Local Group Policy question (WinXP Pro)

Status
Not open for further replies.

mikescorpio81

Hi all,

I am currently locking down a PC for a client of mine. PC is used as a DMZ, used by the public only to access the internet. PC runs Windows XP Pro SP2.

While configuring the Local Group Policy through gpedit.msc (or through mmc - add/remove snap-in ...) I realised that while applying policies at the "User" level, the administrator account also inherits these policies. Same goes if applied at the "Computer" level, but that goes without saying.

Luckily I was not applying them directly to the PC in question, rather applying local policies through a VMware session on my laptop, just in case something like this happened.

My question is how can I apply strong Local Group Policies on a PC WITHOUT the administrator account inheriting them?

I tried setting "Deny" permissions on the C:\WINDOWS\System32\GroupPolicy folder, but to make changes to GPOs you need access to this folder. It did work though! :)

I should also say that this PC is not joined to the Domain and is on a separate subnet to all other PCs.

Any help would be appreciated.

Cheers
 
You could use the deny trick and create a special user with "allow" permissions to edit the policy. And then use the Run As feature to do the editing when necessary.
 
Thanks for the advice. A dummy account may be what is required for this.

Wouldn't mind a registry tweak though! :)



EDIT: It's getting harder to do this ...

To apply group policies through gpedit.msc you must be an administrator. To then set "Deny" permissions over the GroupPolicy folder you need rights to actually get there ... something I took away when applying the strong policy!

I found this article: http://articles.techrepublic.com.com/5100-6346_11-6025530.html

I will try this and update you all once complete.

Cheers
 
"Log off and then log on as each of the other users, in turn, to whom you want to apply the restrictions."

Might as well just configure the machine under every user. Why mess with the policy? :)
 
Also do Local Security Policy, it's much more powerful. There are holes in there, like the Guest account: it should be renamed to something completely different and it should also be disabled. Tighten up the ship you got there, buddy. gpedit.msc is more for setting up roles. Local Security Policy under admin tools is where to start.
 
The policy must be tight. Users should not be able to access anything other than Internet Explorer.
Everything else must be disabled or unreachable. I'm not bad at doing this, but more for Domains (OUs) rather than single PCs. Same logic though, but the administrator account is affected also.

I'm making progress though, my earlier post with the link does the trick. Time to do it live now :)
 