Hi Mike,
I have successfully used the technique as described on the Web Page (URL) posted by
Steve.
Keep in mind that you must start with a "clean-slate". That is, any policies that
have already been configured will still be applied even after setting NTFS
permissions to deny read access to the group you are trying to exclude.
To make certain that you have a "clean-slate", run gpedit.msc, in the left-pane select
Computer Configuration/Administrative Templates, and from the View menu choose "Show
Configured Policies Only". Repeat for User Configuration/Administrative Templates.
If any policies are shown as Enabled you are not starting with a clean-slate and this
must be remedied before you edit policy settings and set NTFS permissions.
The best way that I know of to return to a "clean-slate" is to repeat the above and
for all policies that are Enabled change the Setting to Disabled, log on as each user
on your computer and then Reboot. Run gpedit.msc again, repeat as above except this
time change the Setting to Not Configured (make certain you log on as each user and
Reboot). Now you have a clean-slate and can begin to "Lockdown by group using Local
Computer Policy" as described on the aforementioned Web Page.
If you are still having problems we can help you troubleshoot them if you use
xcacls.exe to display NTFS permissions and gpresult.exe to display information about
your Group Policies, then post the results here (delete any non-pertinent
information).
You can find xcacls.exe and gpresult.exe on the Windows 2000 Professional Resource
Kit companion CD or you can download it as one of the "Free Tool Downloads". For
more information, see the following Microsoft Knowledge Base Article:
KB274305 - Free Windows 2000 Resource Kit Tools for Administrative Tasks
http://support.microsoft.com/?scid=274305
With these tools installed, log on as the built-in Administrator, run the cmd.exe
prompt, and execute the following commands.
For xcacls (the following assumes you are setting permissions as described on the
aforementioned Web Page. Otherwise, modify path as necessary):
xcacls C:\WINNT\system32\GroupPolicy
For gpresult (the following assumes you are setting NTFS permissions to deny read
access to users in the Administrators group):
gpresult /u /v
--
Carrie Garth, Microsoft MVP for Windows 2000
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- c x g
: "Mike" <msh_work AT hotmail DOT com>
: Wrote in message
: Sent: Thursday, October 09, 2003 11:12 AM
:
: Thanks Steve, I tried that but unfortunately I am getting
: the same problem. Whatever way I do this it seems that
: applying policy to just the users and not the
: administrator is not possible. If you know of any other
: work rounds they would be much appreciated. Cheers
: > "Steven L Umbach" <sumbach AT ameritech DOT net>
: > Wrote in message
: > Sent: Thursday, October 09, 2003 09:35 AM
: >
: > Hi Mike. See the link below to an unsupported hack that involves using deny
: > permissions on the \winnt\system32\group policy folder.
: >
: > http://is-it-true.org/nt/nt2000/atips/atips131.shtml
: >> "Mike" <[email protected]>
: >> Wrote in message
: >> Sent: Thursday, October 09, 2003 08:49 AM
: >>
: >> I am trying to no avail to apply security policies on a
: >> standalone computer so that only the users will be
: >> affected by the policy changes and not the
: >> administrators. I have tried to use the work around that
: >> was discussed in the tech net article 293665 but this is
: >> very contradictive and does not work. Anybody who has any
: >> idea how to do this please please please could you let me
: >> know how.