Re: Lock out Group Policy Editor.



"Dave Shaw [MVP]" <dhshaw@xxxxxxx> wrote in
news:eU7#iTURGHA.5296@xxxxxxxxxxxxxxxxxxxx:

It is never possible to completely lock-out a user who has "Domain
Admin" rights, because by design, they have total access to the domain
controllers of that domain - and therefore access to anything subject
to the security of that domain.

Having said that, it is possible to restrict access to GPMC and the
rights to create new GPOs. Open the GPMC, select the Group Policy
Objects container, then in the right pane of the console, click the
Delegation tab. You will see the Groups and Users who have rights to
create GPOs in the domain. Click the Add button to add accounts to
this right. Click the Properties button to view or change the
properties of accounts who have rights to GPOs.

Under the Group Policy Objects container are all the policies in the
domain. Select any of these and click the Delegation tab in the right
pane to modify permissions for any specific policy. Clicking on the
Advanced button allows you to modify or view the specific ACLs and
ACEs for that policy.

There is also a Group Policy Creator Owners group in the Users
container that assigns rights to modify group policy for the domain.

-ds


"Roger" <n@xxxxx> wrote in message
news:OwCgmxHRGHA.4900@xxxxxxxxxxxxxxxxxxxxxxx
I want to lock the GPE so that only a single, specific administrative
user has access to it. In addition, I want to prevent any other
administrative user (either already existing or new) from being able
to break into the GPE. This is for a single computer running XP pro
with SP2 (no domain).

If this is not possible, is there a way to "freeze" the list of users
with the "take ownership" privilege so that it cannot be changed?

Thanks

Roger




Ok, two new questions:

1: Since the computer is NOT part of a domain, is what you said with
the rights delegation still true?

2: I could not find a "Group Policy Objects" container. Please explain
what GPMC is and how I would access it. I know about getting into the
group policy editor, which I did go into, but I did not find anything
like what you described.

Thanks

Roger
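
For the domain case described in the quoted reply, the per-GPO Delegation tab can also be reviewed in bulk from PowerShell. This is an added example, not part of the original thread; it assumes a domain-joined management host with the GroupPolicy module (installed with GPMC/RSAT), and the `$expected` allowlist is a hypothetical value to adjust for your domain.

```powershell
# Added example: list trustees holding edit-level rights on any GPO in the
# current domain, excluding an expected set of administrative trustees.
# Assumption: GroupPolicy module is available (GPMC / RSAT installed).
Import-Module GroupPolicy

# Hypothetical allowlist of trustees expected to hold edit rights.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels that allow changing a GPO's settings or its ACL.
# GpoCustom is included because a custom ACE set needs manual review.
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$findings = foreach ($gpo in Get-GPO -All) {
    # -All returns every trustee shown on the GPO's Delegation tab.
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        $isEdit       = $editLevels -contains $perm.Permission.ToString()
        $isUnexpected = $expected -notcontains $perm.Trustee.Name
        if ($isEdit -and $isUnexpected) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = '{0}\{1}' -f $perm.Trustee.Domain, $perm.Trustee.Name
                SidType    = $perm.Trustee.SidType
                Permission = $perm.Permission
                Inherited  = $perm.Inherited
            }
        }
    }
}

# Each row is a delegation to check against the GPMC Delegation tab.
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

This covers only the permissions on existing GPOs; the right to create new GPOs and membership of the Group Policy Creator Owners group are reviewed separately.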