PowerShell – Prevent Kids From Installing/Running Specific Programs

ByDavid Kittell

If you use the Microsoft Family settings for your kids and can’t figure out how to prevent them from installing Chrome or Chromium this will help.

This PowerShell script (ran as Administrator) will create/modify the user folders to prevent users from accessing the needed folders to run the two programs.

PowerShell
# List all users and last time used
#gwmi win32_userprofile | select @{LABEL="last used";EXPRESSION={$_.ConvertToDateTime($_.lastusetime)}}, LocalPath, SID,  Status, Disabled, AccountType, Lockout, special, PasswordRequired | ft -a

# List all users capable of logging in
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | Where-Object { $_.Disabled -ne 'False' -and $_.PasswordRequired -eq 'True' } | Select-Object PSComputername,Fullname,Name,Status,Disabled,AccountType,Lockout,PasswordRequired,PasswordChangeable,SID | Format-Table
$users = $(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | Where-Object { $_.Disabled -ne 'False' -and $_.PasswordRequired -eq 'True' })

foreach ($user in $users)
{
  $user.Name

  $user1 = $(gwmi win32_userprofile | Where-Object { $_.SID -like "$($user.SID.SubString(0,8))*" } | Select-Object @{ LABEL = "last used"; EXPRESSION = { $_.ConvertToDateTime($_.lastusetime) } },LocalPath,SID,Status,Disabled,AccountType,Lockout,special,PasswordRequired)

  if ($(Test-Path $user1.LocalPath) -eq $True) {
    $userpaths = $user1.LocalPath
  }

}

foreach ($userpath in $userpaths | Get-Unique)
{
  Write-Output "Looking for $userpath\AppData\Local\Google"
  $path = "$userpath\AppData\Local\Google"
  if ($(Test-Path $path) -eq $True) {
    # Google is installed
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }
  else
  {
    # Google is not installed
    mkdir -Force $path
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }

  Write-Output "Looking for $userpath\AppData\Local\Chromium"
  $path = "$userpath\AppData\Local\Chromium"
  if ($(Test-Path $path) -eq $True) {
    # Chromium is installed
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }
  else
  {
    # Chromium is not installed
    mkdir -Force $path
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }

  Write-Output "Looking for $userpath\AppData\Local\Roblox"
  $path = "$userpath\AppData\Local\Roblox"
  if ($(Test-Path $path) -eq $True) {
    # Roblox is installed
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }
  else
  {
    # Roblox is not installed
    mkdir -Force $path
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }


  Write-Output "Looking for $userpath\AppData\Local\Steam"
  $path = "$userpath\AppData\Local\Steam"
  if ($(Test-Path $path) -eq $True) {
    # Steam is installed
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }
  else
  {
    # Steam is not installed
    mkdir -Force $path
    #Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
    Get-Item "$path" | Disable-NTFSAccessInheritance
    Get-Item "$path" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl

    Get-Item "$path\*" | Disable-NTFSAccessInheritance
    Get-Item "$path\*" | Get-NTFSAccess | Remove-NTFSAccess
    Get-Item "$path\*" | Add-NTFSAccess -Account 'builtin\administrators' -AccessRights FullControl
  }

}

<#
#Install-Module -Name NTFSSecurity
Get-Item $path | Get-NTFSAccess –ExcludeInherited | Out-File c:\temp\OriginalPermissions.txt -Append
Get-Item "$path\*" | Disable-NTFSAccessInheritance
 
Get-Item "$path\*" | Get-NTFSAccess -ExcludeExplicit builtin\administrators | Remove-NTFSAccess
Get-Item "$path\*" | Set-NTFSOwner -Account builtin\administrators
#>
PowerShell
# Block Microsoft Store (within Windows) - Run as Administrator
# NOTE This block is for all users of the computer.
Write-Output "0.0.0.0 livetileedge.dsx.mp.microsoft.com" | Add-Content "C:\Windows\System32\drivers\etc\hosts"
Write-Output "0.0.0.0 store-images.s-microsoft.com" | Add-Content "C:\Windows\System32\drivers\etc\hosts"
Write-Output "0.0.0.0 storeedgefd.dsx.mp.microsoft.com" | Add-Content "C:\Windows\System32\drivers\etc\hosts"
Write-Output "0.0.0.0 vrv.colivetileedge.dsx.mp.microsoft.com" | Add-Content "C:\Windows\System32\drivers\etc\hosts"

Originally Posted on January 1, 2019
Last Updated on October 26, 2025
All information on this site is shared with the intention to help. Before any source code or program is ran on a production (non-development) system it is suggested you test it and fully understand what it is doing not just what it appears it is doing. I accept no responsibility for any damage you may do with this code.