Solved

gpedit & user access & domains.

Posted on 2004-04-22
Last Modified: 2007-12-19
hi ...ok
Setup= server 2003, exchange 2003, clients XP pro(40 no)

All users need rights to do what they like on their machine (i.e. install printers, install software). Yes, I know; I have good users and we only clamp down on naughty people.

I set up each XP Pro's "Local Users and Groups" Administrators group with "Domain Users". This means anyone who logs on has local admin rights to that client PC. Domain permissions and security access rights are governed by Server 2003 settings and overrule client settings. (confused yet)

What I would love to do is make GPEDIT.msc not accessible on client machines, as this is a great way of restricting a few little things (even though using regedit seems to override some gpedit settings, i.e. wallpaper). But as people are set up as local admin they have access to it. If I set people who log on to a client PC as, say, 'power users' then they can't install programs.
Do you see my problem?

If I need to explain further, please ask.


Si..
Question by:SIMONBRATT
Accepted Solution

by:
sirbounty earned 250 total points
Hmm... interesting dilemma.

Try this as a suggestion...

Create a batch file - call it win.cmd
-------win.cmd---------
@net send %computername% "The Group Policy console is not accessible.  Contact your administrator."
-----------------------

Now,
Start->Run->Regedit
Navigate to Hkey_Classes_Root\MSCFile\Shell\Open\Command
In the right pane, you could change the Default line to read:
cmd /c %systemroot%\system32\win.cmd

Now, when they tried to run it, they'd get this message at their console instead...
Although this isn't a 'real' restriction, it might do just as well.

Reason to create the file %systemroot%\system32\win.cmd is to make it a bit obscure.  If they're registry-savvy, they might search for your "access denied" message.  It's much more difficult to search for the blank screen that will be displayed for a few milliseconds... they have no reference to what is running the block.

That's the best I can come up with since you're giving them admin rights.
Alternatively, you may be able to disable system restore service (start/run/services.msc) and rename/delete gpedit.msc and gpedit.dll (the dll is in both %systemroot%\system32 & %systemroot%\system32\dllcache)

Good luck!

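As an added example (not part of sirbounty's answer or the thread), a PowerShell audit of the registry value that answer edits. The `MSCFile` open command is shared by every `.msc` snap-in, not just gpedit.msc, so the script reports any deviation from the assumed stock MMC handler and can restore it; the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only audit of the 'open' verb the
# answer edits, with an optional restore. Assumed stock value for comparison:
$Expected = '%SystemRoot%\system32\mmc.exe "%1" %*'
$SubKey   = 'mscfile\shell\open\command'

function Get-MscOpenCommand {
    # Read the raw (unexpanded) default value; a REG_EXPAND_SZ would otherwise
    # be expanded and never match the literal %SystemRoot% form.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try {
        return $key.GetValue('', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    } finally { $key.Close() }
}

function Test-MscOpenCommand {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return $false }
    # Case-insensitive comparison after trimming whitespace.
    return $Command.Trim() -ieq $Expected
}

function Restore-MscOpenCommand {
    # Needs an elevated session: writes the machine-wide class registration.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("Software\Classes\$SubKey")
    try {
        $key.SetValue('', $Expected, [Microsoft.Win32.RegistryValueKind]::ExpandString)
    } finally { $key.Close() }
}

$current = Get-MscOpenCommand
if (Test-MscOpenCommand $current) {
    Write-Output "OK: .msc files open with MMC ($current)"
} else {
    Write-Output "CHANGED: open verb for every .msc snap-in is now: $current"
    # A per-user key under HKCU\Software\Classes wins over HKLM in the HKCR view.
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("Software\Classes\$SubKey")
    if ($hkcu) { Write-Output 'Note: per-user override present under HKCU'; $hkcu.Close() }
    # Restore-MscOpenCommand   # uncomment to put the stock handler back
}
```

Run before and after the change on a test client to confirm which consoles (services.msc, compmgmt.msc and so on) are affected along with gpedit.msc.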
Author Comment

by:SIMONBRATT
hmm interesting, nice idea.
Would be nice to have an official (ie proper) way of doing it, for continuity. ie password gpedit

Author Comment

by:SIMONBRATT
Although I'm not a fan of passwords, usually causes problems.
What's really needed is to be able to make another 'Group' or copy the admin Group and then remove items from it.