NT Gatekeeper: Restricting Access to Control Panel Applets

I want to restrict access to some or all of the Control Panel applets on machines running Windows NT Server or NT Workstation. Must I use system policies, or is another option available?

The System Policy Editor (SPE) contains two Control Panel—related settings that appear in the properties of user and group system-policy objects. The first setting—Restrict display—lets you restrict user access to the tabs of the Control Panel Display applet. The other setting—Remove folders from Settings on Start menu—lets you hide the Control Panel folder from a user's Start menu. Selecting this check box also hides the Printers folder on the Start menu.

If you want to restrict access to specific Control Panel applets, you can change the access control entries (ACEs) on the corresponding Control Panel extension file. All such files reside in the \%systemroot%\system32 folder and have a .cpl extension. To get a clear overview of these files, sort the content of the system32 folder by file type, then locate the files of type Control Panel extension. To change the ACEs, right-click the .cpl file and select Properties. Select the Security tab, and adjust the permissions as needed. Make sure that the System account keeps Full Control access. To automate this process, you can run cacls.exe from a logon or .bat script. For an overview of which .cpl file corresponds to which Control Panel applet, see the Microsoft article "HOWTO: Start a Control Panel Applet in Windows 95 or Later"

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.