Solved

gpedit & user access & domains.

Posted on 2004-04-22
Last Modified: 2007-12-19
hi ...ok
Setup= server 2003, exchange 2003, clients XP pro(40 no)

All users need rights to do what they like on their machine (i.e. install printers, install software). Yes, I know; I have good users and we only clamp down on naughty people.

I set up each XP Pro's "Local Users and Groups" Administrators group with "Domain Users". This means anyone who logs on has local admin rights to that client PC.  Domain permissions and security access rights are governed by Server 2003 settings and overrule client settings. (confused yet)

What I would love to do is make GPEDIT.msc not accessible on client machines, as this is a great way of restricting a few little things (even though using regedit seems to override some gpedit settings, i.e. wallpaper). But as people are set up as local admins they have access to it. If I set people who log on to a client PC as, say, 'power users' then they can't install programs.
Do you see my problem?

If I need to explain further please ask.


Si..
Question by:SIMONBRATT
Accepted Solution

by: sirbounty earned 250 total points
ID: 10887599
Hmm... interesting dilemma.

Try this as a suggestion...

Create a batch file - call it win.cmd
-------win.cmd---------
@net send %computername% "The Group Policy console is not accessible.  Contact your administrator."
-----------------------

Now,
Start->Run->Regedit
Navigate to Hkey_Classes_Root\MSCFile\Shell\Open\Command
In the right pane, you could change the Default line to read:
cmd /c %systemroot%\system32\win.cmd

Now, when they tried to run it, they'd get this message at their console instead...
Although this isn't a 'real' restriction, it might do just as well.

Reason to create the file %systemroot%\system32\win.cmd is to make it a bit obscure.  If they're registry-savvy, they might search for your "access denied" message.  It's much more difficult to search for the blank screen that will be displayed for a few milliseconds... they have no reference to what is running the block.

That's the best I can come up with since you're giving them admin rights.
Alternatively, you may be able to disable system restore service (start/run/services.msc) and rename/delete gpedit.msc and gpedit.dll (the dll is in both %systemroot%\system32 & %systemroot%\system32\dllcache)

Good luck!
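The registry change described in the answer above, as an added example (not part of the original post) that saves the existing handler first so the change can be undone. The value being edited is the open handler for the whole mscfile type, so the change applies to every .msc console, not only gpedit.msc. The script name mscblock.cmd and the backup path are assumptions; win.cmd is the file from the answer.

```batch
@echo off
rem mscblock.cmd - added example, not from the original answer.
rem Usage: mscblock.cmd apply ^| undo ^| show   (run as a local administrator)
setlocal
set "KEY=HKCR\mscfile\shell\open\command"
rem Backup location is an assumption; keep it somewhere you will find it again.
set "BACKUP=%systemroot%\system32\mscfile-open.reg"

if /i "%~1"=="apply" goto apply
if /i "%~1"=="undo"  goto undo
if /i "%~1"=="show"  goto show
echo Usage: %~nx0 apply ^| undo ^| show
exit /b 2

:apply
rem Export only once, so a second "apply" cannot overwrite the original handler.
if not exist "%BACKUP%" (
    reg export "%KEY%" "%BACKUP%" || exit /b 1
)
rem %%systemroot%% is written unexpanded, exactly as the value appears in the answer.
reg add "%KEY%" /ve /t REG_EXPAND_SZ /d "cmd /c %%systemroot%%\system32\win.cmd" /f || exit /b 1
goto show

:undo
if not exist "%BACKUP%" (
    echo No backup found at "%BACKUP%", nothing restored.
    exit /b 1
)
reg import "%BACKUP%" || exit /b 1
goto show

:show
rem Print the current default value so the result can be checked by eye.
reg query "%KEY%" /ve
exit /b %errorlevel%
```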
 

Author Comment

by:SIMONBRATT
ID: 10889543
Hmm, interesting, nice idea.
Would be nice to have an official (i.e. proper) way of doing it, for continuity, i.e. password gpedit.
 

Author Comment

by:SIMONBRATT
ID: 10889561
Although I'm not a fan of passwords, usually causes problems.
What's really needed is to be able to make another 'Group' or copy the admin Group and then remove items from it.
