group policy question

Posted on 2006-06-22
Medium Priority
Last Modified: 2010-04-13
Hi all,
I haven't had much experience using group policy and have been asked to do this
on a W2K network.

create a new user with admin rights
restrict this new user from accessing anyother users files
from changing the desktop background
from running any exe file
from deleting printers
from accessing the control panel
hide the C: drive

change firewall settings so users can't download any chat programs
user should also not be able to download games from internet


I edited the default domain policy and can achieve most of what's above; however, I notice
it also applies to the domain controller. How can I do this without restricting the domain controller itself, just
the workstations?

The bit about creating a new user with admin rights is a bit confusing too! Can I apply group policy settings on a per-user basis like this?

Question by:dlloyd37
LVL 48

Assisted Solution

Jay_Jay70 earned 1000 total points
ID: 16958178
No no no no no! Lesson one in GPO... do not touch the default domain policy ever!!!! Create a new policy located on the OU within which the user account resides! Right-click on the OU - Properties - Group Policy - Create New!

There you can put your settings!!

Use NTFS permissions to stop him accessing the desired folders.

To give him admin privileges: right-click My Computer on the desired machine - Manage - Local Users and Groups - Groups - Administrators - Properties - Members - Add.
LVL 43

Accepted Solution

Steve Knight earned 1000 total points
ID: 16958227
If they are an admin then one way or another they can override this by running .REG scripts, amending policy locally etc. If you restrict all EXEs that is going to cause untold issues, and the user could also just rename a file from EXE to COM, or possibly even CMD or SCR etc., and run it too. You can specify a list of EXEs or other programs they can't run, though; this doesn't stop them renaming a file, though.

You need to set NTFS permissions on wherever these files are to stop them accessing them; if they are on the same machine you can't if they are an admin, as they can take ownership and give themselves rights.

Desktop background, Control Panel etc. are easy to change in policy, but again can be overridden by an admin.

I think you need to make them a normal non-admin for starters.

GPO is based on objects in OUs, but you can either put the user in their own OU or create a GPO on an OU with multiple users, then change in the security of the GPO which users / groups it applies to (the Apply entry in the security).

Don't change the default domain policy as it affects everything by default. Create a separate OU for any PCs / users you want to affect.

Be careful when creating fairly drastic policies like this, especially at the domain level.
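The procedure the two answers describe (separate OU, users and computers moved into it, a new GPO linked there, security filtering so it hits only chosen users, and the restrictions from the question), as an added example that is not part of the thread. It is scripted with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Server 2008 R2 or later); the Windows 2000 console in the thread has no cmdlets, so this is the same procedure on a current domain. The domain, OU, group, workstation and user names are assumptions.

```powershell
# Added example, not code from the thread. Assumes RSAT modules, a domain-joined
# admin session, and these placeholder names: OU "Restricted", group "Restricted Users",
# workstation WS01, user jbloggs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=corp,DC=example (assumed)
$ouName   = 'Restricted'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Restricted Users'
$grpName  = 'Restricted Users'

# 1. A separate OU. The Default Domain Policy is left alone: it is linked at the
#    domain root, so it would hit the domain controllers too.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the workstation and the user out of the default Computers / Users
#    containers; those containers cannot carry a GPO link.
Get-ADComputer -Identity 'WS01'    | Move-ADObject -TargetPath $ouDN
Get-ADUser     -Identity 'jbloggs' | Move-ADObject -TargetPath $ouDN

# 3. A group for security filtering, so one GPO on a shared OU applies only to chosen users.
if (-not (Get-ADGroup -Filter "Name -eq '$grpName'")) {
    New-ADGroup -Name $grpName -GroupScope Global -Path $ouDN
}
Add-ADGroupMember -Identity $grpName -Members 'jbloggs'

# 4. New GPO linked to the OU. -Enforced is the "No Override" option of the W2K console.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Lockdown: desktop, control panel, printers, C: drive' | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced Yes -ErrorAction SilentlyContinue

# 5. The user-side restrictions from the question, as the registry values the
#    corresponding administrative-template settings write. NoDrives is a bitmask
#    (A=1, B=2, C=4), so 4 hides only C:.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desktop  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel'      -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDeletePrinter'     -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDrives'            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktop  -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null

# 6. Security filtering (the "Apply" entry in the GPO's security). Authenticated Users
#    are downgraded from Apply to Read rather than removed: the computer account still
#    has to read the GPO for it to be processed at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $grpName              -TargetType Group -PermissionLevel GpoApply         | Out-Null

# 7. Verify the link and the filtering, and confirm the user is NOT a local admin on the
#    workstation (the answers' main caveat: an admin can undo all of the above locally).
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
Get-GPPermission  -Name $gpoName -All | Format-Table Trustee, Permission
Invoke-Command -ComputerName 'WS01' -ScriptBlock { Get-LocalGroupMember -Group 'Administrators' }
```

Run `gpupdate /force` on the workstation and log the user on to test; `gpresult /r` on the client shows whether the GPO was applied or filtered out. If the user really must be a local administrator for one application, expect every user-side setting here to be reversible by that user, exactly as the answers warn.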

LVL 43

Expert Comment

by:Steve Knight
ID: 16958234
(crossed in the post)
LVL 16

Expert Comment

by:Kevin Hays
ID: 16959125
My only question is, if you want to have these settings then why set them as an admin?

Along with what the other two posts suggested, you very rarely touch the default domain policy unless you want a domain-wide policy in effect, such as password requirements, thresholds, etc.

You can also set a software restriction policy in a new GPO that is linked to an OU. Just move the computer that is going to have the policy applied into that OU and you can set the policy to allow only programs you specify. You can specify programs based on the hash of the .exe or the path. I usually go the hash method, so even if they are clever and rename or move the exe and folder it still will not run.

As for downloading stuff, your best bet would be to implement a proxy server and create groups with different levels of access, content filtering, downloading and such.

PS: You can also have it apply to administrators in the software restriction policy as well if you wish. You will have to do some testing, though, to make sure all of your required programs run correctly if you go this method, but it is well worth looking into for that aspect of your question.

For the other questions, I'm right with the other two experts here on what they suggested.
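Why hash rules hold up where a list of blocked EXE names does not, as an added example that is not part of the thread. The functions below model the Software Restriction Policy decision in simplified form (a hash rule beats a path rule, and the default level applies when nothing matches); they are an illustration of the rule types Kevin Hays and Steve Knight discuss, not the Safer engine itself. The working folder, the copied system binaries and SHA-256 (the SRP console uses MD5/SHA-1 file hashes) are assumptions.

```powershell
# Added example, not code from the thread. Models SRP rule precedence to show that
# renaming a file defeats a path/name rule but not a hash rule.

# Build a hash allow-list from a directory of approved programs.
function New-HashAllowList {
    param([string]$Directory,
          [string[]]$Extensions = @('*.exe', '*.com', '*.scr', '*.cmd', '*.bat'))
    $rules = @{}
    foreach ($f in Get-ChildItem -Path $Directory -Include $Extensions -Recurse -File) {
        $rules[(Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash] = $f.Name
    }
    return $rules                       # hash -> friendly name
}

# Decide for one file. Simplified SRP order: hash rules, then path rules, then default.
function Test-SaferDecision {
    param(
        [string]$Path,
        [hashtable]$AllowedHashes   = @{},   # hash rules, level Unrestricted
        [hashtable]$BlockedHashes   = @{},   # hash rules, level Disallowed
        [string[]] $DisallowedPaths = @(),   # path rules, level Disallowed ("block this EXE")
        [string[]] $AllowedPaths    = @(),   # path rules, level Unrestricted
        [string]   $DefaultLevel    = 'Disallowed'
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($BlockedHashes.ContainsKey($hash)) { return "Disallowed (hash rule: $($BlockedHashes[$hash]))" }
    if ($AllowedHashes.ContainsKey($hash)) { return "Unrestricted (hash rule: $($AllowedHashes[$hash]))" }
    foreach ($p in $DisallowedPaths) { if ($Path -like $p) { return "Disallowed (path rule $p)" } }
    foreach ($p in $AllowedPaths)    { if ($Path -like $p) { return "Unrestricted (path rule $p)" } }
    return "$DefaultLevel (default level)"
}

# Constructed scenario: a working folder with copies of two Windows binaries standing in
# for "an approved application" (notepad) and "a game the user downloaded" (calc).
$work = Join-Path $env:TEMP 'srp-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Copy-Item "$env:SystemRoot\System32\notepad.exe" (Join-Path $work 'approved.exe') -Force
Copy-Item "$env:SystemRoot\System32\calc.exe"    (Join-Path $work 'game.exe')     -Force

# (a) The "list of EXEs they can't run" approach: a path rule on game.exe, everything
#     else in the folder allowed. The user renames game.exe to game.scr and it runs.
$blockByName = @("$work\game.exe")
Copy-Item (Join-Path $work 'game.exe') (Join-Path $work 'game.scr') -Force
Test-SaferDecision -Path "$work\game.exe" -DisallowedPaths $blockByName -AllowedPaths @("$work\*")
Test-SaferDecision -Path "$work\game.scr" -DisallowedPaths $blockByName -AllowedPaths @("$work\*")

# (b) Hash rule on the game: the renamed copy is the same bytes, so it is still blocked.
$blockedHash = @{ (Get-FileHash "$work\game.exe" -Algorithm SHA256).Hash = 'game.exe' }
Test-SaferDecision -Path "$work\game.scr" -BlockedHashes $blockedHash -AllowedPaths @("$work\*")

# (c) Stronger still, and what Kevin describes: default Disallowed with a hash allow-list
#     built from the approved programs only. A download is blocked under any name, and
#     the approved program keeps running even if it is moved or renamed.
$allow = New-HashAllowList -Directory $work
$allow.Keys | Where-Object { $allow[$_] -ne 'approved.exe' } | ForEach-Object { $allow.Remove($_) }
Copy-Item (Join-Path $work 'approved.exe') (Join-Path $work 'moved\renamed.com') -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path (Join-Path $work 'moved') -Force | Out-Null
Copy-Item (Join-Path $work 'approved.exe') (Join-Path $work 'moved\renamed.com') -Force
Test-SaferDecision -Path "$work\moved\renamed.com" -AllowedHashes $allow
Test-SaferDecision -Path "$work\game.scr"          -AllowedHashes $allow
```

The cost of approach (c) is the testing Kevin mentions: every legitimate program, including each updated version (new bytes, new hash), needs a rule before it will run, so build the allow-list from a clean reference machine and re-generate it after patching.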


Author Comment

ID: 16961731
Thanks all for your help so far on this...

As I said, I'm not great with GPOs but am becoming more familiar with them.

When I saw the spec saying create a new user with admin rights my immediate thought
was why! Isn't this going to just make the task even harder! To be honest I have to do this
task tomorrow live on a production system in a college as part of a test. I will ask why
they want the user to have admin rights..... maybe they need local access to their client
workstations in order to run a specific application?

Now, I have been testing it on my test network at home, except this is W2K3. As far
as I know, no separate OUs are present in AD..... just the standard ones created at installation.

I can create GPOs only at the domain level and on the Domain Controllers container in AD. I can't create a new GPO
on the Computers container or the Users container. I have created a new OU on my test network and I can create a
new policy on that. I have also moved the client computers on my test network into this container and will apply the policy
settings here on that OU. Is it OK just to move client computers from the default Computers container to a separate OU?
As I said, I have tested it on my test network without issue, but I'm not sure what will happen on a bigger Windows 2000 system?

Can the same apply if I move certain users to a newly created OU and apply a GPO to that OU to restrict users?

Thanks again

LVL 43

Expert Comment

by:Steve Knight
ID: 16963044
The Users and Computers containers are default ones that you can't apply policies to; as you found, you must create OUs. I generally create site or country top-level OUs and then functions such as Computers, Groups, Department names etc. as needed, but it depends upon the specific requirements.

Moving computers and users to different OUs is the whole point of AD -- you can structure them to make it easier to administer and to give out different policies etc., so yes, you are correct in that.

LVL 48

Expert Comment

ID: 16964709
If you saw the OU structures running in half the sites I have seen you would fall over yourself :) Very, very, very common practice to segment your AD and apply security.
LVL 43

Expert Comment

by:Steve Knight
ID: 16964774
Always amusing when you go to a relatively massive site with all the computers in Computers, users in the "Builtin" or "Users" container and all the policies in Default Domain.... normally been put in by an untrained "consultant" of course :-( but then it provides work to go in and pick up the pieces, so I don't complain :-)

LVL 48

Expert Comment

ID: 16964795
lol $$$$ makes it all good, bring it on


Author Comment

ID: 16967617
OK, again thanks for your comments; I think I know how I'm gonna approach this now.

Create the user and stick him/her in a new OU and then create a new GPO on that OU.

Do I use the No Override option?

Blocking this user from changing the background, deleting printers and accessing the Control Panel seems quite
straightforward, as well as hiding the C:.

Now, they also want me to stop them accessing any chat programs (I can disable MSN easily using the policy); how
do I stop them using any others? I guess I need a list of them first?

They also want me to stop users downloading any games and running .exe files. I have seen where you can specifically stop users from
running certain programs or certain .exe files in the GPO.... is this the best way? I guess I build up a list of
apps that should be added to the list and then add them specifically there?



LVL 43

Expert Comment

by:Steve Knight
ID: 16967629
Pretty well that, yes; from experience that can be many hundreds of EXEs listed without problem.

LVL 43

Expert Comment

by:Steve Knight
ID: 17076911
dlloyd37.  Are you still needing any help on this?
