Circumventing Windows group policy through the registry

Most corporations manage their Windows laptop fleet in a domain, and the end users are given local administrator rights (withholding those rights would block many legitimate work scenarios). The domain controller applies certain configurations via group policy, overriding the local settings. The end users typically cannot change the group policy (you can open the Group Policy Editor, but many of the relevant entries are grayed out).

Windows power users know that the runtime behavior of most Windows components is determined by the registry, which is local to the PC. Group policy merely modifies the registry settings, and a local administrator can always override them and so circumvent the group policy. This works only temporarily: at the next logon, or at predetermined times, the Group Policy Client will reapply the settings. Most of the time, a power user only needs to temporarily circumvent the policy for a particular task and does not care that it gets reinstated later. In fact, from a security standpoint, it is better that it works this way.

Here I present a semi-random list of such tweaks that I have found useful in my work from time to time, and explain the legitimate use cases that led me to search for them. Essentially, these are just documented registry keys that control certain functionality. You can usually find them just by running a particular phrase through a search engine. The entire purpose of this page is to be a list of what I personally found and used.

1. PSTDisableGrow

If you use Outlook, your current emails are stored on the server and are mirrored locally in an OST file. The retention policy eventually causes them to be deleted from the server, which removes them from your PC as well. To keep them past the retention deadline, you want to move them to a local PST file, which is not synchronized. When you attempt to do so, you may receive the following error: “Cannot move the items. You don’t have appropriate permission to perform this operation.”

This behavior is controlled by an Outlook policy. The relevant registry key is under HKCU\Software\Policies\Microsoft\Office\xx.0\Outlook\PST, where xx.0 is whatever Office version is in use. The simple way to circumvent this policy is to set the “PSTDisableGrow” REG_DWORD value to 0 and restart Outlook.

2. fBlockNonDomain

The network administrator may want to prevent machines from connecting to the corporate network and another network at the same time, for obvious security reasons. In some test setups, though, you may need to do exactly that: for example, connecting to the internet through the corporate WiFi while using a wired, back-to-back Ethernet connection to a system under test. If the corresponding policy is configured, you may find that as soon as the Ethernet connection is established you are booted off the WiFi, and a manual reconnection fails with the error “Your network administrator doesn’t allow simultaneous connections to your workplace network and another network.”

Under HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy, set the “fBlockNonDomain” REG_DWORD value to 0. The effect is immediate, and you should be able to connect back to the domain network while the auxiliary Ethernet connection remains active.
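As an added example (not code from the original post), the following PowerShell script reads the two policy-controlled values described in sections 1 and 2 and reports whether each one is currently enforced, so an administrator or the user can see whether a local override is in place before the Group Policy Client reapplies the policy. It is read-only; the function name and output columns are my own.

```powershell
# Added example: report the live state of the two policy-backed registry
# values discussed on this page. Read-only; it changes nothing.
# Assumption (hypothetical names): Get-PolicyDriftReport and its columns are
# chosen here for illustration and are not part of any Windows tool.

function Get-PolicyDriftReport {
    $checks = @()

    # 1. Outlook PSTDisableGrow lives under a version-specific key (xx.0).
    #    Enumerate every xx.0 subkey rather than hard-coding one version.
    $officeRoot = 'HKCU:\Software\Policies\Microsoft\Office'
    if (Test-Path $officeRoot) {
        foreach ($ver in Get-ChildItem $officeRoot | Where-Object { $_.PSChildName -match '^\d+\.0$' }) {
            $pstKey = "Registry::$($ver.Name)\Outlook\PST"
            $value  = (Get-ItemProperty -Path $pstKey -Name PSTDisableGrow -ErrorAction SilentlyContinue).PSTDisableGrow
            $checks += [pscustomobject]@{
                Key      = "HKCU\...\Office\$($ver.PSChildName)\Outlook\PST"
                Name     = 'PSTDisableGrow'
                Value    = $value            # $null when the value is absent
                Enforced = ($value -eq 1)    # policy active only when set to 1
            }
        }
    }

    # 2. WcmSvc fBlockNonDomain (machine-wide, so read from HKLM).
    $wcmKey = 'HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
    $value  = (Get-ItemProperty -Path $wcmKey -Name fBlockNonDomain -ErrorAction SilentlyContinue).fBlockNonDomain
    $checks += [pscustomobject]@{
        Key      = 'HKLM\...\WcmSvc\GroupPolicy'
        Name     = 'fBlockNonDomain'
        Value    = $value
        Enforced = ($value -eq 1)
    }

    return $checks
}

Get-PolicyDriftReport | Format-Table -AutoSize
```

A row with Enforced = False on a domain-joined machine where the policy is configured indicates a local override (or a missing value); running `gpupdate /force` reapplies the domain settings without waiting for the next refresh.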
