Group Policy

[AC]

I need some elucidation concerning user restriction.

I have been trying to assign restriction for a sparticular user within users
group (member of users) without applyint them to my account as a memeber of
administrators.

Trying to perform that in Group Policy setting window - User Configuration -
Administrative Templates the result is applied to my account (member of
administators).

Is there any way of make restriction assigned to a users group or a single
user. Or the only way to do it is 'limit account' setting for a specified
user?

Thank you in advance for any suggestion.

AC
Windows XP Pro SP2

 

[Nepatsfan]

You might want to take a look here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

It will apply to XP as well as Win2K.

 

[AC]

Thanks, but I know this article.

I would like to know WHY it does not work <naturally> in my case.

I am using McAfee Internet Security on Win Xp Pro Sp2... I have really no
idea.

Have you?

 

[Nepatsfan]

I'm not sure I understand exactly what it is you're asking.

Did you follow the procedure outlined in the article?
What were the results? Were there still settings applied to
administrative accounts?

If you're wondering why the settings get applied to all accounts
by default then you need to consider the difference between a
workgroup and a domain. In a workgroup, Local Group Policy is
initially applied to all accounts.

 

[David Candy]

Because you didn't pay for server.

 

[AC]

???? Really


"David Candy" <.> wrote in message
Because you didn't pay for server.

 

[AC]

To all account means a mine? - ie user from administrators account?

I have one single post with Win XP pro SP2. I would like to limit my wife to
install the software.

I am a user with administrator privileges and her is an user from user
group.

I am certain that the procedure will work (replacing the reg file is always
miraculous) but I wonder why it does NOT work in the ordinary way?

Thanks for your time.

 

[David Candy]

Yes, really.

 

[Nepatsfan]

First off, if you want to prevent your wife from installing
software then leave her account as a member of the users group.
If you want to allow here to install software but not have full
administrative privileges then make her a member of the power
users group.

I'll have to admit, I really don't know why Microsoft decided to
set up Local Group Policy so that you can't apply individual
settings to different users and groups. My best guess is that, as
I mentioned before, it has to do with the basic difference
between a workgroup and a domain.

In a workgroup, each PC has it own collection of users and it's
own set of policies. If your the person in charge of overseeing
the day to day operation of these machines, how do you keep track
of who can do what on which machine? In a workgroup, simpler is
better. Start making things complicated and it becomes
unmanageable. Putting users in different groups (users, power
users, administrators, etc.) allows you to put some restrictions
on their activities. You also have some settings that can be set
for users and groups within the following section of Local Group
Policy:
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment

Since a domain provides a point of centralized administration, a
domain controller, it's much easier to implement policies that
determine, as I put it earlier, who can do what on which machine.

As for your options, you might find this program useful:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

I haven't used this program but I've seen it recommended on these
newsgroups by people whose opinions I respect.

Good luck.

 

[AC]

Would you be so kind to unfold your thread?

"David Candy" <.> wrote in message
Yes, really.

 

[Ronnie Vernon MVP]

You might want to take a look at this utility.

Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm

 

[Asim]

Hi!

Did you ever find why Q293655 does not work? I am using XP Pro SP2 and
following the instructions completely, it simply does not work.

I tailor the Admin template, copy the desired pol file, change the
Admin template to defaults, overwrite the resultant pol with the
desired pol file copied before, logoff and log back in! And its as if
I have not done a thing! Administrators remain bound by the group
policies.

I do not know anyone who has used this method successfully since XP
SP2, has anyone? Any ideas where to look?

Thanks!

 

[george]

You may have noticed that the atricle indicates:
APPLIES TO
. Microsoft Windows 2000 Server
. Microsoft Windows 2000 Professional Edition

It does not state this should/would work for XP Pro (any version)

:-((
george

 

[Nepatsfan]

I suspect you're not following the instructions correctly. A
common mistake can occur in step 10 if instead of changing the
settings to Disabled you change them back to Not Configured
(which is the default setting). Also, make sure that the other
accounts you want the settings applied to are in fact NOT members
of the administrators group.

If you've got some time to kill then try this test.

Logon with an account that is a member of the Administrator's
group.
Launch the Group Policy Editor.
Change a setting that's not critical to the operation of the PC
to Enabled (something like "Remove User Name from Start Menu"
within User Configuration/Administrative Templates/Start Menu and
Taskbar).
Log off and on to apply the setting.
Log on with a User account and see if the User Name isn't
displayed at the top of the Start Menu.
Log back on with your administrator account.
Copy the Registry.pol file to a handy location.
Open the Local Group Policy and change the setting you enabled
earlier to DISABLED.
Close the editor.
Copy the saved Registry.pol file back to
C:\Windows\System32\Group Policy\User.
Log off and on and see if the User Name is visible for the
administrator account but not for the user account.

This procedure works for Windows XP as well as Windows 2000.