Create the GPO. Navigate to the Group Policy Management tool.

The Group Policy Management tool is similar to the Active Directory Users and Computers tool.

If you don't see the Sales OU$,$ expand the folders under the GOODCORP.NET domain.

Name the GPO Limit Settings.

Right$-$click the GPO to Edit... its policies.

Find the policy you need under User Configuration $>$ Policies $>$ Administrative Templates $>$ Control Panel. The policy you're looking for is called Settings Page Visibility. This policy is not in a subfolder in Control Panel.

Set the policy to Enabled.

Under Settings Page Visibility:, enter showonly:about;themes.

Apply and accept these changes.

After you have enabled the policy, link the GPO to the Sales OU$.$

Add the Sales group to the Remote Desktop Users group like shown earlier, if you haven't already.

Open the Active Directory Users and Computers menu.

Expand your GC Users Organizational Unit.

Select the Sales sub$-$Organizational Unit. The Sales group will appear in the right$-$hand pane.

Right$-$click that Sales group and select Add to a group....

Under the Enter the object names to select area, enter Remote and click Check Names.

Click the Remote Desktop Users and click OK$.$

Click OK again.

Refresh these policy and group changes on the Windows $10$ machine.

Go back to the Windows $10$ machine, open a CMD or PowerShell window and enter:

gpupdate

This will update the Windows $10$ machine with your latest changes.

Take a quick moment to look at the default Windows Settings.

Click the Start menu. Then click the cogwheel icon to launch the Settings menu.

You don't have to do anything here, but notice the different settings your sysadmin account has access to$.$

Test the Group Policy changes as Bob. Verify that Bob's account has limited access to Windows Settings by doing the following:

Log into the Windows $10$ machine as the local sysadmin account and run gpupdate to pull the latest updates.

Toggle Enhanced Session Mode OFF then log into the Windows $10$ machine as Bob with password Ilovesales!.

Once you're back in the Windows $10$ machine, click the Windows button in the bottom$-$left and then click the Settings icon.

If you created the GPO properly, you should only see two entries there: System and Personalization.

This indicates that the Group Policy Object was successfully applied. The standard Windows Settings screen has many more options.

Know that system administrators will often restrict access to various operating system settings to prevent users from making irreversible or potentially dangerous changes to their system.

Authenticate back to our local sysadmin account:

Log out of Bob's account by toggling Enhanced Session Mode ON again.

Back at the Windows lock screen, click the screen and select Other user.

For the username, enter $.\backslash$sysadmin and cybersecurity for the password. You'll notice that the Sign in to: selection at the bottom automatically changes when you type $.\backslash .$

By toggling the session mode, you can use GoodCorp.net$\backslash$Bob to sign into Bob's domain account, and $.\backslash$sysadmin to sign into the local sysadmin account.