Re: Question about Group Policies in XP.

From: Nepatsfan (nepatsfan_at_SBXXXVIII.com)
Date: 02/15/05 

Date: Tue, 15 Feb 2005 16:53:24 -0500

Glad you found a workaround. Though, it really shouldn't be
necessary to change permissions on that folder. A common mistake
some people make when they go through the procedure outlined in
the MS article (step 10) is to change the settings back to "Not
Configured" instead of Disabled. 

-- 
Nepatsfan
"Mike" <Mike@discussions.microsoft.com> wrote in message 
news:B004DCCC-1A54-4A95-AA10-A071E17227E7@microsoft.com...
>I figured out (with a little help from theeldergeek.com) that 
>after you save
> the policy has administrator you have to go to
> c:\windows\system32\grouppolicy\ and take away the read 
> permission and choose
> deny instead of allow so that the policy doesn't affect the 
> administrator
> account.  Thanks for all your help.
>
> "Nepatsfan" wrote:
>
>> I did a little experimenting but you're going to have to tweak
>> this for your needs.
>>
>> Logon as Administrator.
>> Right click an open area of your desktop and select New ->
>> Shortcut.
>> Enter gpedit.msc.
>> Hit Next.
>> Enter a name for this shorcut and select Finish.
>> This will allow you to access the Local Seurity Policy after
>> you've hidden the C drive.
>>
>> Have you enabled any policy settings that remove the Command
>> Prompt entry from the Start menu? If you have then you'll have 
>> to
>> create a shortcut to cmd.exe as well. That will allow you to
>> access the Registry.pol file. Follow the instructions outlined 
>> in
>> the Microsoft article I posted earlier and see if you get the
>> results you want.
>>
>> Keep in mind that there are other ways of accessing the C 
>> drive
>> besides My Computer or Explorer. I've just given you two 
>> examples
>> of how someone can get around this policy.
>>
>> Keep us posted.
>> -- 
>> Nepatsfan
>> "Mike" <Mike@discussions.microsoft.com> wrote in message
>> news:323002FF-53D8-41EA-B0B4-DF659A59907A@microsoft.com...
>> > There is an option under both Computer configuration and 
>> > User
>> > configuration
>> > (I don't remember the exact path) but you can hide the c: 
>> > drive
>> > (make it
>> > invisible) or restrict access to it.  I haven't considered 
>> > NTFS
>> > permissions
>> > cause I don't know enough about it but I have converted the
>> > drives to NTFS.
>> >
>> > "Nepatsfan" wrote:
>> >
>> >> What exactly do you mean by "setting the c: drive to be
>> >> hidden"?
>> >> How did you go about hiding it? You can remove the Run 
>> >> command
>> >> from the start menu easily enough but restricting access to 
>> >> a
>> >> drive could (as you've already seen) have unintended
>> >> consequences. Have you considered using NTFS permissions to
>> >> restrict user access?
>> >>
>> >> -- 
>> >> Nepatsfan
>> >> "Mike" <Mike@discussions.microsoft.com> wrote in message
>> >> news:4F2FF69E-176C-4DDB-8539-696110396F75@microsoft.com...
>> >> > One thing that really screwed me up was setting the c: 
>> >> > drive
>> >> > to
>> >> > be hidden and
>> >> > taking the Run command off the start menu.  I'd like to
>> >> > include
>> >> > these
>> >> > policies under the user account  but if I have to set 
>> >> > these
>> >> > policies up
>> >> > logged in has administrator I won't be able to get back 
>> >> > to
>> >> > the
>> >> > c: drive or
>> >> > c:\windows\system32\gpedit.msc.  How can I do this so I 
>> >> > can
>> >> > set
>> >> > these
>> >> > policies?  Should I give the user account administrator
>> >> > rights
>> >> > then set the
>> >> > policies then take the admin right away and login again 
>> >> > has
>> >> > the
>> >> > user account?
>> >> > That's what screwed me up initially.
>> >> >
>> >> > "Nepatsfan" wrote:
>> >> >
>> >> >> You might want to take a look here:
>> >> >>
>> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;293655
>> >> >>
>> >> >> Here's another tool you might want to consider:
>> >> >>
>> >> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> >> >>
>> >> >> -- 
>> >> >> Nepatsfan
>> >> >> "Mike" <Mike@discussions.microsoft.com> wrote in message
>> >> >> news:CB797599-CA2B-4798-9A15-F0045CEC66D7@microsoft.com...
>> >> >> > I'm not an expert with group policies but would like 
>> >> >> > to
>> >> >> > use
>> >> >> > it
>> >> >> > more.  I'm
>> >> >> > trying to set up five machines with a local group 
>> >> >> > policy
>> >> >> > but
>> >> >> > have screwed up
>> >> >> > two machines already by not being able to get 
>> >> >> > gpedit.msc
>> >> >> > because I set the
>> >> >> > sample user configuration policy up  has the user 
>> >> >> > account
>> >> >> > (user
>> >> >> > account has
>> >> >> > administrator rights) but in doing so the policies 
>> >> >> > also
>> >> >> > affected the
>> >> >> > administrator account so I'm on my third machine.  I
>> >> >> > accidentally set both
>> >> >> > local computer and user policies (didn't know I just 
>> >> >> > had
>> >> >> > to
>> >> >> > use
>> >> >> > user
>> >> >> > configuration) Does anyone have links to any proper
>> >> >> > information
>> >> >> > or
>> >> >> > instruction on how to group policy?  We're tired of 
>> >> >> > using
>> >> >> > Fortres desktop
>> >> >> > security.
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>