Re: Admin templates in group policy

---

• From: BertieBigBollox@xxxxxxxxx
• Date: 5 Jul 2006 04:02:32 -0700

---

Mark Heitbrink [MVP] wrote:

Hi,

BertieBigBollox@xxxxxxxxx schrieb:

Hmmm. Luckily, I'm in the situation where we're talking about a
standalone Windows 2000 pro machine (so no active directory). Also,
I've used gpedit.msc to edit the policies at the moment.
Do I still need to do as you say so that admin user is unnaffected by
this?

I would recommend it, because it´s easier.
gpedit can´t differ between users, it´s the local policy of
the system you are working on, so it is effecting all of them.

Your problem:
- all your settings are effecting the admin aswell
- you need to deny read permissions on the ..user\registry.pol
file, so he can´t import the settings
- but because he es not allowed to read he even can´t edit it ...

Then you can create a secound Admin Account _prior_ working with gpedit.
- make your settings and deny read to your Administrator

After that your problem is to make changes ...
- probably your alternate admin is no longer allowed to use MMC
- if you create a 3rd admin account this one is restricted aswell
- if you give read permission back to the admin he is restricted aswell
:-(

That´s why I would recommend to start from scratch and use poledit.exe

Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
extend GPO: www.desktopstandard.com
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.

Got this working now. Created another admin user and edited the
permissions on the two group policy files in \winnt\system32\Group
Policy to deny this new user access.

When this new admin user logs in it works fine with no policies applied.

.

---

• References:
  • Admin templates in group policy
    • From: BertieBigBollox
  • Re: Admin templates in group policy
    • From: Mark Heitbrink [MVP]
  • Re: Admin templates in group policy
    • From: BertieBigBollox
  • Re: Admin templates in group policy
    • From: Mark Heitbrink [MVP]

• Prev by Date: Re: Admin templates in group policy
• Next by Date: Re: Include All Network Paths (UNCs)
• Previous by thread: Re: Admin templates in group policy
• Next by thread: Include All Network Paths (UNCs)
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Group Policy Issues ... the default policies were corrupt. ... Today however I am able to view the GPOs, ... > Controller Policy' is fine, I can edit that one, but any others I cannot ... > Even if I login as Administrator on a PDC, ... (microsoft.public.windows.server.active_directory) Re: Security Update 2006-002 Released ... Any admin user can install software without being prompted ... /Applications folder is wide open to malware exploits. ... (comp.sys.mac.system) Re: Admin templates in group policy ... I've used gpedit.msc to edit the policies at the moment. ... Do I still need to do as you say so that admin user is unnaffected by ... if you give read permission back to the admin he is restricted aswell ... when I log in as pauladmin no policies will be applied. ... (microsoft.public.win2000.group_policy) Re: Administators group confusion ... your suggestion to explicitly start notepad as the ... I normally run as a non admin user on the machine and only escalate to the ... UAC, so my only way to acheive this is to disable UAC? ... (microsoft.public.windows.vista.security) Re: Adding programs to "limited" account users ... E.g. MS Works calendar is ok for my admin user, ... >an admin account in order to install. ... (microsoft.public.windowsxp.security_admin)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Win2000  > microsoft.public.win2000.group_policy  > 2006-07