Re: Group policy problem (XP alone and XP with NT server)
From: Nepatsfan (nepatsfan_at_SBXXXIX.com)
Date: Fri, 27 May 2005 15:51:12 -0400
I see you've discovered the fact that some of the policies go
into effect immediately. It's a PITA but there is a way around
most of them. That said, be careful. It's not that difficult to
put policies in place that prevent you from going back and
If I understand correctly you're trying to enable the following
policies in the User Configuration\Windows Components\Windows
Hide these specified Drives in My Computer
Prevent Access to Drives from My Computer
As you've found out, as soon as you enable these two policies,
you won't have access to the C:\Windows\System32\GroupPolicy
folder. Here's a workaround that you might want to try:
While logged on to the computer with your account (or one that is
a member of the Administrators group) create two new shortcuts on
your desktop. One should point to C:\Windows\System32\gpedit.msc
and the other should point to C:\Windows\System32.
What you've got is a shortcut that will launch the Local Group
Policy editor and one that will open the folder one level above
the GroupPolicy folder whose access permissions you need to
Double click the System32 shortcut.
Right click on the GroupPolicy folder and select Properties.
You can close the System32 folder but leave the Properties page
Double click your Local Group Policy editor shortcut.
Make your changes and close the editor.
Go back to the GroupPolicy folder's Properties page.
Click on the Security tab.
Click on the Add button.
In "Select Users and Groups" click Advanced.
Click Find Now.
Click on Administrators to highlight that group.
Click OK twice.
Back on the GroupPolicy folder's Properties page remove all the
check marks in the Allow column for the Administrators group. Put
a check mark in the box next to Deny Read.
Log off with your account and log back on to make sure the
policies haven't been applied.
Log on with a limited account to see if the policies have been
Keep in mind that in order to regain access to the group policy
editor you will have to go back and remove the Deny Read
permission for the Administrator account. All you've got to do is
double click your System32 shortcut and remove the Administrators
group from the GroupPolicy folder's Security page. You should now
be able to launch the Group Policy editor to adjust your policy
settings. Remember to reset your Deny Read permission if you've
left any policies in place.
Post back if you have any questions on this procedure.
"Tad Menert" <email@example.com> wrote in message
> Thanks for your help. I'm getting somewhere, but sometimes it's
> a vicious circle, as when I try to remove my computer and deny
> the administrator read permissions I might force myself into a
> blind corner :)
> It was a great help, though
> two options:
>> Here's Microsoft's procedure:
>> Here's a method that uses NTFS permissions:
>> The second one is very simple to implement. You set up your
>> group policy and then set the permissions on the
>> C:\Windows\System32\GroupPolicy folder to deny read
>> permissions for the Administrators group.
>> Good luck
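
The Deny Read toggle on the GroupPolicy folder described in the reply above, as an added example that is not part of the original thread. It assumes a Windows version with PowerShell, an elevated session, and an account that owns the folder (an owner can still read and rewrite the permissions after Deny Read is set); the function names are hypothetical, and it adds only the Deny entry rather than reproducing the Allow check mark changes.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Function names are hypothetical; nothing changes until one is called.
$GroupPolicyDir = Join-Path $env:SystemRoot 'System32\GroupPolicy'
# Well-known SID of BUILTIN\Administrators (avoids localized group names).
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$Read   = [System.Security.AccessControl.FileSystemRights]::Read

function New-DenyReadRule {
    # Deny Read for Administrators on the folder, its subfolders and files.
    $ruleArgs = @(
        $Admins,
        $Read,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
}

function Test-LocalGroupPolicyLocked {
    # True when an explicit Deny entry covering Read exists for Administrators.
    $acl   = Get-Acl -LiteralPath $GroupPolicyDir
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and $r.IdentityReference -eq $Admins -and
            ([int]$r.FileSystemRights -band [int]$Read) -eq [int]$Read) { return $true }
    }
    return $false
}

function Lock-LocalGroupPolicy {
    # Run after the policies have been edited and saved.
    if (Test-LocalGroupPolicyLocked) { return }
    $acl = Get-Acl -LiteralPath $GroupPolicyDir
    $acl.AddAccessRule((New-DenyReadRule))
    Set-Acl -LiteralPath $GroupPolicyDir -AclObject $acl
}

function Unlock-LocalGroupPolicy {
    # Run before the next policy edit; removes only the Deny Read entry.
    $acl = Get-Acl -LiteralPath $GroupPolicyDir
    [void]$acl.RemoveAccessRule((New-DenyReadRule))
    Set-Acl -LiteralPath $GroupPolicyDir -AclObject $acl
}

# Lock-LocalGroupPolicy      # after making changes in gpedit.msc
# Unlock-LocalGroupPolicy    # before the next edit
```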