Group Policy : Restrict Registry Editor Access

If you want to restrict user access to the registry editor, the easiest method is to use a group policy object in your active directory environment. This will allow you to restrict access to the registry editor to many users in just a few clicks.

To disable access to the registry editor using group policy, logon to a domain controller or a computer with RSAT installed. Next, navigate to our Group Policy Management inside of Administrative Tools.

Next, navigate to Users Configuration > Policies > Administrative Templates > System. Once inside of the System folder, right-click on the policy titled Prevent access to registry editor tools. Once inside, Enable the policy.

A new option will appear in the options section. To disable registry editor from running, select “Yes” in the drop-down. If the option is “No”, it will allow registry edits to run using the command prompt.

Click Apply and OK. Last, apply the policy to the desired organizational unit.

To verify that it has applied the policy, logon to a computer using an account that has the group policy object applied. If the policy is being applied a message saying, “Registry editing has been disabled by your administrator.”


To apply the new setting to the computer, restart the machine or run gpupdate /force. To further verify the policy is being applied, run gpresult /r