Pause Group Policies


This utility pauses group policies so that an admin can work on a locked-down machine under a user's ID. In most cases, locked-down items will include tools such as system configuration tools and registry editing. Logging in as a local admin to make the change is time-consuming and more disruptive to the user than necessary. Moreover, the HKCU (HKEY_CURRENT_USER) hive of the registry, which contains the user's settings, is only accessible when logged in as the user. Looking at that key would involve changing the user to a local admin, having them log out and back in to refresh the policies, and then reversing the process when finished. By using this utility an admin can temporarily suspend the Group Policies, make the changes, and then resume them, without undue disruption. There is no configuration involved.

To use:

Just run the executable. It will ask for the password of the local "Administrator" account, and then run itself as Administrator. It then makes a backup of the current Group Policies and then sets the current policies back to the Windows XP defaults. A notification is left on the screen to click 'OK' when finished. When the admin is finished, clicking 'OK' will reset the policies back to the state prior to running the utility.

4-13-06 Update: I've removed the DOS window, added some prettier errors, and allowed four attempts at entering the password before it bails. Below is some corrected information for the tool post, with items removed that are no longer applicable.

Things you should know:

A .dll file will be extracted to the directory that the utility is run from, if it is not already there.

The utility will run only on Windows XP (and maybe 2000, though it hasn't been tested on that platform).

PausePol.exe must be run from a locally accessible drive (hard drive, floppy, USB, etc.). It can't be run from a network volume, as "Administrator" most likely has no network rights. I have pushed it via ZEN to the System32 directory on all of our machines.

FYI - As I'm sure the kids already know, if the user has write access to System32, or to the GroupPolicy folders, they can already do this manually. You need to make sure those directories are locked down to Read/Execute for those users. If they have the "Administrator" password already, the jig is up as well. But all things being typical, this is a very quick, convenient, and SECURE way of pausing Group Policies.
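
To verify the lock-down described above, the following added example (not part of PausePol or the original post) lists every Allow ACE that grants write-capable rights on System32 and the local GroupPolicy folders to anyone other than the expected system principals. The folder paths, the trusted-SID list and the function name Get-WritableAce are assumptions made for this illustration; it needs PowerShell 2.0 or later.

```powershell
# Added example: audit the folders that must be Read/Execute-only for users.
# Assumes the default local policy location under %SystemRoot%\System32.
$targets = 'System32', 'System32\GroupPolicy', 'System32\GroupPolicy\User',
           'System32\GroupPolicy\Machine' | ForEach-Object { Join-Path $env:SystemRoot $_ }

# SIDs expected to hold write access (SIDs are locale-independent).
$trusted = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0',        # CREATOR OWNER (only matters if the creator could write at all)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller (Vista+)
)

# Any of these bits lets the holder change the folder's contents or its ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # raw GENERIC_WRITE, GENERIC_ALL

function Get-WritableAce {
    param([string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) { continue }          # folder absent: nothing to audit
        # Explicit and inherited rules, with principals returned as SIDs.
        foreach ($ace in (Get-Acl $p).GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            # Resolve the SID to a name for display; keep the raw SID if that fails.
            $name = $ace.IdentityReference.Value
            try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            New-Object PSObject -Property @{
                Path = $p; Principal = $name; Rights = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-WritableAce -Path $targets)
if ($findings.Count -eq 0) { 'No write-capable ACEs for non-admin principals.' }
else { $findings | Format-Table Path, Principal, Rights, Inherited -AutoSize }
```

Deny entries are not evaluated, so each finding is a prompt to inspect that folder's ACL rather than proof that the principal can write.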

