Local Group Policy question (WinXP Pro)

By mikescorpio81 · 6 replies
Jun 14, 2007
  1. Hi all,

    I am currently locking down a PC for a client of mine. PC is used as a DMZ, used by the public only to access the internet. PC runs Windows XP Pro SP2.

    While configuring the Local Group Policy through gpedit.msc (or through mmc - add/remove snap-in ...) I realised that while applying policies at the "User" level, the administrator account also inherits these policies. Same goes if applied at the "Computer" level, but that goes without saying.

    Luckily I was not applying them directly to the PC in question, rather applying local policies through a VMware session on my laptop, just in case something like this happened.

    My question is how can I apply strong Local Group Policies on a PC WITHOUT the administrator account inheriting them?

    I tried setting "Deny" permissions on the C:\WINDOWS\System32\GroupPolicy folder, but to make changes to GPO's you need access to this folder. I did work though! :)

    I should also say that this PC is not joined to the Domain and is on a separate subnet to all other PC's.

    Any help would be appreciated.

  2. CCT

    CCT TS Evangelist Posts: 2,653   +6

  3. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    You could use the deny trick and create a special user with "allow" permissions to edit the policy. And then use the Run As feature to do the editing when necessary.
  4. mikescorpio81

    mikescorpio81 TS Rookie Topic Starter Posts: 293

    Thanks for the advice. A dummy account may be what is required for this.

    Wouldn't mind a registry tweak though! :)

    EDIT: It's getting harder to do this ...

    To apply group policies through gpedit.msc you must be an administrator. To then set "Deny" permissions over the GroupPolicy folder you need rights to actually get there ... something I took away when applying the strong policy!

    I found this article: http://articles.techrepublic.com.com/5100-6346_11-6025530.html

    I will try this and update you all once complete.

  5. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    "Log off and then log on as each of the other users, in turn, to whom you want to apply the restrictions."

    Might as well just configure the machine under every user. Why mess with the policy? :)
  6. tipstir

    tipstir TS Ambassador Posts: 2,477   +126

    Also do Local Security Policy, much more powerful; there are holes in there. Like the Guest account, it should be renamed to something completely different and it should also be disabled. Tighten up the ship you got there buddy. gpedit.msc is more for setting up roles. Local Security Policy under admin tools is where to start.
  7. mikescorpio81

    mikescorpio81 TS Rookie Topic Starter Posts: 293

    The policy must be tight. Users should not be able to access anything other than Internet Explorer.
    Everything else must be disabled or unreachable. I'm not bad at doing this, but more for Domains (OU's) rather than single PC's. Same logic though, but the administrator account is affected also.

    I'm making progress though, my earlier post with the link does the trick. Time to do it live now :)
Topic Status:
Not open for further replies.
