Admin templates in group policy


BertieBigBollox

If I change the settings in these, am I right in saying it applies
these templates for ALL users?

Is there any way to change a setting (for instance, disable control
panel) but only do this for non-admin users?

Reason is when we install software for a customer we lock down the
installation by changing numerous settings in group policy. It's just a
pain when, for instance, you can't even get to control panel as admin
user.
 

Mark Heitbrink [MVP]

If I change the settings in these, am I right in saying it applies
these templates for ALL users?

If it is a standalone version without any AD: Yes.
Is there any way to change a setting (for instance, disable control
panel) but only do this for non-admin users?

Yes, but not really easy to administer if you have to change
some things. You have to work with NTFS permissions on
%systemroot%\system32\GroupPolicy\User\registry.pol or \Machine\registry.pol

In this case (without AD) I would still work with poledit
http://support.microsoft.com/default.aspx?scid=kb;en-us;274478
You can import current ADMs into poledit. You can find poledit.exe
in the ORK or in an extracted 2K Service Pack (expand -r poledit.ex_)

Or take a look at the MS Shared Computer Toolkit: not all options are
integrated, but it is easier to handle
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Mark
 

BertieBigBollox

Mark said:
If it is a standalone version without any AD: Yes.


Yes, but not really easy to administer if you have to change
some things. You have to work with NTFS permissions on
%systemroot%\system32\GroupPolicy\User\registry.pol or \Machine\registry.pol

In this case (without AD) I would still work with poledit
http://support.microsoft.com/default.aspx?scid=kb;en-us;274478
You can import actual ADMs into poledit. You can find poledit.exe
in the ORK or in an extracted 2K ServicePack (expand -r poledit.ex_)

Or take a look at the MS Shared Computer Toolkit, not all options
integrated, but easier to handle
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Hmmm. Luckily, I'm in the situation where we're talking about a
standalone Windows 2000 pro machine (so no active directory). Also,
I've used gpedit.msc to edit the policies at the moment.

Do I still need to do as you say so that the admin user is unaffected by
this?
 

Mark Heitbrink [MVP]

Hi,

Hmmm. Luckily, I'm in the situation where we're talking about a
standalone Windows 2000 pro machine (so no active directory). Also,
I've used gpedit.msc to edit the policies at the moment.
Do I still need to do as you say so that admin user is unnaffected by
this?

I would recommend it, because it's easier.
gpedit can't distinguish between users; it's the local policy of
the system you are working on, so it is affecting all of them.

Your problem:
- all your settings are affecting the admin as well
- you need to deny read permissions on the ..\User\registry.pol
file, so he can't import the settings
- but because he is not allowed to read, he can't edit it either ...

Then you can create a second Admin account _prior_ to working with gpedit.
- make your settings and deny read to your Administrator

After that your problem is to make changes ...
- probably your alternate admin is no longer allowed to use MMC
- if you create a 3rd admin account, this one is restricted as well
- if you give read permission back to the admin, he is restricted as well
:-(

That's why I would recommend starting from scratch and using poledit.exe

Mark
 

BertieBigBollox

Mark said:
Hi,



I would recommend it, because it's easier.
gpedit can't distinguish between users; it's the local policy of
the system you are working on, so it is affecting all of them.

Your problem:
- all your settings are affecting the admin as well
- you need to deny read permissions on the ..\User\registry.pol
file, so he can't import the settings
- but because he is not allowed to read, he can't edit it either ...

Then you can create a second Admin account _prior_ to working with gpedit.
- make your settings and deny read to your Administrator

After that your problem is to make changes ...
- probably your alternate admin is no longer allowed to use MMC
- if you create a 3rd admin account, this one is restricted as well
- if you give read permission back to the admin, he is restricted as well
:-(

That's why I would recommend starting from scratch and using poledit.exe

OK. Sort of understand this.

My current admin account has been renamed to Level3. Can I create
another user called pauladmin, say, and restrict the permissions for
this user? What file do I need to restrict access to?

Then, when I log in as pauladmin no policies will be applied. Is this
correct?
 

Mark Heitbrink [MVP]

Hi,

My current admin account has been renamed to Level3. Can I create
another user called pauladmin,

Yes, if you can still create users and you didn't restrict it
by policies ;-) Make PaulAdmin a member of Administrators.
say, and restrict the permissions for this user?
What file do I need to restrict access to?

%systemroot%\system32\GroupPolicy\User\registry.pol
-> Deny Read to "pauladmin"
Then, when I log in as pauladmin no policies will be applied.
Is this correct?

Yes, because he is not allowed to read the settings from registry.pol,
but he is also not able to change the settings.
But after that you will have a "working" admin account.

To get your original Administrator back to being unrestricted,
do the following:

- log in as PaulAdmin (who is not restricted)
- deny read on registry.pol to "Level3"

Open Explorer:
- delete %profilesdir%\Administrator\ntuser.pol

Open Registry Editor:
- select HKEY_USERS
- File \ Load Hive -> %profilesdir%\Administrator\ntuser.dat
give it a name, e.g. "Admin"
- delete the keys beneath
HKEY_USERS\Admin\Software\Policies
HKEY_USERS\Admin\Software\Microsoft\Windows\CurrentVersion\Policies
- File \ Unload Hive

After that your admin account should no longer be restricted.

Mark
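The two-part procedure Mark describes in this and his previous reply (create the exempt admin first, deny Read on registry.pol, then scrub the policy already cached in the other admin's profile) can be scripted. The following is an added example written for this page, not code from the thread or from Mark; it assumes a current Windows version with PowerShell 5.1 (icacls, reg.exe and the Microsoft.PowerShell.LocalAccounts cmdlets), not the Windows 2000 machine in the thread, where the same steps are done with cacls and regedit by hand. The account name pauladmin and the profile folder Level3 are taken from the thread; everything else (the hive name CleanAdmin, the parameter names) is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread). Exempts one admin account from
# the Local Group Policy by denying it Read on registry.pol, as Mark describes.
param(
    [string]$ExemptAdmin       = 'pauladmin',  # account that must stay unrestricted (from the thread)
    [string]$RestrictedProfile = 'Level3'      # profile folder of the admin already hit by the policy (from the thread)
)

$gpRoot   = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$polFiles = @(
    (Join-Path $gpRoot 'User\registry.pol'),
    (Join-Path $gpRoot 'Machine\registry.pol')
)

# 1. Create the second admin BEFORE the lockdown takes effect. Mark's point: once
#    the policy applies to every admin, you may no longer be able to open MMC.
if (-not (Get-LocalUser -Name $ExemptAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $ExemptAdmin"
    New-LocalUser -Name $ExemptAdmin -Password $pw -PasswordNeverExpires | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $ExemptAdmin -ErrorAction SilentlyContinue

# 2. Explicit Deny-Read ACE for that account only. The policy engine then cannot
#    load registry.pol at logon for this user; everyone else is unaffected.
#    Undo later with:  icacls <file> /remove:d <account>
foreach ($f in $polFiles) {
    if (Test-Path $f) {
        icacls $f /deny "${ExemptAdmin}:(R)" | Out-Null
    }
}

# 3. Scrub policy already cached in another admin's profile (the thread's Level3 case):
#    delete ntuser.pol, load that user's ntuser.dat and remove both Policies keys.
#    The hive can only be loaded while that user is logged off.
$profilesDir = [Environment]::ExpandEnvironmentVariables(
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory)
$profileDir = Join-Path $profilesDir $RestrictedProfile
$ntuserPol  = Join-Path $profileDir 'ntuser.pol'
$ntuserDat  = Join-Path $profileDir 'ntuser.dat'

if (Test-Path $ntuserPol) { Remove-Item $ntuserPol -Force }

if (Test-Path $ntuserDat) {
    reg load 'HKU\CleanAdmin' $ntuserDat | Out-Null   # 'CleanAdmin' is an arbitrary temporary hive name
    try {
        foreach ($key in @(
            'Registry::HKEY_USERS\CleanAdmin\Software\Policies',
            'Registry::HKEY_USERS\CleanAdmin\Software\Microsoft\Windows\CurrentVersion\Policies'
        )) {
            if (Test-Path $key) { Remove-Item $key -Recurse -Force }
        }
    } finally {
        [GC]::Collect()                      # drop PowerShell's handles so the unload succeeds
        reg unload 'HKU\CleanAdmin' | Out-Null
    }
}

# 4. Verify: the Deny ACE should be listed first for each file.
foreach ($f in $polFiles) {
    if (Test-Path $f) { icacls $f }
}
```

Two caveats worth keeping in mind. First, this is a convenience split, not a security boundary: any member of Administrators can take ownership of registry.pol and remove the Deny ACE, so it does nothing to stop a hostile admin; it only stops the policy from applying to the account you chose. Second, Windows Vista and later have Multiple Local Group Policy Objects, so on a current standalone machine the cleaner answer to the original question is a separate local GPO for the Non-Administrators group (gpedit.msc opened via mmc with the Group Policy Object Editor snap-in and "Browse" to pick the group), which needs no ACL tricks at all.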
 

BertieBigBollox

Mark said:
Hi,



I would recommend it, because it's easier.
gpedit can't distinguish between users; it's the local policy of
the system you are working on, so it is affecting all of them.

Your problem:
- all your settings are affecting the admin as well
- you need to deny read permissions on the ..\User\registry.pol
file, so he can't import the settings
- but because he is not allowed to read, he can't edit it either ...

Then you can create a second Admin account _prior_ to working with gpedit.
- make your settings and deny read to your Administrator

After that your problem is to make changes ...
- probably your alternate admin is no longer allowed to use MMC
- if you create a 3rd admin account, this one is restricted as well
- if you give read permission back to the admin, he is restricted as well
:-(

That's why I would recommend starting from scratch and using poledit.exe

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: firstname@homepage; the sending address is not read.

Got this working now. Created another admin user and edited the
permissions on the two group policy files in \winnt\system32\GroupPolicy
to deny this new user access.

When this new admin user logs in, it works fine with no policies applied.
 
