Re: Lock out Group Policy Editor.



It is never possible to completely lock-out a user who has "Domain Admin"
rights, because by design, they have total access to the domain controllers
of that domain - and therefore access to anything subject to the security of
that domain.

Having said that, it is possible to restrict access to GPMC and the rights
to create new GPOs. Open the GPMC, select the Group Policy Objects
container, then in the right pane of the console, click the Delegation tab.
You will see the Groups and Users who have rights to create GPOs in the
domain. Click the Add button to add accounts to this right. Click the
Properties button to view or change the properties of accounts who have
rights to GPOs.

Under the Group Policy Objects container are all the policies in the domain.
Select any of these and click the Delegation tab in the right pane to modify
permissions for any specific policy. Clicking on the Advanced button allows
you to modify or view the specific ACLs and ACEs for that policy.

There is also a Group Policy Creator Owners group in the Users container
that assigns rights to modify group policy for the domain.

-ds


"Roger" <n@xxxxx> wrote in message
news:OwCgmxHRGHA.4900@xxxxxxxxxxxxxxxxxxxxxxx
I want to lock the GPE so that only a single, specific administrative user
has access to it. In addition, I want to prevent any other administrative
user (either already existing or new) from being able to break into the
GPE. This is for a single computer running XP pro with SP2 (no domain).

If this is not possible, is there a way to "freeze" the list of users with
the "take ownership" privilege so that it cannot be changed?

Thanks

Roger
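
The delegation review described in the reply can also be done from a script. This is an added example, not part of the original thread: it assumes a domain-joined host with the GroupPolicy and ActiveDirectory PowerShell modules installed, and the `$expected` baseline is a placeholder to adapt.

```powershell
# Added example: audit who can modify GPOs in the current domain.
# Assumes the GroupPolicy and ActiveDirectory (RSAT) modules are available.
Import-Module GroupPolicy, ActiveDirectory

# Permission levels that allow changing a GPO's settings or its ACL.
# GpoCustom is included because a custom ACE may grant write access and
# needs manual review on the GPO's Delegation tab (Advanced button).
$writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

# Trustees expected to hold write access (assumed baseline, adjust as needed).
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        if ([string]$ace.Permission -in $writeLevels) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $ace.Trustee.Name
                Type       = $ace.Trustee.SidType
                Permission = $ace.Permission
                Expected   = $ace.Trustee.Name -in $expected
            }
        }
    }
}

# Unexpected trustees sort first so they are easy to spot.
$findings | Sort-Object Expected, Gpo | Format-Table -AutoSize

# Members of the Group Policy Creator Owners group mentioned in the reply.
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object Name, objectClass, SamAccountName
```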

