Access Denied: Disabling Group Policy

I've heard about a registry setting that local users can configure to prevent their computers from applying security settings and other restrictions that we've defined in Group Policy. Does such a setting exist? Could users use other techniques to disable Group Policy?

You're referring to a registry value that existed in a beta version of Windows 2000. The setting was a REG_DWORD value under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System registry subkey; the value was called DisableGPO and set to 1. However, this tweak has no effect on the final release of Windows XP or Win2K. The computer always applies Group Policy whether or not this value exists.

With regard to other techniques by which users could circumvent Group Policy, no methods have been published. I've tested some likely methods, but I've never succeeded in disabling Group Policy even when using the local administrator account. For example, the most obvious possible method for disabling Group Policy is deleting the program that applies it—gpupdate.exe on XP or secedit.exe on Win2K. But deleting these files simply causes Windows File Protection (WFP) to replace them.

I've also tried to deny everyone access to these files. Doing so prevents me from refreshing Group Policy manually but doesn't stop the system from applying Group Policy, including changes made to Group Policy after I denied access to secedit.exe or gpupdate.exe. Group Policy is deeply embedded in the OS and can't easily be circumvented by users or local administrators.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.