Re: Assigning User Policy
From: Steven L Umbach (n9rou_at_comcast.net)
Date: 10/11/03
- Next message: m.e.: "How to switch off ping ?"
- Previous message: Steven L Umbach: "Re: Administrator Denied MMC Access"
- In reply to: Carrie Garth \(MVP\): "Re: Assigning User Policy"
Date: Sat, 11 Oct 2003 21:23:24 GMT
Hi Carrie,
Interestingly, I have not noticed the same behaviour on some of my machines,
in that already applied policies were exempted after NTFS deny permissions
were enabled. I am using W2K SP3 and am talking only about changes made in
User Configuration/Administrative Templates. Apparently mileage may vary, as
this is an unsupported hack.
The part about starting with a clean slate is a good point. I just wanted to
pass along that in my experience you can clean a slate for user
configuration by renaming the registry.pol file in the \winnt\group
policy\user folder. The trick is that the old settings will stay in place
until a new registry.pol file is created. To do that all you have to do is
run gpedit.msc and change a setting, even if you enable a setting and then
undefine it right away. After that the new registry.pol file is created with
a clean slate. You would have to log off and back on to see it take effect
that way of course.
Users have also found themselves locked out of using gpedit.msc
altogether, even as administrator on a non-domain machine [as seen by a
recent post], in cases where they have disabled access to Microsoft
Management Console. I have found the workaround for this is to run mmc and
select Group Policy on another machine on the network. Then, instead of Local
Computer, select Browse/Computers/Another computer and type in the name of
the computer you need to manage Group Policy on remotely. Of course,
administrator credentials for that machine will be needed.
It would be nice to see Microsoft incorporate into future operating
systems a way to make it easy for users to exempt users/groups from local
user policy, as there seems to be a lot of demand for it. --- Steve
"Carrie Garth (MVP)" <cgarth@alpha1.netINVALID> wrote in message
news:OW1ullAkDHA.3732@tk2msftngp13.phx.gbl...
> Hi Mike,
>
> I have successfully used the technique as described on the Web Page (URL)
> posted by Steve.
>
> Keep in mind that you must start with a "clean-slate". That is, any
> policies that have already been configured will still be applied even
> after setting NTFS permissions to deny read access to the group you are
> trying to exclude.
>
> To make certain that you have a "clean-slate" run gpedit.msc, in the
> left-pane select Computer Configuration/Administrative Templates and from
> the View menu choose "Show Configured Policies Only". Repeat for User
> Configuration/Administrative Templates. If any policies are shown as
> Enabled you are not starting with a clean-slate and this must be remedied
> before you edit policy settings and set NTFS permissions.
>
> The best way that I know of to return to a "clean-slate" is to repeat the
> above and for all policies that are Enabled change the Setting to
> Disabled, log on as each user on your computer and then Reboot. Run
> gpedit.msc again, repeat as above except this time change the Setting to
> Not Configured (make certain you log on as each user and Reboot). Now you
> have a clean-slate and can begin to "Lockdown by group using Local
> Computer Policy" as described on the aforementioned Web Page.
>
> If you are still having problems we can help you troubleshoot them if you
> use xcacls.exe to display NTFS permissions and gpresult.exe to display
> information about your Group Policies, then post the results here (delete
> any non-pertinent information).
>
> You can find xcacls.exe and gpresult.exe on the Windows 2000 Professional
> Resource Kit companion CD or you can download it as one of the "Free Tool
> Downloads". For more information, see the following Microsoft Knowledge
> Base Article:
>
> KB274305 - Free Windows 2000 Resource Kit Tools for Administrative Tasks
> http://support.microsoft.com/?scid=274305
>
> With these tools installed, log on as the built-in Administrator, run the
> cmd.exe prompt, and execute the following command.
>
> For xcacls (the following assumes you are setting permissions as described
> on the aforementioned Web Page. Otherwise, modify path as necessary):
>
> xcacls C:\WINNT\system32\GroupPolicy
>
> For gpresult (the following assumes you are setting NTFS permissions to
> deny read access to users in the Administrators group):
>
> gpresult /u /v
>
> --
> Carrie Garth, Microsoft MVP for Windows 2000
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- c x g
>
> : "Mike" <msh_work AT hotmail DOT com>
> : Wrote in message news:019701c38e80$2041ff20$a301280a@phx.gbl
> : Sent: Thursday, October 09, 2003 11:12 AM
> :
> : Thanks Steve, I tried that but unfortunately I am getting
> : the same problem. Whatever way I do this it seems that
> : applying policy to just the users and not the
> : administrator is not possible. If you know of any other
> : workarounds they would be much appreciated. Cheers
>
> : > "Steven L Umbach" <sumbach AT ameritech DOT net>
> : > Wrote in message
> : > news:3nehb.26898$ev2.7047783@newssrv26.news.prodigy.com
> : > Sent: Thursday, October 09, 2003 09:35 AM
> : >
> : > Hi Mike. See the link below to an unsupported hack that involves
> : > using deny permissions on the \winnt\system32\group policy folder.
> : >
> : > http://is-it-true.org/nt/nt2000/atips/atips131.shtml
>
> : >> "Mike" <msh_work@hotmail.com>
> : >> Wrote in message news:2642701c38e6c$2e2dc6f0$a601280a@phx.gbl
> : >> Sent: Thursday, October 09, 2003 08:49 AM
> : >>
> : >> I am trying to no avail to apply security policies on a
> : >> standalone computer so that only the users will be
> : >> affected by the policy changes and not the
> : >> administrators. I have tried to use the work around that
> : >> was discussed in the TechNet article 293665 but this is
> : >> very contradictive and does not work. Anybody who has any
> : >> idea how to do this please please please could you let me
> : >> know how.
>
>
>
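Both Carrie's "clean-slate" check (Show Configured Policies Only) and Steve's rename trick come down to the contents of registry.pol under the Machine\ and User\ subfolders of the GroupPolicy folder that xcacls is pointed at above. The script below is an added example, not code from anyone in this thread: it parses a registry.pol file using the documented layout (an 8-byte "PReg" header with version 1, followed by UTF-16LE records of the form [key;value;type;size;data]) and reports whether the file is a clean slate or still carries Administrative Templates settings. It also builds the two sample files it checks; the key and value names in those samples are constructed placeholders, not real policy paths. The folder path passed to check_gpo_folder() is whatever the reader's own %SystemRoot%\System32\GroupPolicy resolves to.

```python
"""Inspect Group Policy registry.pol files for the "clean slate" precondition.

Added example for this thread, not any poster's code. Layout follows the
Windows registry policy file format: 8-byte header ("PReg" + DWORD version 1)
then UTF-16LE records [key;value;type;size;data]. Sample names are constructed.
"""
import os
import struct

HEADER = b"PReg" + struct.pack("<I", 1)   # signature + version
REG_SZ = 1
REG_DWORD = 4


def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, next_pos)."""
    start = pos
    while True:
        if pos + 2 > len(blob):
            raise ValueError("unterminated string in registry.pol")
        if blob[pos:pos + 2] == b"\x00\x00":
            return blob[start:pos].decode("utf-16-le"), pos + 2
        pos += 2


def _expect(blob, pos, char):
    """Consume one UTF-16LE delimiter ('[', ';' or ']') or fail loudly."""
    if blob[pos:pos + 2] != char.encode("utf-16-le"):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(blob):
    """Return [(key, value_name, reg_type, data), ...]; data decoded for SZ/DWORD."""
    if blob[:8] != HEADER:
        raise ValueError("not a registry.pol file (bad PReg header)")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value_name, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        (reg_type,) = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = _expect(blob, pos + 4, ";")
        raw = blob[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated data field")
        pos = _expect(blob, pos + size, "]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif reg_type == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw
        entries.append((key, value_name, reg_type, data))
    return entries


def build_registry_pol(entries):
    """Serialise (key, value_name, reg_type, data) tuples into registry.pol bytes."""
    u16 = lambda s: s.encode("utf-16-le")
    out = bytearray(HEADER)
    for key, value_name, reg_type, data in entries:
        if reg_type == REG_DWORD:
            raw = struct.pack("<I", data)
        elif reg_type == REG_SZ:
            raw = u16(data) + b"\x00\x00"
        else:
            raw = bytes(data)
        out += u16("[") + u16(key) + b"\x00\x00" + u16(";")
        out += u16(value_name) + b"\x00\x00" + u16(";")
        out += struct.pack("<I", reg_type) + u16(";")
        out += struct.pack("<I", len(raw)) + u16(";") + raw + u16("]")
    return bytes(out)


def is_clean_slate(blob):
    """Header only, no settings: the state Carrie says you must start from."""
    return parse_registry_pol(blob) == []


def check_gpo_folder(folder):
    """Report Machine\\ and User\\ registry.pol status under a GroupPolicy folder.
    A missing file is reported as 'absent': after Steve's rename trick there is
    no file at all until gpedit.msc writes a fresh one."""
    report = {}
    for side in ("Machine", "User"):
        path = os.path.join(folder, side, "registry.pol")
        if not os.path.exists(path):
            report[side] = "absent"
            continue
        with open(path, "rb") as fh:
            n = len(parse_registry_pol(fh.read()))
        report[side] = "clean" if n == 0 else f"{n} setting(s) configured"
    return report


# Constructed samples: key/value names are illustrative, not real policy paths.
CLEAN_POL = build_registry_pol([])
CONFIGURED_POL = build_registry_pol([
    (r"Software\Policies\Example", "ExampleFlag", REG_DWORD, 1),
    (r"Software\Policies\Example", "ExampleName", REG_SZ, "locked"),
])

if __name__ == "__main__":
    print("clean sample:", is_clean_slate(CLEAN_POL))
    print("configured sample:", parse_registry_pol(CONFIGURED_POL))
```

Run check_gpo_folder() against the live GroupPolicy folder before applying any deny ACE; if either side reports configured settings, those are the ones that will keep applying regardless of NTFS permissions, which is exactly the symptom Mike describes.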