actually used for the administrators, and teachers have yet to be set up. For the time being, the staff retains the settings of the last person to have logged onto the computer (student or admin)
(this is why I assumed the changed were made permanent... perhaps you will see the changes when you reboot ?)

All of the other security concearns (right-click, saving, renaming, etc...) are controlled by a security program named Fortres
It's a relatively inexpensive program that allows fairly good lockdown of workstations
Depending on the number of computers you are securing, it is probably in your best interrest to also get the "Central Control" software so that changes made on one workstation are pushed to all of the others.
You can get a trial of the software from www.fortres.com

I work for a school system and used an .inf file to change the registry for me. In the batch job to run the script, I executed the following line:

rundll32 {inf file path and name},InstallHinfSection DefaultInstall 132

and all of the registry updates installed.