Solved

gpedit & user access & domains.

Posted on 2004-04-22
Last Modified: 2007-12-19
Hi... OK.
Setup: Server 2003, Exchange 2003, clients XP Pro (40 no.)

All users need rights to do what they like on their machine (i.e. install printers, install software). Yes, I know; I have good users and we only clamp down on naughty people.

I set up each XP Pro's "Local Users and Groups" Administrators group with "Domain Users". This means anyone who logs on has local admin rights to that client PC. Domain permissions and security access rights are governed by Server 2003 settings and overrule client settings. (Confused yet?)

What I would love to do is make GPEDIT.msc not accessible on client machines, as this is a great way of restricting a few little things (even though using regedit seems to override some gpedit settings, i.e. wallpaper). But as people are set up as local admins they have access to it. If I set people who log on to a client PC as, say, 'Power Users' then they can't install programs.
Do you see my problem?

If I need to explain further please ask.


Si..
Question by:SIMONBRATT

Accepted Solution

by:
sirbounty earned 250 total points
ID: 10887599
Hmm... interesting dilemma.

Try this as a suggestion...

Create a batch file - call it win.cmd
-------win.cmd---------
@net send %computername% "The Group Policy console is not accessible.  Contact your administrator."
-----------------------

Now,
Start->Run->Regedit
Navigate to Hkey_Classes_Root\MSCFile\Shell\Open\Command
In the right pane, you could change the Default line to read:
cmd /c %systemroot%\system32\win.cmd

Now, when they tried to run it, they'd get this message at their console instead...
Although this isn't a 'real' restriction, it might do just as well.

The reason to create the file %systemroot%\system32\win.cmd is to make it a bit obscure.  If they're registry-savvy, they might search for your "access denied" message.  It's much more difficult to search for the blank screen that will be displayed for a few milliseconds... they have no reference to what is running the block.

That's the best I can come up with since you're giving them admin rights.
Alternatively, you may be able to disable system restore service (start/run/services.msc) and rename/delete gpedit.msc and gpedit.dll (the dll is in both %systemroot%\system32 & %systemroot%\system32\dllcache)

Good luck!
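
An added example, not part of sirbounty's answer or the original thread: because the redirect above is only a registry value that local administrators can change back, this PowerShell script reads the machine-wide MSCFile open command on each client and reports whether it is the redirect from the answer, the stock handler, or something else. The client names, the stock handler string and a reachable Remote Registry service on the clients are assumptions.

```powershell
# Added example: audit the .msc open command on a list of clients.
$Clients  = 'XPCLIENT01', 'XPCLIENT02'                 # constructed sample names
$Stock    = '%SystemRoot%\system32\mmc.exe "%1" %*'    # assumed Windows default
$Redirect = 'cmd /c %systemroot%\system32\win.cmd'     # value from the answer above
# HKCR cannot be opened remotely; read its machine-wide half under HKLM.
# A per-user entry under HKCU\Software\Classes is not covered by this check.
$SubKey   = 'SOFTWARE\Classes\MSCFile\shell\open\command'

function Get-MscOpenCommand {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hive.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        # Read the raw string so %SystemRoot% is compared unexpanded.
        $value = $key.GetValue('', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $key.Close()
        return $value
    } finally {
        $hive.Close()
    }
}

function Get-MscState {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return 'Missing' }
    $c = $Command.Trim()
    if ($c -ieq $Redirect) { return 'Redirected' }   # workaround still in place
    if ($c -ieq $Stock)    { return 'Stock' }        # never applied, or reverted
    return 'Unexpected'                              # some other handler: investigate
}

foreach ($pc in $Clients) {
    try {
        $cmd   = Get-MscOpenCommand -Computer $pc
        $state = Get-MscState -Command $cmd
    } catch {
        $cmd   = $_.Exception.Message
        $state = 'Unreachable'
    }
    New-Object PSObject -Property @{ Computer = $pc; State = $state; Command = $cmd } |
        Select-Object Computer, State, Command
}
```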

Author Comment

by:SIMONBRATT
ID: 10889543
Hmm, interesting, nice idea.
Would be nice to have an official (i.e. proper) way of doing it, for continuity, i.e. password gpedit.
 

Author Comment

by:SIMONBRATT
ID: 10889561
Although I'm not a fan of passwords, as they usually cause problems.
What's really needed is to be able to make another 'Group', or copy the admin Group and then remove items from it.
