part - 11 group policy

Disable High Contrast with Group Policy
Disable Accessibility Options with Group Policy

KB ID 0000472 Dtd 13/02/13

Problem

A few weeks back I wrote about a client who was having problems with kids at his school launching the ease of access button from the login screen. And how I disabled the ease of access button.

High Contrast

After a site visit it seems that the "little darlings" had now worked out that by pressing "Alt+Shift+Print Screen" they could turn on high contrast. And this, which is obviously hilarious (once again), and annoying for their teachers, needs disabling.

As with the ease of access button, these options are designed for the disabled. So there is no mechanism for doing this. I had great fun working out how to do this via group policy.

Caveats

1. This uses Group Policy Preferences, so your domain needs to be at least 2008.

2. This assumes your clients are Windows 7 if your client OS's are earlier, you need to install theClient Side Extensions.

If you don't have a 2008 domain, you can still disable these options via the registry, click here

If you want to import a Group Policy Object to do this, click here.

Solution

Disable Accessibility via Group Policy

Note: creating the policy is VERY time consuming and soul destroyingly boring! I've pre-written it for you download this file.

1. Once you have downloaded the file above, extract it to the desktop of your domain controller.

2. Launch the "Group Policy Management Console".

3. Create a policy, and either link it to the domain or the OU that contains the users you want to enforce the policy on, (Or edit an existing policy).

4. Right click the policy you are working with, and select edit.

5. Right click the policy > Properties > Take note of the policy's "Unique name".

6. Now you need to locate the policy itself, click Start > in the search run box type:

e.g. My test domain ins domaina.com so the command I would use is \\domaina\sysvol\domaina.com\policies\

7. Once there locate and open the folder that has the same unique name as the policy you noted down in step 5. Within that folder open the "User Folder. Then from the file you extracted above copy the "Preferences" Folder into the "User" Folder.

So now your policy will look like:

{CFE1314E-A13B-4E31-9EC5-FD9028D21945} Yours will have a different name!
-- Machine
-- User
---- Preferences
------ Registry
-------- Registry.xml

8. That's you finished. if you want to see what the policy is doing, go back the the Group Policy Management Console > Edit the policy and navigate to:

There you will see all the registry keys that this policy resets (and I had to configure, one by one!).

Disable Accessibility via the Registry

1. Download this file containing the registry files, and extract it onto your target machine.

2. Within the extracted files you will find a folder called "Registry Keys". There are two called AccessibilityOFF and AccessibilityON (As the name suggests, the fist disables the settings, and the second reinstates them). Simply double click them to merge them into the registry.

Disable Accessibility via Group Policy

Import the following file and save it with a .adm extension.

CLASS MACHINE
CLASS USER
CATEGORY "Control Panel"
CATEGORY "Accessibility Lockdown"
KEYNAME "Software\Policies\Accessibility"
POLICY "Automatic Reset"
KEYNAME "Software\Policies\Accessibility"
VALUENAME "TimeoutConfig"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control Panel\Accessibility\Timeout"
VALUENAME "Flags"
VALUE "3"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control Panel\Accessibility\Timeout"
VALUENAME "Flags"
VALUE "2"
END ACTIONLISTOFF
PART "Timeout after idle for" DROPDOWNLIST
REQUIRED
KEYNAME "Control Panel\Accessibility\Timeout"
VALUENAME "TimeToWait"
ITEMLIST
NAME "5 minutes"
VALUE "300000"
NAME "10 minutes"
VALUE "600000"
NAME "15 minutes"
VALUE "900000"
NAME "20 minutes"
VALUE "1200000"
NAME "25 minutes"
VALUE "1500000"
NAME "30 minutes"
VALUE "1800000"
END ITEMLIST
END PART
END POLICY
POLICY "Disable StickyKeys (including shortcut)"
KEYNAME "Software\Policies\Accessibility"
VALUENAME "StickyKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control Panel\Accessibility\StickyKeys"
VALUENAME "Flags"
VALUE "506"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control Panel\Accessibility\StickyKeys"
VALUENAME "Flags"
VALUE "510"
END ACTIONLISTOFF
END POLICY
POLICY "Disable FilterKeys (including shortcut)"
KEYNAME "Software\Policies\Accessibility"
VALUENAME "FilterKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control Panel\Accessibility\Keyboard Response"
VALUENAME "Flags"
VALUE "122"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control Panel\Accessibility\Keyboard Response"
VALUENAME "Flags"
VALUE "126"
END ACTIONLISTOFF
END POLICY
POLICY "Disable ToggleKeys (including shortcut)"
KEYNAME "Software\Policies\Accessibility"
VALUENAME "ToggleKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control Panel\Accessibility\ToggleKeys"
VALUENAME "Flags"
VALUE "58"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control Panel\Accessibility\ToggleKeys"
VALUENAME "Flags"
VALUE "62"
END ACTIONLISTOFF
END POLICY
POLICY "Disable High Contrast (including shortcut)"
KEYNAME "Software\Policies\Accessibility"
VALUENAME "HighContrastLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control Panel\Accessibility\HighContrast"
VALUENAME "Flags"
VALUE "122"
VALUENAME "Pre-High Contrast Scheme"
VALUE ""
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control Panel\Accessibility\HighContrast"
VALUENAME "Flags"
VALUE "126"
END ACTIONLISTOFF
END POLICY
POLICY "Disable MouseKeys (including shortcut)"
KEYNAME "Software\Policies\Accessibility"
VALUENAME "MouseKeysLockdown"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
ACTIONLISTON
KEYNAME "Control Panel\Accessibility\MouseKeys"
VALUENAME "Flags"
VALUE "58"
END ACTIONLISTON
ACTIONLISTOFF
KEYNAME "Control Panel\Accessibility\MouseKeys"
VALUENAME "Flags"
VALUE "62"
END ACTIONLISTOFF
END POLICY
END CATEGORY
END CATEGORY