Solved

gpedit & user access & domains.

Posted on 2004-04-22
5
696 Views
Last Modified: 2007-12-19
hi ...ok
Setup= server 2003, exchange 2003, clients XP pro(40 no)

all users need rights to do what they like on there machine (ie install printers, install software), yes i know, i have good users and we only clamp down on naughty people.

I setup each XP Pro's "local users and Groups" administrators group with "domain users". this allows anyone who logs on has local admin rights to that client PC.  Domain permissions and security access right are governed by server 2003 setting and over rule client settings. (confused yet)

What i would love to do is make GPEDIT.msc not accessable on client machines, as this is a great way of restriction a few little things (even though by doing regedit, seems to over ride some gpedit setting ie wallpaper). But as people are set up as local admin they have access to it. If i set people who log on to a client PC as say 'power users' then they cant install programs.
Do you see my problem?

if i need to explain further please ask.


Si..
0
Comment
Question by:SIMONBRATT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 250 total points
ID: 10887599
Hmm..interesting dilema.

Try this as a suggestion...

Create a batch file - call it win.cmd
-------win.cmd---------
@net send %computername% "The Group Policy console is not accessible.  Contact your administrator."
-----------------------

Now,
Start->Run->Regedit
Navigate to Hkey_Classes_Root\MSCFile\Shell\Open\Command
In the right pane, you could change the Default line to read:
cmd /c %systemroot%\system32\win.cmd

Now, when they tried to run it, they'd get this message at their console instead...
Although this isn't a 'real' restriction, it might do just as well.

Reason to create the file %systemroot%\system32\win.cmd is to make it a bit obscure.  If they're registry-savvy, they might search for your "access denied" message.  It's much more difficult to search for the blank screen that will be displayed for a few miliseconds...they have no reference to what is running the block.

That's the best I can come up with since you're giving them admin rights.
Alternatively, you may be able to disable system restore service (start/run/services.msc) and rename/delete gpedit.msc and gpedit.dll (the dll is in both %systemroot%\system32 & %systemroot%\system32\dllcache)

Good luck!
0
 

Author Comment

by:SIMONBRATT
ID: 10889543
hmm interesting, nice idea.
Would be nice to have an official (ie proper) way of doing it, for continuity. ie password gpedit
0
 

Author Comment

by:SIMONBRATT
ID: 10889561
although im not a fan of passwords, usually causes problems.
Whats really needed is to be able to make another 'Group' or copy the admin Group and then remove items from it
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you build your web application in Visual Studio you'll get at least a few binaries, or .DLL, files in your bin folder. However, there is more compiling to be done. Normally this would happen when an ASP.NET resource within the web site is request…
We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question