System Administrator Restrictions

Who is this Administrator?

Suppose that one day you want to change something in your operating system: for example, you want to use the registry editor to cleanly uninstall a program. Instead of the registry editor window, a message appears telling you that your Administrator has disabled registry editing:

Registry editing has been disabled by your administrator.

Now you are probably wondering who the heck this Administrator is and why he is disabling your registry. Last time you checked, you were the sole owner of the computer, and you don't remember making any changes that could have caused this.

Did a hacker become the owner of your machine without your knowledge?

If you are not using a corporate computer and you suspect this, you are probably very close to the truth.

A Windows restriction is also called a group policy. The name comes from the fact that Microsoft created these settings to manage permissions for large groups of users inside corporate networks through the Active Directory system.

Let's take, for example, a company that has two main user categories: Sales and Technical Support. You want to protect the users in the Sales department from unintentionally harming their computers, so you disable the use of the registry editor and the command prompt for their group. At the same time, you know that the Technical Support people need the registry editor in their work, so you leave it available to them.

Tip: If you are using XP Professional, Media Center or Windows Vista, go to Start, click Run (or press Windows Key+R) and execute gpedit.msc. You will discover a brand new universe of hundreds of settings that, if you are technical enough and like to play with your computer, you'll probably start using right away ;).

Windows XP Home edition users will not be able to use the gpedit.msc utility; however, they can still use the registry to add or remove group policy restrictions. These settings are located mainly in four registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\Software\Policies

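If the registry editor has been disabled, you can still use the reg command to bring it back. The first command below removes the entire per-user Policies key, the next two remove individual restriction values, and the last one re-creates the empty per-user key: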

reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies /f
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies /v "" /t REG_SZ /d ""
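
Before running the delete commands above, it helps to see which restrictions are actually set under the four keys and to keep a backup of them. The following is an added example, not part of the original article; it assumes PowerShell is installed (it is not present by default on Windows XP), and the function names and backup folder are made up for illustration.

```powershell
# Added example (not from the original article): read-only audit and backup
# of the four policy keys listed above. Nothing is deleted or modified.
$policyRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKLM:\Software\Policies'
)

# Values that block repair tools. NoFolderOptions and DisableSR appear in the
# article's commands; DisableRegistryTools and DisableCMD are the standard
# Windows value names for the registry editor and command prompt restrictions.
$lockoutValues = 'DisableRegistryTools', 'DisableCMD', 'NoFolderOptions', 'DisableSR'

function Get-PolicyValue {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                [pscustomobject]@{
                    Key     = $key.Name
                    Value   = $name
                    Data    = $data
                    # A restriction is active when its value is non-zero.
                    Lockout = ($lockoutValues -contains $name) -and ("$data" -ne '0')
                }
            }
        }
    }
}

function Export-PolicyBackup {
    param([string[]]$Roots, [string]$Directory)   # $Directory: hypothetical backup folder
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $regPath = $root -replace '^(HK\w\w):', '$1'          # HKCU:\... -> HKCU\...
        $file = Join-Path $Directory (($regPath -replace '\\', '_') + '.reg')
        & reg.exe export $regPath $file /y | Out-Null          # /y overwrites an old backup
    }
}

Export-PolicyBackup -Roots $policyRoots -Directory "$env:TEMP\policy-backup"
Get-PolicyValue -Roots $policyRoots | Sort-Object Lockout -Descending | Format-Table -AutoSize -Wrap
```

Rows with Lockout set to True are the restrictions that keep you out of repair tools; on a home computer that you administer yourself, those are the entries to investigate before removing anything.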