How to show or hide Control Panel items in Windows 7 using Group Policy

One of the common lockdowns that administrators apply to Remote Desktop Services servers (a.k.a. Terminal Services (a.k.a. Citrix)) is to remove all but the essential Control Panel items.

Prior to Windows 7 you had to specify the .cpl file name (e.g. timedate.cpl) of the Control Panel item you wanted to show or hide. This has changed in Windows 7, and you now need to use the canonical name when hiding or showing specific items.

Below I will explain the new way of configuring Control Panel items for Windows 7 and show you the effect that this has on the Control Panel.

Before you begin, I recommend that you take a look at http://msdn.microsoft.com/en-us/library/ee330741(VS.85).aspx, which lists all the canonical names for the Control Panel items in Windows 7. You will need to know the canonical name of the item you want to restrict or allow.

Note: In this example we are only going to show the Control Panel items we want to see (white list); however, if you use the Hide specified Control Panel items policy setting you can black list only the items you don’t want listed.

Step 1. Edit the Group Policy object that is applied to the users to whom you want to apply the Control Panel configuration.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Control Panel

Step 3. Double-click the Show only specified Control Panel items setting, check Enabled, and then click the Show button.


Step 4. Now that you have the Show Contents dialog box open, visit the web page that lists the names, Canonical Names of Control Panel Items, and copy the canonical name for the Control Panel item you want to display.

Paste the canonical name of the Control Panel item you want to show into the Value field and click OK.


You will now see that the only available Control Panel item is Region and Language.


However, this view is somewhat confusing for users, as they can still click on a category but there are no items to display.


To get around this problem, also enable the Always open All Control Panel Items when opening Control Panel setting (a.k.a. Force classic Control Panel) in the same GPO.

Note: This option is probably not needed if you used the Show only specified Control Panel setting instead.


Now when the users open control panel they will only see the specific control panel items you have allowed without the empty categories.
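To confirm on a target machine that the settings from the steps above took effect, the following PowerShell check reads them back for the logged-on user. It is an added example, not part of the original article; the registry key and the value names (RestrictCpl, RestrictCplList, DisallowCpl, DisallowCplList, ForceClassicControlPanel) are assumptions about where these three policy settings are stored.

```powershell
# Added example: audit the Control Panel restrictions applied to the current user.
# Assumption: the three policy settings are stored under the Explorer policy key below.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyFlag {
    param([string]$Name)
    # True only when the DWORD value exists and is set to 1.
    $item = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

function Get-PolicyList {
    param([string]$SubKey)
    # Each list entry is a string value under the subkey; return the data only.
    $key = Get-Item -Path (Join-Path $base $SubKey) -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

$report = [pscustomobject]@{
    ShowOnlyEnabled = Get-PolicyFlag 'RestrictCpl'
    ShowOnlyItems   = @(Get-PolicyList 'RestrictCplList')
    HideEnabled     = Get-PolicyFlag 'DisallowCpl'
    HideItems       = @(Get-PolicyList 'DisallowCplList')
    ForceAllItems   = Get-PolicyFlag 'ForceClassicControlPanel'
}
$report | Format-List

# .cpl file names are the pre-Windows 7 convention described in the article.
foreach ($entry in ($report.ShowOnlyItems + $report.HideItems)) {
    if ($entry -match '\.cpl$') {
        Write-Warning "'$entry' is a .cpl file name; Windows 7 expects a canonical name."
    }
}

# An enabled white list with no entries leaves users with no items at all.
if ($report.ShowOnlyEnabled -and $report.ShowOnlyItems.Count -eq 0) {
    Write-Warning 'Show only specified Control Panel items is enabled with an empty list.'
}

# Without the All Control Panel Items view, users still see empty categories.
if ($report.ShowOnlyEnabled -and -not $report.ForceAllItems) {
    Write-Warning 'Category view is still active; users will see empty categories.'
}
```

Run it in the restricted user's session after a Group Policy refresh, since these are per-user settings.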


Author: Alan Burchill

Microsoft MVP (Group Policy)

14 thoughts on “How to show or hide Control Panel items in Windows 7 using Group Policy”

  1. So if you need 1 policy that locks down both XP users and Win 7 users, you need to add both sets of entries to the GPO?

  2. Is there a document which specifically outlines why control panel items should be hidden? What is the security risk of leaving them exposed? If users are logging onto a Windows 7 workstation as a regular user, not a local admin, is it really necessary to hide control panel items? Can someone point me to a best practices or justification document for hiding control panel items?

  3. I use the “show only specific items” GPO. How can I enable the “igfxcpl.cpl” (Intel Extreme Graphics)? Using the filename doesn’t work.

  4. Hello. I want to know how I can show the Java control panel item with this GPO.
    Thank you very much.
