1.    18 Jul 2016 #1
    Join Date : Jul 2016
    Posts : 5
    Windows 10

    Locking down power option for non-admins in control panel

    We used to use Fortres Grand to lock down our Windows XP and 7 desktops and with Windows 10 I am trying to move away from it and rely mainly on the built-in windows security. I have mostly everything how I want it in the Windows 10 sysprep image I'm building except for the power option.

    First of all, I cannot figure out how to lock down the new "Immersive control panel" aka "System Settings" aka "systemsettings.exe" aka "PC Settings" ... I tried multiple methods of using AppLocker and failed. My next try was just going to be altering the security of the systemsettings.exe. Ideally I'd leave it open though and only lock down the things that I see as potentially causing a problem, which so far is mainly the power options.

    It would appear that standard users have the rights to change power options. It's hard to get a read on the internet whether or not this is normal as most searches on the topic refer to Windows XP, but if I log on as a standard user and change the sleep setting, for example, it applies to everyone. I can set the sleep setting in group policy and then it locks it down, but then if this build gets used on someone's assigned laptop (where we would give them administrator rights), they wouldn't be able to change the power options.

    The other problem I've run into with locking down the settings via group policy is it would appear I need to lock down *all* of the settings as standard non-admin users can also go into the advanced "power options" (powercfg.cpl) and change things like the "hard drive sleep" time. My current solution if I can't find a better one is going to be to lock down the settings available from the "immersive control panel" via group policy and then change the security options on powercfg.cpl. Seems ugly though.
      My System SpecsSystem Spec

  2.    18 Jul 2016 #2
    Join Date : Jun 2016
    Los Angeles
    Posts : 247
    Windows 10 Pro

    Use Group Policy Editor:
    Using Group Policy to Enforce Power Settings

    As you know, administrators can enforce specific settings using Group Policy in Windows Vista. This, of course, can be used to set power-related features, such as display and system sleep settings.
    The advantage of using Group Policy to configure power settings is that Windows Vista will use the values specified by Group Policy, preventing end users from changing the settings. If the user attempts to make a change, the Windows Vista Power Options Control Panel informs him that the selected power policies may not be changed because they are enforced by the administrator.
    While Windows Vista does let the user switch between power plans (such as battery saver and balanced), the administrator can use Group Policy to enforce specific settings within those power plans. Even if the user changes power plans, the Group Policy power setting is enforced.
    To enforce a power setting using Group Policy, use the Group Policy Management Console to edit a new or existing Group Policy Object (GPO). The power management policies are located in Power Management, under Computer Configuration | Administrative Templates | System | Power Management. Note that there are no power management policies under User Configuration in Windows Vista.
    Each power setting lets you specify separate values for when the computer is plugged-in (AC) or running on battery power (DC).
      My System SpecsSystem Spec

  3.    18 Jul 2016 #3
    Join Date : Jul 2016
    Posts : 5
    Windows 10

    Thank you for the reply, but I believe you missed much of my post because I already talked about my group policy experience.
      My System SpecsSystem Spec

  4.    21 Jul 2016 #4
    Join Date : Aug 2015
    Posts : 3
    Windows 10 Enterprise x64

    Instead of blocking the settings app, you could use powercfg to set appropriate security descriptors on the power schemes and actions. This way, you can ensure that the power settings cannot be changed from a standard user account regardless of the application doing it.

    For example,
    powercfg /SETSECURITYDESCRIPTOR 381b4222-f694-41f0-9685-ff5bb260df2e O:BAG:SYD:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;CO)(A;CI;KR;;;AC)
    on my local account stops all of the settings from being changed for the Balanced power plan unless I elevate. Something similar could be done with the remaining plans and restricting ActionCreate would stop new plans from being created. My SDDL game is quite weak, but the one in that example is the default Windows 10 one, but I replaced the first "KRKW" with "KR" which there removes the write right and only allows members of the built-in Users group to just read the settings. Since members of the built-in Administrator group have full access (KA), this doesn't affect elevated users.
      My System SpecsSystem Spec


Similar Threads
Thread Forum
Difference in Control Panel\All Control Panel Items\Personalization
Good evening, I've noticed a difference in Control Panel\All Control Panel Items\Personalization between editions of Windows 10. My wife's laptop is running Windows 10 Home, and her personalization screen looks like this: 73873 I'm...
Blcok standard user from control panel locking admin out too..HELP!
Hi everyone first post here, and first time here as well. Thank you. I am trying to "lock down" standard user accounts from being able to use the control panel sop they cannot change settings on a shared work computer. I created the account and...
User Accounts and Family Safety
Solved switch user option on power option list or on start menu list
Can I use switch user option on power option list or on start menu list ?
User Accounts and Family Safety
Control Panel/Programs & Features/Power Options/System do not open
I installed an application "Clone File Checker" and uninstalled that using "iObit Uninstaller" with Power Unistall" option. After that, i am not able to open Control Panel, Programs & Features, Power Options and System from the Start Menu. Clicking...
General Support
control panel
I have 10130 and am surprised to still have the control panel, although the icon has changed. Has anyone still got theirs?
General Support
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 12:14.
Find Us
Twitter Facebook Google+

Windows 10 Forums