Re: Group policy problem (XP alone and XP with NT server)

From: Nepatsfan (nepatsfan_at_SBXXXIX.com)
Date: Fri, 27 May 2005 15:51:12 -0400

I see you've discovered the fact that some of the policies go
into effect immediately. It's a PITA but there is a way around
most of them. That said, be careful. It's not that difficult to
put policies in place that prevent you from going back and
disabling them.

If I understand correctly you're trying to enable the following
policies in the User Configuration\Windows Components\Windows
Explorer section:

Hide these specified Drives in My Computer
Prevent Access to Drives from My Computer

As you've found out, as soon as you enable these two policies,
you won't have access to the C:\Windows\System32\GroupPolicy
folder. Here's a workaround that you might want to try:

While logged on to the computer with your account (or one that is
a member of the Administrators group) create two new shortcuts on
your desktop. One should point to C:\Windows\System32\gpedit.msc
and the other should point to C:\Windows\System32.
What you've got is a shortcut that will launch the Local Group
Policy editor and one that will open the folder one level above
the GroupPolicy folder whose access permissions you need to
change.

Double click the System32 shortcut.
Right click on the GroupPolicy folder and select Properties.
You can close the System32 folder but leave the Properties page
displayed.
Double click your Local Group Policy editor shortcut.
Make your changes and close the editor.
Go back to the GroupPolicy folder's Properties page.
Click on the Security tab.
Click on the Add button.
In "Select Users and Groups" click Advanced.
Click Find Now.
Click on Administrators to highlight that group.
Click OK twice.
Back on the GroupPolicy folder's Properties page remove all the
check marks in the Allow column for the Administrators group. Put
a check mark in the box next to Deny Read.
Click OK.
Log off with your account and log back on to make sure the
policies haven't been applied.
Log on with a limited account to see if the policies have been
applied.

Keep in mind that in order to regain access to the group policy
editor you will have to go back and remove the Deny Read
permission for the Administrator account. All you've got to do is
double click your System32 shortcut and remove the Administrators
group from the GroupPolicy folder's Security page. You should now
be able to launch the Group Policy editor to adjust your policy
settings. Remember to reset your Deny Read permission if you've
left any policies in place.

Post back if you have any questions on this procedure.

Nepatsfan

"Tad Menert" <menertta@webaccess.net> wrote in message
news:e2cc3$4297424f$4e41869$18351@ALLTEL.NET...
> Thanks for your help. I'm getting somewhere, but sometimes it's
> a vicious circle, as when I try to remove my computer and deny
> the administrator read permissions I might force myself into a
> blind corner :)
>
> It was a great help, though
>
> Tad
>
>
> two options:
>>
>> Here's Microsoft's procedure:
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B293655
>>
>> Here's a method that uses NTFS permissions:
>>
>> http://www.theeldergeek.com/gp07.htm
>>
>> The second one is very simple to implement. You set up your
>> group policy and then set the permissions on the
>> C:\Windows\System32\GroupPolicy folder to deny read
>> permissions for the Administrators group.
>>
>> Good luck
>>
>> Nepatsfan
>>
>
>
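The NTFS step of the procedure above, scripted as an added example that is not part of the original thread: it adds or removes the Deny Read entry for the Administrators group on the GroupPolicy folder and reports whether the entry is present. It assumes PowerShell is installed, an elevated session, and that the Administrators group owns the folder; the function names are hypothetical.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Path taken from the post; adjust if Windows is installed elsewhere.
$GpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Well-known SID of the local Administrators group (works on any UI language).
$Admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

function New-DenyReadRule {
    # Deny Read on the folder, its subfolders and files, matching the
    # "Deny Read" check box on the Security tab.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Admins, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
}

function Test-GpDenyRead {
    # True when an explicit Deny entry for Administrators covers reading data.
    $acl   = Get-Acl -Path $GpFolder
    $rules = $acl.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $Admins.Value -and
            $r.AccessControlType -eq 'Deny' -and
            ($r.FileSystemRights -band $read)) { return $true }
    }
    return $false
}

function Lock-GpFolder {
    # Run this after closing gpedit.msc. Deny overrides any Allow entry,
    # so the Allow check marks do not need to be cleared separately here.
    $acl = Get-Acl -Path $GpFolder
    $acl.AddAccessRule((New-DenyReadRule))
    Set-Acl -Path $GpFolder -AclObject $acl
}

function Unlock-GpFolder {
    # Run this before opening gpedit.msc again. This relies on the folder
    # owner being able to read and rewrite the ACL despite the Deny entry.
    $acl = Get-Acl -Path $GpFolder
    [void]$acl.RemoveAccessRule((New-DenyReadRule))
    Set-Acl -Path $GpFolder -AclObject $acl
}

# Typical cycle: Unlock-GpFolder, edit policy, Lock-GpFolder, Test-GpDenyRead
```

Running Test-GpDenyRead before logging off confirms the Deny entry was put back after a policy edit.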
