RE: gpedit.msc can't specify the user/group

From: Tim Donahue (TDonahue@haynesconstruction.com)
Date: 07/31/02


From: Tim Donahue <TDonahue@haynesconstruction.com>
To: 'Catfish' <catfish@catfish.homeip.net>, security-basics@securityfocus.com
Date: Wed, 31 Jul 2002 14:47:57 -0400

There is one policy for the entire computer; the only way to have separate
policies is to use a domain, which you don't have. When you are setting up
the policy you choose which users/groups specific parts of the policy apply
to. For example, one of the options in "Computer Config\Windows Settings\Local
Policies\User Rights Assignment" is "Shut down the System". Under there you
choose which groups have the right to shut down the system, at least through
Windows.

Hope this helps,

Tim Donahue

-----Original Message-----
From: Catfish [mailto:catfish@catfish.homeip.net]
Sent: Tuesday, July 30, 2002 7:55 AM
To: security-basics@securityfocus.com
Subject: gpedit.msc can't specify the user/group

A question brought up by another person I really didn't have a good answer
for...

When using gpedit.msc (tried under xp pro but I believe the same under
win2k) to lock things down like hiding start menu items like run, control
panel...etc you can't choose which user(s)/group(s) will be covered under the
policy. It seems to apply to just the user that is using gpedit.msc or when
admin everyone (?).

Is there a way to pick which users apply? Some sort of .pol file we can move
around or can I create a .reg file with the changes I can import using
regedit to that user. The way I would think it Should work is for the admin
(while logged in as admin) to apply policies to any user/group and be able to
enforce it.

Note this is a standalone system not on a domain, AD, .net or whatever. I did
some google'ing but it seems mostly to point to either just run it and make
your changes or domains/AD which I'm not familiar with.
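
Added example, not part of the original thread: one way to audit which accounts hold a right from "User Rights Assignment" on a standalone machine is to export the local security policy with secedit and read its [Privilege Rights] section. SeShutdownPrivilege is the internal name of "Shut down the system"; the function name Get-UserRightHolder and the sample policy text are constructed for illustration.

```powershell
# Added example. On a real machine, export the rights from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $inf = Get-Content "$env:TEMP\rights.inf"
# The lines below are a constructed sample in the same INF layout.
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeDenyInteractiveLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Hypothetical helper: returns one object per account that holds $Right.
function Get-UserRightHolder {
    param([string[]]$InfLines, [string]$Right)
    $inSection = $false
    foreach ($line in $InfLines) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside [Privilege Rights]
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }
        if ($Matches[1] -ne $Right) { continue }
        foreach ($entry in $Matches[2].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if (-not $entry.StartsWith('*')) {
                # Entries without '*' are already account names
                [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
                continue
            }
            # Entries with '*' are SIDs; resolve them to names where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved)' }
            [pscustomobject]@{ Right = $Right; Sid = $sid.Value; Account = $name }
        }
    }
}

Get-UserRightHolder -InfLines $inf -Right 'SeShutdownPrivilege'
```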


