Re: Stand-alone (non-networked) computer - restrict one account but not another



Hi Tim

There's no supported method for achieving this. That said, you can edit the policy when logged in as an admin and then deny the admin read permissions on %windir%\system32\GroupPolicy.

When the admin logs in, the local policy won't apply to them because they can't read it. When the user logs in, they will still get the policy. The catch here is that once read permissions are denied for the admin, the admin can't edit the policy any more. You have to add read permissions back to be able to edit. The danger is then that the policy may apply while you're in the middle of editing and, depending on the settings, the admin account may be restricted to a point where they can no longer function.

As I said, this is NOT supported. You stand a good chance of getting yourself into trouble and having to flatten the machine.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@xxxxxxxxxxxxxxxxxxxx

Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Tim Rude" <timrude@xxxxxxxxxxxxxxxxxx> wrote in message news:e66$IZ5EIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
I've got a stand-alone (non-networked) Windows 2000 Pro machine with
only two accounts - one Administrator (with a password) and one User (no
password). Windows is set to auto-login to the User account at boot up.

I want to lock down the User account to disable stuff like the Control
Panel, Display settings, Taskbar settings, etc. However, I want to leave
these things enabled when logged in under the Administrator account.

Using the Group Policy editor, I can disable what I want but it affects
both accounts. How can I selectively apply the Group Policy settings to
only the User account?

TIA

--
Tim Rude

timrude@xxxxxxxxxxxxxxxxxx
(remove NOSPAM. for correct email address)