Solved

How to apply local group policies on Windows XP without affecting the administrator

Posted on 2008-09-30
14
477 Views
Last Modified: 2008-11-01
How to apply local group policies on Windows XP without affecting the administrator
0
Comment
Question by:robballi
  • 4
  • 4
  • 4
14 Comments
 
LVL 3

Expert Comment

by:Azyre
ID: 22608992
Is this part of a domain? If so you can use OU's and group management to get this done.  Just apply the policy on the user OU and not the Administrator OU.

I don't believe you can exclude groups from the local GPO in a non-domain situation.
0
 

Author Comment

by:robballi
ID: 22609417
No they are stand alone Windows XP Professional PCs
0
 
LVL 3

Expert Comment

by:Azyre
ID: 22609477
You may need to look for a work around to whatever it is you are doing.  There is simply the Local GPO, and to my knowledge there isn't a way of creating multiple local GPO's that are user specific in a workgroup setting.  I may be wrong though and maybe a smarter person than I will jump in and inform you of such.
0
 
LVL 15

Expert Comment

by:venom96737
ID: 22610599
What kinds of things are you trying to do?  Are you trying to keep one user from doing certain things like accessing programs or turning things off?  This can be done by logging in as the user and tweaking thier registry settings which I could help you with if your just specify a little more.  
0
 
LVL 15

Accepted Solution

by:
venom96737 earned 250 total points
ID: 22610617
Oh I just read more than one PC yeah you will have to do it on all pc's but if you are going to do the same stuff the easiest way to get it done is to write a registy batch file that will go in and make the edits once you click on it so all the time will be put into just making that one then click and done for the future.  That is the real downfall of using standalones little harder to control but it can be done just let me know what you need to do.  Just make sure you dont run the file while logged in as admin and you shouldnt have a problem.
0
 

Author Comment

by:robballi
ID: 22610653
thanks venom96737:

Look, let me explain, there isn't  enough funding, so the 20 machines that i have to work with these users don't have a server. So to have a better control on users i made aproximately 150 users on each computer, because they can arrive at different schedules.
As you said i would like to for instance block the control panel through group policies, but unfortunatelly the Administrator gets restricted too.
It is very simple i would like to have a global policies for the 150 users and another policy for the administrator. It seems that with Windows Server one can do that through file permision.

Thanks a lot for your help

Yes, for instance i would like to disable the control panel to
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 15

Expert Comment

by:venom96737
ID: 22611232
you might want to look into something like this:
http://www.tweakxp.com/Article37921.aspx
download found here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D077A52D-93E9-4B02-BD95-9D770CCDB431&displaylang=en#QuickInfoContainer

On a standalone its different on a server you have active directories and all sorts of goodies you could play with ntfs permissions if you like but can get be annoying and time consuming.
0
 

Author Comment

by:robballi
ID: 22611486
thanks venom96737:

I tried a couple of days ago the tool Windows Steady State 2.5 and it crippled terribly a machine. It became terrible slow. Besides it activated the users welcome screen and as you can imagine 150 users it was imposible to browse your correct user.
It is very sad but it seems that it is impossible to control this shared users!!!
0
 
LVL 3

Expert Comment

by:Azyre
ID: 22613612
Well if you just ensure that all of the user accounts aren't in the administrators group then though they may be able to see things like control panel, they won;t be able to do too much with it as they won;t have any rights.  I would lobby for a s SBS personally.  I know funding sucks, but it really should sell its self if you ave over 150 users running across 20+ machines.
0
 
LVL 15

Expert Comment

by:venom96737
ID: 22620876
well robb its not impossible to do as i said create the registry batch file and run it on all accounts but to control it centrally through one edit yes thats impossible.
0
 

Author Comment

by:robballi
ID: 22621452
thanks again venom96737:

Today i tried to realize what you are telling me in the last message (by a reg file double clicking inside the restricted users y also tried through group policies login scripts ). But as the users are restricted users i got errors that the registry was open.
If you could give a concrete example of how to do what you are saying through batch, would be highly appreciated!!
0
 
LVL 3

Assisted Solution

by:Azyre
Azyre earned 250 total points
ID: 22634042
Write a 2 batch files with all of the registry changes you wish to have accomplished, one that will fire for administrators, and one that will fire for Standerd Users.  

http://www.pctools.com/forum/showthread.php?t=1282 contains a decent walk through on this if you need.

Then go into the GPO editor through MMC and apply the User batch file in the GPO under Local Computer Policy > Computer Config > Windows Settings > Scripts.

You will probably have to fire off the admin changes version manually after you log in as a administrator so that you do not have a conflict with the the 2 batch files both trying to process at log-in.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now