group policy question

Posted on 2006-06-22
Last Modified: 2010-04-13
Hi all,
Not had much experience using group policy and have been asked to do this
on a W2K network.

create a new user with admin rights
restrict this new user from accessing any other users' files
from changing the desktop background
from running any exe file
from deleting printers
from accessing the control panel
hide the C: drive

change firewall settings so users can't download any chat programs
user should also not be able to download games from internet


I edited the default domain policy and can achieve most of what's above, however I notice
it also applies to the domain controller. How can I do this without restricting the domain controller itself, just
the workstations?

The bit about "create a new user with admin rights" is a bit confusing too! Can I apply group policy settings on a per-user basis like this?

Question by:dlloyd37
LVL 48

Assisted Solution

Jay_Jay70 earned 250 total points
ID: 16958178
no no no no no! lesson one in GPO... do not touch the default domain policy ever!!!! create a new policy located on the OU within which the user account resides! right click on the OU - properties - Group Policy - Create New!

there you can put your settings!!

use NTFS permissions to stop him accessing desired folders

to give him admin privileges - right click my computer on the desired machine - manage - local users and groups - groups - administrators - properties - members - add
LVL 43

Accepted Solution

Steve Knight earned 250 total points
ID: 16958227
If they are an admin then one way or another they can override this by running .REG scripts, amending policy locally etc.  If you restrict all EXEs that is going to cause untold issues; the user could also just rename a file from EXE to COM or possibly even CMD or SCR etc. and run it too.  You can specify a list of EXEs or other programs they can't run though; this doesn't stop them renaming a file though.

You need to set NTFS permissions on wherever these files are to stop them accessing them. If they are on the same machine you can't if they are an admin, as they can take ownership and give themselves rights.

Desktop background, control panel etc. is easy to change in policy but again can be overridden by an admin.

I think you need to make them a normal non-admin for starters.

GPO is based on objects in OU's but you can either put the user in their own OU or create a GPO on an OU with multiple users then change in the security of the GPO which users / groups it applies to (the apply entry in the security).

Don't change the default domain policy as it affects everything by default.  Create a separate OU for any PCs / Users you want to affect.

Be careful when creating fairly drastic policies like this, especially at the domain level.
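The structure both answers above describe (a new OU, a new GPO linked to it rather than an edited default domain policy, and security filtering so the GPO applies only to the restricted users) can be scripted. The following is an added example, not code from the thread: it uses the GroupPolicy and ActiveDirectory PowerShell modules, which need Windows Server 2008 R2 or later (or RSAT); on the Windows 2000 domain in the question the same steps are done by hand in Active Directory Users and Computers. The domain, OU, group and GPO names are assumptions.

```powershell
# Added example (not from the thread). Requires the GroupPolicy and ActiveDirectory modules
# (Windows Server 2008 R2+ or RSAT). All names below are assumed values for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
$ouName    = 'Restricted Workstations'                 # assumed OU name
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'GPO-Restricted-Users'                    # assumed group used for security filtering
$gpoName   = 'Restricted User Lockdown'                # assumed GPO name

# 1. A dedicated OU. The default domain policy stays untouched and the domain controllers,
#    which live in their own OU, never receive these settings.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. A group that decides who the GPO applies to, so one GPO on an OU holding many users
#    still targets only the restricted accounts (the "apply entry in the security" above).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 3. A new GPO linked to the OU. -Enforced is the current name for the old "No Override" option.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Lockdown for restricted accounts'
}
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced Yes -ErrorAction SilentlyContinue

# 4. Security filtering: Authenticated Users keep Read only (member computers must still be
#    able to read the GPO, a requirement since MS16-072) and only the filtering group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply

# 5. Verify what is linked where and who it applies to before going live on a production domain.
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize
```

Adding the restricted account to the filtering group is what switches the policy on for that user; Domain Admins are not in the group, so the settings never reach them, which also sidesteps the "admins can override it anyway" problem for everyone except the restricted account itself.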

LVL 43

Expert Comment

by:Steve Knight
ID: 16958234
(crossed in the post)
LVL 16

Expert Comment

ID: 16959125
My only question is if you want to have these settings then why set them as an admin?  

Along with what the other two posts suggested, you very rarely touch the default domain policy unless you want a domain-wide policy in effect such as password requirements, thresholds, etc.....

You can also set a software restriction policy in a new GPO that is linked to an OU also.  Just move the computer that is going to have the policy applied into that OU and you can set the policy to allow only programs you specify.  You can specify programs based on the hash of the .exe or the path.  I usually go the hash method so even if they are clever and rename or move the exe and folder it still will not run.

As for downloading stuff, your best bet would be to implement a proxy server and create groups with different levels of access, content filtering, downloading and such.

PS:  You can also have it apply to administrators in the software restriction policy as well if you wish.  You will have to do some testing though to make sure all of your required programs run correctly if you go this method, but it is well worth the look into though for that aspect of your question.

For the other questions, I'm right with the other two experts here on what they suggested.
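The hash-versus-path point above is the one a practitioner should test before building the allow-list. The following is an added example, not code from the thread: it inventories the executables under the approved application folders (the evidence base for a hash-based allow-list and for the "make sure required programs still run" testing) and shows that copying a file under a new name changes what a path rule matches on but not what a hash rule matches on. Software Restriction Policies themselves exist on Windows XP / Server 2003 and later and are configured in the GPO editor under Security Settings; SRP computes its own hash when a rule is added, so the CSV here only records which files were approved. Folder paths and the scratch file name are assumptions.

```powershell
# Added example (not from the thread). Requires PowerShell 4 or later for Get-FileHash.
# Folders, extensions and the scratch file name are assumed values for illustration.

function Get-ApprovedExecutableHashes {
    # Hash every executable-type file under the approved folders so the allow-list has a
    # recorded, reviewable basis. Extensions cover the rename tricks mentioned in the thread
    # (EXE renamed to COM, CMD, SCR and so on).
    param(
        [string[]]$Folders    = @("$env:ProgramFiles"),
        [string[]]$Extensions = @('*.exe', '*.com', '*.cmd', '*.bat', '*.scr', '*.msi')
    )
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    SHA256 = $hash.Hash
                }
            }
    }
}

function Test-HashRuleSurvivesRename {
    # Copies a known executable to a different name and extension and compares hashes:
    # the path differs (a path rule no longer matches), the hash does not (a hash rule still does).
    param([string]$Source = "$env:SystemRoot\System32\notepad.exe")
    $copy = Join-Path $env:TEMP 'renamed-game.scr'      # assumed scratch file name
    Copy-Item -Path $Source -Destination $copy -Force
    $before = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
    $after  = (Get-FileHash -Path $copy   -Algorithm SHA256).Hash
    Remove-Item -Path $copy -Force
    [pscustomobject]@{
        OriginalPath = $Source
        RenamedPath  = $copy
        PathChanged  = ($Source -ne $copy)    # True:  a path rule would stop matching
        HashChanged  = ($before -ne $after)   # False: a hash rule keeps matching
    }
}

# Build the inventory, save it for review, then demonstrate the rename behaviour.
$inventory = Get-ApprovedExecutableHashes
$inventory | Export-Csv -Path (Join-Path $env:TEMP 'approved-hashes.csv') -NoTypeInformation
"$($inventory.Count) executables hashed"
Test-HashRuleSurvivesRename | Format-List
```

The CSV is also what you compare against after an application update: a patched executable gets a new hash, so the corresponding hash rule must be refreshed, which is the maintenance cost the comment's "do some testing" warning refers to.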


Author Comment

ID: 16961731
Thanks all for your help so far on this.....

As I said, I'm not great with GPOs but am becoming more familiar with them.

When I saw the spec saying create a new user with admin rights my immediate thought
was why! Isn't this going to just make the task even harder! To be honest I have to do this
task tomorrow live on a production system in a college as part of a test. I will ask why
they want the user to have admin rights.....maybe they need local access to their client
workstations in order to run a specific application?

Now, I have been testing it on my test network at home, except this is W2K3.  As far
as I know, no separate OUs are present in AD.....just the standard ones created at installation.

I can create GPOs only at the domain level and on the domain controller container in AD. I can't create a new GPO
on the computers container or the users container? I have created a new OU on my test network and I can create a
new policy on that. I have also moved the client computers on my test network into this container and will apply the policy
settings here on that OU. Is it ok just to move client computers from the default computer container to a separate OU?
As I said I have tested it on my test network without issue, but not sure what will happen on a bigger Windows 2000 system?

Can the same apply if I move certain users to a newly created OU and apply a GPO to that OU to restrict users?

Thnx again

LVL 43

Expert Comment

by:Steve Knight
ID: 16963044
The users and computers containers are default ones that you can't apply policies to; as you found, you must create OUs.  I generally create site or country top-level OUs and then functions such as Computers, Groups, Department names etc. as needed, but it depends upon the specific requirements.

Moving computers and users to different OUs is the whole point of AD -- you can structure them to make it easier to administer and to give out different policies etc., so yes you are correct in that.
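The move the asker describes (workstations out of the default Computers container into the new OU) and the check that the right GPOs now apply can be done as follows. This is an added example, not code from the thread; it uses the ActiveDirectory and GroupPolicy modules (Server 2008 R2+ or RSAT), and the OU and computer names are assumptions.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory and GroupPolicy modules.
# OU and workstation names are assumed values for illustration; the OU is created separately.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$targetOU = "OU=Restricted Workstations,$domainDN"      # assumed OU the policy is linked to
$names    = @('LAB-PC01', 'LAB-PC02')                   # assumed workstation names

foreach ($name in $names) {
    $computer = Get-ADComputer -Identity $name
    # Moving the object does not touch the machine's domain trust; it only changes which OUs,
    # and therefore which GPO links, sit on the computer's path. Domain controllers stay in
    # their own OU and are never moved here.
    if ($computer.DistinguishedName -notlike "*,$targetOU") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU
        "$name moved to $targetOU"
    }
}

# Every link the moved computers now inherit: domain-level links plus the OU's own GPO,
# in processing order. Anything unexpected here is caught before the first reboot.
Get-GPInheritance -Target $targetOU | Select-Object -ExpandProperty InheritedGpoLinks |
    Format-Table DisplayName, Enabled, Enforced, Target -AutoSize

# Then, on a moved workstation, refresh and confirm from the client side:
#   gpupdate /force
#   gpresult /r       (Vista and later; on XP/2003 run gpresult with no switches)
```

Running the inheritance report against the Domain Controllers OU as well is a quick way to prove the new GPO is not linked anywhere along the controllers' path, which was the original concern in the question.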

LVL 48

Expert Comment

ID: 16964709
if you saw the OU structures running in half the sites I have seen you would fall over yourself :) very very very common practice to segment your AD and apply security
LVL 43

Expert Comment

by:Steve Knight
ID: 16964774
Always amusing when you go to a relatively massive site with all the computers in computers, users in "built in" or "users" container and all the policies in default domain.... normally been put in by an untrained "consultant" of course :-( but then it provides work to go in and pick up the pieces so I don't complain :-)

LVL 48

Expert Comment

ID: 16964795
lol $$$$ makes it all good, bring it on


Author Comment

ID: 16967617
Ok, again thnx for your comments, I think I know how I'm gonna approach this now.

Create the user and stick him/her in a new OU and then create a new GPO on that OU.

I use the no override option?

Blocking this user from changing the background, deleting printers and accessing the control panel seem quite
straightforward, as well as hiding the C:

Now, they also want me to stop them accessing any chat programs (I can disable MSN easily using the policy). How
do I stop them using any others? I guess I need a list of them first?

They also want me to stop users downloading any games and running .exe files. I have seen where you can specifically stop users from
running certain programs or certain .exe files. Is this the best way? I guess I build up a certain list of
apps that should be added to the list and then add them specifically there?



LVL 43

Expert Comment

by:Steve Knight
ID: 16967629
Pretty well that, yes; from experience that can be many hundreds of EXEs listed without problem.
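The user-side settings the asker lists (control panel, desktop background, deleting printers, hiding C:, and the "don't run these programs" list) each correspond to a registry value under the user's Policies key, which the GPO editor's Administrative Templates write for you. The following is an added example, not code from the thread: it writes the same values into a GPO with Set-GPRegistryValue (GroupPolicy module, Server 2008 R2+ or RSAT). The GPO name and the blocked executable list are assumptions; msnmsgr.exe is used only as the MSN Messenger binary name.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module. The GPO is assumed to
# exist already; the blocked-program list is an assumed example.
Import-Module GroupPolicy

$gpoName  = 'Restricted User Lockdown'                               # assumed GPO name
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desktop  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'

# "Prohibit access to Control Panel"
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel'      -Type DWord -Value 1
# "Prevent deletion of printers"
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDeletePrinter'     -Type DWord -Value 1
# "Prevent changing desktop background"
Set-GPRegistryValue -Name $gpoName -Key $desktop  -ValueName 'NoChangingWallPaper' -Type DWord -Value 1
# "Hide these specified drives in My Computer": a bitmask, A=1, B=2, C=4, so 4 hides C: only
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDrives'            -Type DWord -Value 4

# "Don't run specified Windows applications": DisallowRun=1 plus a DisallowRun subkey holding
# one numbered string value per file name. It matches on the file name alone, which is exactly
# why a renamed copy slips past it and why a hash-based software restriction policy is the
# stronger tool for the games/EXE requirement.
$blocked = @('msnmsgr.exe')                                          # assumed example list
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1
$i = 1
foreach ($exe in $blocked) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" -ValueName "$i" -Type String -Value $exe
    $i++
}

# Review what the GPO now contains, as the editor would show it.
Get-GPRegistryValue -Name $gpoName -Key $explorer | Format-Table ValueName, Type, Value -AutoSize
Get-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" | Format-Table ValueName, Value -AutoSize
```

These are all per-user (HKCU) policies, so they only bite when the restricted account logs on, and, as Steve notes earlier in the thread, a local administrator can undo them in the registry; they are a fence for a normal user, not a control against an admin.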

LVL 43

Expert Comment

by:Steve Knight
ID: 17076911
dlloyd37.  Are you still needing any help on this?
