PC Review


Admin templates in group policy

 
 
BertieBigBollox@gmail.com
4th Jul 2006
If I change the settings in these, am I right in saying it applies
these templates for ALL users?

Is there any way to change a setting (for instance, disable control
panel) but only do this for non-admin users?

Reason is when we install software for a customer we lock down the
installation by changing numerous settings in group policy. It's just a
pain when, for instance, you can't even get to control panel as admin
user.

 
Mark Heitbrink [MVP]
4th Jul 2006
(E-Mail Removed) wrote:
> If I change the settings in these, am I right in saying it applies
> these templates for ALL users?


If it is a standalone version without any AD: Yes.

> Is there any way to change a setting (for instance, disable control
> panel) but only do this for non-admin users?


Yes, but not really easy to administrate if you have to change
some things. You have to work with NTFS Permissions on the
%systemroot%\system32\GroupPolicy\User or \Machine\registry.pol

In this case (without AD) I would still work with poledit
http://support.microsoft.com/default...b;en-us;274478
You can import actual ADMs into poledit. You can find poledit.exe
in the ORK or in an extracted 2K ServicePack (expand -r poledit.ex_)

Or take a look at the MS Shared Computer Toolkit, not all options
integrated, but easier to handle
http://www.microsoft.com/windowsxp/s...s/default.mspx

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: FirstName@Homepage, the sending address is not read.

 
BertieBigBollox@gmail.com
4th Jul 2006

Mark Heitbrink [MVP] wrote:

> (E-Mail Removed) wrote:
> > If I change the settings in these, am I right in saying it applies
> > these templates for ALL users?
>
> If it is a standalone version without any AD: Yes.
>
> > Is there any way to change a setting (for instance, disable control
> > panel) but only do this for non-admin users?
>
> Yes, but not really easy to administrate if you have to change
> some things. You have to work with NTFS Permissions on the
> %systemroot%\system32\GroupPolicy\User or \Machine\registry.pol
>
> In this case (without AD) I would still work with poledit
> http://support.microsoft.com/default...b;en-us;274478
> You can import actual ADMs into poledit. You can find poledit.exe
> in the ORK or in an extracted 2K ServicePack (expand -r poledit.ex_)
>
> Or take a look at the MS Shared Computer Toolkit, not all options
> integrated, but easier to handle
> http://www.microsoft.com/windowsxp/s...s/default.mspx
>


Hmmm. Luckily, I'm in the situation where we're talking about a
standalone Windows 2000 pro machine (so no active directory). Also,
I've used gpedit.msc to edit the policies at the moment.

Do I still need to do as you say so that admin user is unaffected by
this?

 
Mark Heitbrink [MVP]
4th Jul 2006
Hi,

(E-Mail Removed) wrote:
> Hmmm. Luckily, I'm in the situation where we're talking about a
> standalone Windows 2000 pro machine (so no active directory). Also,
> I've used gpedit.msc to edit the policies at the moment.
> Do I still need to do as you say so that admin user is unaffected by
> this?


I would recommend it, because it's easier.
gpedit can't distinguish between users; it's the local policy of
the system you are working on, so it is affecting all of them.

Your problem:
- all your settings are affecting the admin as well
- you need to deny read permissions on the ..user\registry.pol
file, so he can't import the settings
- but because he is not allowed to read he even can't edit it ...

Then you can create a second Admin Account _prior_ to working with gpedit.
- make your settings and deny read to your Administrator

After that your problem is to make changes ...
- probably your alternate admin is no longer allowed to use MMC
- if you create a 3rd admin account this one is restricted as well
- if you give read permission back to the admin he is restricted as well
:-(

That's why I would recommend starting from scratch and using poledit.exe

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: FirstName@Homepage, the sending address is not read.
 
BertieBigBollox@gmail.com
5th Jul 2006

Mark Heitbrink [MVP] wrote:

> Hi,
>
> (E-Mail Removed) wrote:
> > Hmmm. Luckily, I'm in the situation where we're talking about a
> > standalone Windows 2000 pro machine (so no active directory). Also,
> > I've used gpedit.msc to edit the policies at the moment.
> > Do I still need to do as you say so that admin user is unaffected by
> > this?
>
> I would recommend it, because it's easier.
> gpedit can't distinguish between users; it's the local policy of
> the system you are working on, so it is affecting all of them.
>
> Your problem:
> - all your settings are affecting the admin as well
> - you need to deny read permissions on the ..user\registry.pol
> file, so he can't import the settings
> - but because he is not allowed to read he even can't edit it ...
>
> Then you can create a second Admin Account _prior_ to working with gpedit.
> - make your settings and deny read to your Administrator
>
> After that your problem is to make changes ...
> - probably your alternate admin is no longer allowed to use MMC
> - if you create a 3rd admin account this one is restricted as well
> - if you give read permission back to the admin he is restricted as well
> :-(
>
> That's why I would recommend starting from scratch and using poledit.exe
>


OK. Sort of understand this.

My current admin account has been renamed to Level3. Can I create
another user called pauladmin, say, and restrict the permissions for
this user? What file do I need to restrict access to?

Then, when I log in as pauladmin no policies will be applied. Is this
correct?

 
Mark Heitbrink [MVP]
5th Jul 2006
Hi,

(E-Mail Removed) wrote:
> My current admin account has been renamed to Level3. Can I create
> another user called pauladmin,


Yes, if you can still create users and you didn't restrict it
by policies ;-) Make PaulAdmin a member of Administrators.

> say, and restrict the permissions for this user?
> What file do I need to restrict access to?


%systemroot%\system32\GroupPolicy\User\registry.pol
-> Deny Read to "pauladmin"

> Then, when I log in as pauladmin no policies will be applied.
> Is this correct?


Yes, because he is not allowed to read the settings from registry.pol,
but he is also not able to change the settings.
But after that you will have a "working" AdminAccount.

To get your original Administrator back to being unrestricted,
do the following:

- log in as PaulAdmin (who is not restricted)
- deny read on registry.pol to "Level3"

Open Explorer:
- delete %profilesdir%\Administrator\ntuser.pol

Open Registry
- mark HKey_Users
- file \ load structure -> %profilesdir%\Administrator\ntuser.dat
give a name e.g. "Admin"
- delete the hives beneath
HKey_Users\Admin\Software\Policies
HKey_Users\Admin\Software\Microsoft\Windows\CurrentVersion\Policies
- file \ unload structure

After that your AdminAccount should no longer be restricted.

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: FirstName@Homepage, the sending address is not read.
 
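
Mark's two answers (the first pointing at NTFS permissions on registry.pol, this one spelling out the deny-read-then-purge-the-profile steps) can be scripted. What follows is an added example, not code from the thread or from Mark, written for a current PowerShell on Windows. The account name pauladmin, the profile folder name Level3 and the temporary hive name PolicyCleanup are placeholders. It assumes an elevated session run as an administrator other than the one being exempted, and that the profile whose hive is loaded is logged off (reg.exe cannot load a hive that is in use). Regedit's "Load Hive" step from the post is done here with reg.exe so it can be scripted.

```powershell
<#
 Added example, not code from the thread. Exempts one local administrator from
 the USER half of the local GPO by denying it Read on User\registry.pol, then
 purges the policy keys already cached in a profile, as Mark describes.
 Run from an elevated PowerShell session as a different administrator than the
 one being exempted; the profile being cleaned must be logged off.
 'pauladmin', 'Level3' and 'PolicyCleanup' are placeholders.
#>

$GpoRoot     = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$UserPolFile = Join-Path $GpoRoot 'User\registry.pol'

function Deny-UserPolicyRead {
    # Add a "Deny Read" ACE for $Account on the user-side registry.pol.
    # Machine\registry.pol is applied in the SYSTEM context, so a per-user
    # deny there would change nothing; only the user side is touched.
    param([Parameter(Mandatory)][string]$Account)

    if (-not (Test-Path -Path $UserPolFile)) {
        throw "No user-side policy at $UserPolFile; set a user policy in gpedit.msc first."
    }
    $acl  = Get-Acl -Path $UserPolFile
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Account, 'Read', 'Deny'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $UserPolFile -AclObject $acl
}

function Get-UserPolicyDenies {
    # The check to run before and after: who is denied on User\registry.pol.
    (Get-Acl -Path $UserPolFile).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights
}

function Clear-CachedUserPolicy {
    # Denying Read only stops future application. Settings already written
    # into the profile stay until ntuser.pol and the two Policies keys in the
    # profile's NTUSER.DAT are removed, which is the Explorer/Regedit part of
    # Mark's procedure.
    param([Parameter(Mandatory)][string]$ProfileFolder)

    $profilesDir = Split-Path -Path $env:USERPROFILE -Parent
    $ntuserPol   = Join-Path $profilesDir "$ProfileFolder\ntuser.pol"
    $ntuserDat   = Join-Path $profilesDir "$ProfileFolder\ntuser.dat"

    if (Test-Path -Path $ntuserPol) { Remove-Item -Path $ntuserPol -Force }
    if (-not (Test-Path -Path $ntuserDat)) { throw "No hive at $ntuserDat" }

    $mount = 'HKU\PolicyCleanup'   # temporary name for the loaded hive
    & reg.exe load $mount $ntuserDat | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe load failed for $ntuserDat; is $ProfileFolder still logged on?"
    }
    try {
        foreach ($sub in 'Software\Policies',
                         'Software\Microsoft\Windows\CurrentVersion\Policies') {
            $key = "Registry::HKEY_USERS\PolicyCleanup\$sub"
            if (Test-Path -Path $key) { Remove-Item -Path $key -Recurse -Force }
        }
    }
    finally {
        [GC]::Collect()            # drop provider handles so the unload succeeds
        & reg.exe unload $mount | Out-Null
    }
}

# Usage with the thread's placeholder names:
# Deny-UserPolicyRead -Account 'pauladmin'        # pauladmin now gets no user policy
# Get-UserPolicyDenies                             # confirm the Deny ACE is present
# Clear-CachedUserPolicy -ProfileFolder 'Level3'   # undo what was already applied
```

Two points that follow from Mark's own description are worth keeping in mind. The denied account can no longer open the user half of the local policy in gpedit.msc either, so one administrator without the deny has to remain for editing. And since any member of Administrators can reset the file's ACL, this separates an installer's working account from the lockdown; it is not a control against an administrator who wants the lockdown gone.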
 
BertieBigBollox@gmail.com
5th Jul 2006
Mark Heitbrink [MVP] wrote:

> Hi,
>
> (E-Mail Removed) wrote:
> > Hmmm. Luckily, I'm in the situation where we're talking about a
> > standalone Windows 2000 pro machine (so no active directory). Also,
> > I've used gpedit.msc to edit the policies at the moment.
> > Do I still need to do as you say so that admin user is unaffected by
> > this?
>
> I would recommend it, because it's easier.
> gpedit can't distinguish between users; it's the local policy of
> the system you are working on, so it is affecting all of them.
>
> Your problem:
> - all your settings are affecting the admin as well
> - you need to deny read permissions on the ..user\registry.pol
> file, so he can't import the settings
> - but because he is not allowed to read he even can't edit it ...
>
> Then you can create a second Admin Account _prior_ to working with gpedit.
> - make your settings and deny read to your Administrator
>
> After that your problem is to make changes ...
> - probably your alternate admin is no longer allowed to use MMC
> - if you create a 3rd admin account this one is restricted as well
> - if you give read permission back to the admin he is restricted as well
> :-(
>
> That's why I would recommend starting from scratch and using poledit.exe
>
> Mark
> --
> Mark Heitbrink - MVP Windows Server
> Homepage: www.gruppenrichtlinien.de
> extend GPO: www.desktopstandard.com
> PM: FirstName@Homepage, the sending address is not read.


Got this working now. Created another admin user and edited the
permissions on the two group policy files in \winnt\system32\Group
Policy to deny this new user access.

When this new admin user logs in it works fine with no policies applied.

 