We used to use Fortres Grand to lock down our Windows XP and 7 desktops and with Windows 10 I am trying to move away from it and rely mainly on the built-in windows security. I have mostly everything how I want it in the Windows 10 sysprep image I'm building except for the power option.
First of all, I cannot figure out how to lock down the new "Immersive control panel" aka "System Settings" aka "systemsettings.exe" aka "PC Settings" ... I tried multiple methods of using AppLocker and failed. My next try was just going to be altering the security of the systemsettings.exe. Ideally I'd leave it open though and only lock down the things that I see as potentially causing a problem, which so far is mainly the power options.
It would appear that standard users have the rights to change power options. It's hard to get a read on the internet whether or not this is normal as most searches on the topic refer to Windows XP, but if I log on as a standard user and change the sleep setting, for example, it applies to everyone. I can set the sleep setting in group policy and then it locks it down, but then if this build gets used on someone's assigned laptop (where we would give them administrator rights), they wouldn't be able to change the power options.
The other problem I've run into with locking down the settings via group policy is it would appear I need to lock down *all* of the settings as standard non-admin users can also go into the advanced "power options" (powercfg.cpl) and change things like the "hard drive sleep" time. My current solution if I can't find a better one is going to be to lock down the settings available from the "immersive control panel" via group policy and then change the security options on powercfg.cpl. Seems ugly though.
Use Group Policy Editor:
Using Group Policy to Enforce Power Settings
As you know, administrators can enforce specific settings using Group Policy in Windows Vista. This, of course, can be used to set power-related features, such as display and system sleep settings.
The advantage of using Group Policy to configure power settings is that Windows Vista will use the values specified by Group Policy, preventing end users from changing the settings. If the user attempts to make a change, the Windows Vista Power Options Control Panel informs him that the selected power policies may not be changed because they are enforced by the administrator.
While Windows Vista does let the user switch between power plans (such as battery saver and balanced), the administrator can use Group Policy to enforce specific settings within those power plans. Even if the user changes power plans, the Group Policy power setting is enforced.
To enforce a power setting using Group Policy, use the Group Policy Management Console to edit a new or existing Group Policy Object (GPO). The power management policies are located in Power Management, under Computer Configuration | Administrative Templates | System | Power Management. Note that there are no power management policies under User Configuration in Windows Vista.
Each power setting lets you specify separate values for when the computer is plugged-in (AC) or running on battery power (DC).
Thank you for the reply, but I believe you missed much of my post because I already talked about my group policy experience.
Instead of blocking the settings app, you could use powercfg to set appropriate security descriptors on the power schemes and actions. This way, you can ensure that the power settings cannot be changed from a standard user account regardless of the application doing it.
For example,on my local account stops all of the settings from being changed for the Balanced power plan unless I elevate. Something similar could be done with the remaining plans and restricting ActionCreate would stop new plans from being created. My SDDL game is quite weak, but the one in that example is the default Windows 10 one, but I replaced the first "KRKW" with "KR" which there removes the write right and only allows members of the built-in Users group to just read the settings. Since members of the built-in Administrator group have full access (KA), this doesn't affect elevated users.Code:powercfg /SETSECURITYDESCRIPTOR 381b4222-f694-41f0-9685-ff5bb260df2e O:BAG:SYD:P(A;CI;KR;;;BU)(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;CO)(A;CI;KR;;;AC)