Guide: How to disable Group Policy Client for Windows 7

(WARNING: This guide is for experienced users only, and you patch Windows system files at your own risk!)

In certain circumstances you may want to disable the Group Policy Client Service, especially when you have to join a domain where the domain administrator has set some really annoying policies (e.g. locking your Start Menu and Taskbar configuration).

This guide can help you disable the Group Policy Client Service completely for Windows 7.

<> Step 1: Prevent the Group Policy Client Service from running.

1. Log on to Windows as Administrator.
2. Run “regedit.exe”.
3. Locate key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\gpsvc”.
4. Right click -> Permissions -> Advanced, first change the owner to yourself, then grant Administrators full control.
5. Change the value of “Start” from “2” to “4”.

The next time you reboot your system, the Group Policy Client Service will not run. But don’t reboot just yet: whenever Windows finds that the Group Policy Client Service is not running, it prevents all Standard Users from logging on. Even if you log on as Administrator, Windows pops up an error notification complaining “Failed to connect to a windows service” every time (as shown in the following figure). So you still need to do Step 2.


<> Step 2: Patch the “winlogon.exe” file to eliminate the error notification and allow Standard Users to log on to Windows.

Note: You must first take ownership and full control of the file “C:\Windows\System32\winlogon.exe” before you can do the steps below.

1. Log on to Windows as Administrator.
2. Copy “C:\Windows\System32\winlogon.exe” to another place. (e.g. X:\)
3. Apply the GPC patch (link supplied below) to the copied “X:\winlogon.exe”.
4. Rename the original file “C:\Windows\System32\winlogon.exe” to another name. (e.g. winlogon_original.exe)
5. Copy the patched file from “X:\winlogon.exe” to “C:\Windows\System32\winlogon.exe”.

[2012-05-31 Update]
There is a much simpler way to do Step 2, without patching any Windows system file at all.

<> New Step 2: Edit the Registry to eliminate the error notification and allow Standard Users to log on to Windows.

1. Log on to Windows as Administrator.
2. Run “regedit.exe”.
3. Locate key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\GPClient”.
4. Right click -> Permissions -> Advanced, first change the owner to yourself, then grant Administrators full control.
5. Delete this key. (Before deleting you can export this key to make a backup.)

Now everything is taken care of. It is time to reboot your system and enjoy the freedom from Group Policy constraints! BTW: Remember to keep a low profile, and don’t let your Domain Admin find out! :P
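
Seen from the administrator's side, Step 1, New Step 2, and the gpsvc.dll rename suggested in the comments each leave a trace that can be checked on the host. The read-only PowerShell audit below is an added example, not part of the original post; the function names are hypothetical, and the registry paths and values are the ones given in this guide.

```powershell
# Added example: read-only audit for the changes this guide describes.
# Run from an elevated PowerShell prompt on the machine being checked.
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\services\gpsvc'
$notifyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\GPClient'
$dllPath   = Join-Path $env:SystemRoot 'System32\gpsvc.dll'

# Hypothetical helper: owner of a registry key, or a marker if it cannot be read.
function Get-KeyOwner([string]$Path) {
    try { (Get-Acl -Path $Path -ErrorAction Stop).Owner } catch { 'missing or unreadable' }
}

function Test-GpClientTampering {
    $findings = @()

    # Step 1: "Start" changed from 2 (automatic) to 4 (disabled).
    if (Test-Path $svcKey) {
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -ne 2) { $findings += "gpsvc Start is '$start', expected 2" }
    } else {
        $findings += 'gpsvc service key is missing'
    }

    # New Step 2: the GPClient Winlogon notification key is deleted.
    if (-not (Test-Path $notifyKey)) { $findings += 'GPClient notification key is missing' }

    # Variant from the comments: gpsvc.dll renamed so the service cannot start.
    if (-not (Test-Path $dllPath)) { $findings += "gpsvc.dll not found at $dllPath" }

    # Both registry steps begin by taking ownership of the key, so the owner is
    # reported for comparison with a known-good machine (no baseline is assumed).
    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        Tampered         = ($findings.Count -gt 0)
        Findings         = $findings
        GpsvcKeyOwner    = Get-KeyOwner $svcKey
        GPClientKeyOwner = Get-KeyOwner $notifyKey
    }
}

Test-GpClientTampering |
    Format-List Computer, Tampered, Findings, GpsvcKeyOwner, GPClientKeyOwner
```

The patched winlogon.exe from the original Step 2 is not covered by these checks; `sfc /verifyfile=C:\Windows\System32\winlogon.exe` reports whether that file still matches the protected system copy.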


Win7 GPC x64 (64 bit) Patch Download:
http://ayuanx.webs.com/patch/GPC_Win7_x64_Patch.rar
Win7 GPC x86 (32 bit) Patch Download:
http://ayuanx.webs.com/patch/GPC_Win7_x86_Patch.rar


37 Responses to Guide: How to disable Group Policy Client for Windows 7

  1. DD says:

    Thank you for this tip.

    Will this work for Windows 7 x32, too? I’ve tried to run your patch against my winlogon.exe, but it says “nothing patched” (and the file doesn’t look modified)… :-/

    • AyuanX says:

      Unfortunately it doesn’t work for Win7 32bit, because I don’t have a 32bit version installed.
      I recommend you install the 64bit version if you have 4GB (or more) memory to fully utilize the capacity.

  2. DD says:

    Thank you. Unfortunately, we are in a VM environment here, and capacity is limited… :-(

  4. Emil says:

    hi,

    i have to use windows 7 32bit version…. if i send u the winlogon.exe file for 32bit can you patch it for me too? please!

    thanks in advance

  5. emil says:

    i’ll try it and tell u later about the result
    thanks a lot for ur fast patch :)

  6. emil says:

    all ok since now :)
    cheers

  7. emil says:

    i have administrator rights on the account used. also i know for sure that i had access to the firewall settings because before i installed the patch i did set up some rules (like drop icmp, remote access from an unique ip etc)
    if u want me to do some test i’m ready – just say what to do :)

  8. emil says:

    Unfortunately I’m not so good as u to this (meaning i know stuff about windows), but I can’t modify files or figure out things so deep in the registry like you…..

  9. emil says:

    hi again,

    i can tell u the patch is working excellent (no problem until now) except the firewall part
    thanks a lot

  10. Steve says:

    You are a moron for providing this information for the reasons you give. Do you think companies employ network administrators to hinder you? No. They employ them to make systems work as smoothly as possible for everyone’s, including your, benefit.
    Well done – so you can now access the control panel and mess around with your start menu, but what about the less obvious group policies that may be applied to configure essential settings for applications you need, or changes required to ensure that critical updates are applied? It’s arrogant beyond belief to think that you have the right, and that you should mess around with your employer’s property in a destructive manner because you don’t understand or agree with the way they run things.

    • AyuanX says:

      Thank you for your opinion. Appreciate it. Mr. Administrator.

    • Wayne says:

      Sorry, but any network admin who complains about this is a moron. For the simple fact that you need to have been given admin access on the machine in the first place. And you are wrong, lazy, incompetent, and arrogant network admins who have no business sense do not care if they hinder users or reduce productivity. I especially hate dickheads who think they are being ultra secure by making everyone change their passwords each month, or those bastards who like to make themselves look good on paper by buying the shittiest cheap computers even for power users.

  11. hedwig says:

    Hi, thanks for the amazing post. I have a question which may or may not be related to this post. Is it possible to prevent domain admins from automatically installing stuff on Windows 7 client?

  12. Joven says:

    yeah, agree with steve, the author is a moron, doesn’t know anything, does he think domain admin will let idiot like him run unwanted policy/services (regedit, gpedit…etc…) or messing the system.

    ehehehhe…”/ peace

    • francis says:

      Seriously. GPO is for lazy sysadmins who want every machine to be the same. Makes their job easier and end users job much harder. Meanwhile they’re using sleek customized rigs – hypocritical. Come on guys.

  13. VermeersBeard says:

    No, Steve & Joven, you are the idiots for thinking you can lock down your network and clients when the client machine is physically in the hands of your users. Your data is already “out there” and the client device is already owned. Users use DropBox, GMail, SalesForce.com, etc. to get their work done and to live and work their way. Same reason they will use this. If you try to control people into a corner where they can’t work and live their way, they’ll leave your arena and leave you alone with no users and then no job. Remember, we work for the users and technology is to serve them. When control freak admins go too far, tweaks like this emerge and can’t be kept back.

    Thanks, AyuanX I salute you for spreading the word! Oh, by the way, ever hear of Brian Madden (BrianMadden.com)? He also says this same stuff… You think your little Windows Domain is secure and GPOs are the God Power? Nope, your users are already ahead of you… it’s as easy as using Google!

  14. Johnnie says:

    Y’know, there is an easier way…. Just take ownership of %SystemRoot%\system32\gpsvc.dll, give yourself all rights and then rename the file. You probably want to retain some of the original name and make it obvious the file has been renamed but, after that, you don’t have to make any registry changes, etc.. The Group Policy Client service will still say that it is started automatically, but it will also indicate that it hasn’t started. Mission accomplished!

  15. Aneno says:

    Thank you AyuanX so much for this post. But what about windows xp (sp3) client?!!
    Is it the same process ??

  16. Aneno says:

    There is no gpsvc key in windows xp. So please… what should I do??

  17. Kiwi says:

    Hi,
    The GPC_Win7_x64_Patch.rar can not be downloaded again.
    Can you re-upload the file? Thank you.

  18. Kiwi says:

    AyuanX, thank you. ^^

  19. valser45 says:

    Hi, the original post looks fine, got to the gpsvc key, changed its value as indicated. But when leaving regedit, it says this key’s value cannot be changed. Any idea? Is it again GP?

    Thanks and regards, valser45

  20. abdul aziz says:

    Hello sir
    Please clarify my doubt. My company has locked all computers and set them to domain logon; whenever I use the Group Policy Editor or install software, it asks for a user name and password. I cannot enable anything; my company has locked all those things and also the internet. I can access only email and the company program; I cannot use any website on my computer. So please help and teach me to remove the user name and password and also to access all websites. Please help me, admin.
    thanks

  21. Sennju says:

    Hello,

    Thanks for the trick it works well.
    Now I wonder how to do it on Windows 10 x64
    I mean I have a windows 7 x64 with GPO disabled, if I upgrade to windows 10 at first it seems that the GPO is still disabled but as soon as you restart the computer, the gpo is pushed.

    thanks
