Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

gpedit & user access & domains.

Posted on 2004-04-22
5
Medium Priority
?
710 Views
Last Modified: 2007-12-19
hi ...ok
Setup= server 2003, exchange 2003, clients XP pro(40 no)

all users need rights to do what they like on there machine (ie install printers, install software), yes i know, i have good users and we only clamp down on naughty people.

I setup each XP Pro's "local users and Groups" administrators group with "domain users". this allows anyone who logs on has local admin rights to that client PC.  Domain permissions and security access right are governed by server 2003 setting and over rule client settings. (confused yet)

What i would love to do is make GPEDIT.msc not accessable on client machines, as this is a great way of restriction a few little things (even though by doing regedit, seems to over ride some gpedit setting ie wallpaper). But as people are set up as local admin they have access to it. If i set people who log on to a client PC as say 'power users' then they cant install programs.
Do you see my problem?

if i need to explain further please ask.


Si..
0
Comment
Question by:SIMONBRATT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 1000 total points
ID: 10887599
Hmm..interesting dilema.

Try this as a suggestion...

Create a batch file - call it win.cmd
-------win.cmd---------
@net send %computername% "The Group Policy console is not accessible.  Contact your administrator."
-----------------------

Now,
Start->Run->Regedit
Navigate to Hkey_Classes_Root\MSCFile\Shell\Open\Command
In the right pane, you could change the Default line to read:
cmd /c %systemroot%\system32\win.cmd

Now, when they tried to run it, they'd get this message at their console instead...
Although this isn't a 'real' restriction, it might do just as well.

Reason to create the file %systemroot%\system32\win.cmd is to make it a bit obscure.  If they're registry-savvy, they might search for your "access denied" message.  It's much more difficult to search for the blank screen that will be displayed for a few miliseconds...they have no reference to what is running the block.

That's the best I can come up with since you're giving them admin rights.
Alternatively, you may be able to disable system restore service (start/run/services.msc) and rename/delete gpedit.msc and gpedit.dll (the dll is in both %systemroot%\system32 & %systemroot%\system32\dllcache)

Good luck!
0
 

Author Comment

by:SIMONBRATT
ID: 10889543
hmm interesting, nice idea.
Would be nice to have an official (ie proper) way of doing it, for continuity. ie password gpedit
0
 

Author Comment

by:SIMONBRATT
ID: 10889561
although im not a fan of passwords, usually causes problems.
Whats really needed is to be able to make another 'Group' or copy the admin Group and then remove items from it
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you build your web application in Visual Studio you'll get at least a few binaries, or .DLL, files in your bin folder. However, there is more compiling to be done. Normally this would happen when an ASP.NET resource within the web site is request…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question