>>Can't run gpedit.msc from user account<<

Wayne B.

I have a handful of Win2k machines that are not part of a
network but are in a classroom environment. I've set up a
student account on each machine as regular users and of
course I'm using the administrator accounts. I need to
lock down the students' accounts so they can't screw up
anything but when I try to run >gpedit.msc< within
their accounts I get, "You do not have permission to
perform this operation" and I get the Group Policy window
with the red Xs over the faces icon. I want to lockdown
the desktop, delete 'run', make the control panel
inaccessible, things of that nature.

Now the way I understand it is, if I want changes to only
take place in a 'users' account, I have to be logged in
that particular account. So if I'm not able to run it
from within the individual accounts, is there another
way of getting this done or is there a way to tweak
something so that I WOULD be able to run gpedit.msc from
within the 'users' accounts?

Could someone point me in the right direction with this
please, I've been fooling around with this mess for the
past 4 days and have gotten absolutely NoWheRe.

THANX N ADVANCE. The Rookie/Wayne B.
 
Pegasus (MVP)

Wayne B. said:
I have a handful of Win2k machines that are not part of a
network but are in a classroom environment. I've set up a
student account on each machine as regular users and of
course I'm using the administrator accounts. I need to
lock down the students' accounts so they can't screw up
anything but when I try to run >gpedit.msc< within
their accounts I get, "You do not have permission to
perform this operation" and I get the Group Policy window
with the red Xs over the faces icon. I want to lockdown
the desktop, delete 'run', make the control panel
inaccessible, things of that nature.

Now the way I understand it is, if I want changes to only
take place in a 'users' account, I have to be logged in
that particular account. So if I'm not able to run it
from within the individual accounts, is there another
way of getting this done or is there a way to tweak
something so that I WOULD be able to run gpedit.msc from
within the 'users' accounts?

Could someone point me in the right direction with this
please, I've been fooling around with this mess for the
past 4 days and have gotten absolutely NoWheRe.

THANX N ADVANCE. The Rookie/Wayne B.

You must run gpedit from an admin account. The changes
you make will affect the user accounts too.
 
Wayne B.

Yehh I know, I don't want my account to be restricted
on anything in any way. I thought that there was a way of
locking down a user account w/o affecting the
administrator accounts. Are you saying that there is no
way to do this (without) affecting my admin
account??? Wayne B.
 
Pegasus (MVP)

When you run gpedit.msc then you are given the opportunity
to specify what restrictions apply to which types of accounts.
The obvious answer is: Restrict user accounts but enable
admin accounts.
 
Wayne B.

Well Pegasus, I'm glad it's obvious to you because it's
giving me the frickin flux. So what do I need to do to
specify the accounts that I want restricted? The drop-
down list under 'action' gives, (Export List, Properties
and Help). The drop-down list under view gives (choose
columns, the view choices, DC Options and customize).

Am I in the correct window or what because I can't see
where I would do what you're referring to. Just one more
kick in the right direction please, I GOT to almost be
there. THANX. Wayne B.
 
Pegasus (MVP)

Since you did not tell me which policy you're trying
to modify, I'll take the policy that says who is allowed
to set the system clock:

Local Computer Policy / Computer Configuration /
Windows Settings / Security Settings / Local Policies /
User Right Assignments / Change System Time.
Double-clicking this policy gives me a screen that
lets me add users and/or groups, and place tick marks
to say if they are / are not allowed to change the
system time.
 
Wayne B.

If you would refer back to my original post, it states, >>control panel inaccessible, things of that nature.<<

I'm not seeing any of those things in 'Computer
Configuration'. To the best of my >limited< knowledge,
they are only available in User Configuration /
Administrative Templates / Start Menu & Taskbar as well
as Desktop and Control Panel.

I've also gone here

http://support.microsoft.com/default.aspx?scid=kb;en-us;q293655

to try to get this done but in order to do what it's
saying, you have to be logged in as a user, but then you
can't run gpedit.msc nor group policy within the mmc. The
users group is restricted from utilizing both of those
functions.
Wayne B.
 
Pegasus (MVP)

What you are referring to is applying different policies for
different groups of users, e.g. one policy for students,
another for administrators. AFAIK, you can do this only
in a domain environment where users are validated by
a domain controller. Keywords are: policy files (.pol),
policy templates (.adm), policy editor (poledit.exe),
Zero Administration Kit (ZAK).

This is not a trivial subject. Nailing down a PC in a college
environment will take you many hours, and your students
will probably find lots of ways of getting around your
restrictions. For example, if you remove the Run command
then your students will launch Explorer and execute cmd.exe.

A more effective way might be to do something like this:
- Create an image of each PC, and store it on a network share.
- Boot each PC with a network boot disk each Friday night,
and execute some script that will restore the standard image.

About your original question: You can run gpedit.exe under
a user account like so:

- Start a Command Prompt
- runas /user:administrator gpedit.msc

Or:
- Start a Command Prompt
- runas /user:administrator cmd.exe
- gpedit.msc
 
Wayne B.

OK, Now I have this issue........... It won't let me
enter my password for my admin account. In both GUI and
cmd prompt. The keys don't/won't register while I'm
typing. ????? I'm beaten for the night, if you have any
other suggestions Pegasus, by all means keep'em comin and
I'll check it out and get started up again in the
morning. THANX A BUNCH.

Wayne B.
 
Pegasus (MVP)

When running "runas.exe", the password is not echoed to
the screen.

Depending on your configuration, you may have to specify
your domain in the "runas.exe" command, e.g. like so:

runas /user:MyPC\administrator cmd
runas /user:administrator@domainname cmd
 
Wayne B.

I'm trying both ways and I'm getting the same results as
before. (keystrokes won't register)
So when I just hit enter since I'm not able to type in
the password it first displays --->>

"Attempting to start "gpedit.msc" as
user "machine\cmos"...
and then 2 to 3 seconds later it gives me --->>

RUNAS ERROR: Unable to run - gpedit.msc
1326: Logon failure: unknown user name or bad password

The identical error displays when I try "cmos@workgroup"

Is it possibly something that I'm doing (or not doing) or
is it that this computer just doesn't like me?
Wayne B.
 
Pegasus (MVP)

Try to run cmd.exe instead of gpedit.msc, as per my example
in a previous post.
 
Wayne B.

I didn't mention in the previous post but I did try it
without the ext and I got the same results. I just tried
it with .exe attached this time to cmd and no
difference. It WANTS its password, even though it
doesn't want it. (so to speak)
Wayne B.
 
Pegasus (MVP)

The extension is not the issue here but the command is.
Instead of running gpedit.msc, run cmd.exe under the
"runas" command.
 
Wouter

The extension is not the issue here but the command is.
Instead of running gpedit.msc, run cmd.exe under the
"runas" command.

I think "Start>Run>runas /user:administrator gpedit.mmc" does
NOT work.
What does somehow work is this:

Make a shortcut to: C:\WINNT\system32\gpedit.msc
This shortcut must be e.g. in the "C:\Documents and Settings\All
Users\Start Menu\Programs" folder.
Now logon as the restricted user.
Go to Start>Programs
Right-click the Shortcut to gpedit
Select: Run as...
Fill in Administrator and the Password, click OK

Anyway, the settings you make through gpedit this way DO affect
ALL users of this PC, so this is not what you want.

Better use my suggestion, see my other response to your
question.
 
