JFexco
asked on
Local machine group policy lockdown
Hello all,
I have a number of machines that we throw out to clients to do certain operations. These machines are not on a domain, so I cannot edit their group policies from there.
On the machines I need to lock down the ability for the user to right-click on the Start menu.
I have gone into gpedit.msc - User Configuration, Administrative Templates, Start Menu and Taskbar.
And enabled the option - "Remove access to the context menus for the taskbar"
This option works but is applied to the administrator account as well as all the others. I need to not have this run on the local admin account.
Also, when this policy runs on the admin account it also removes a number of icons from the desktop and Start menu (e.g. My Computer, Network Places, etc.).
Is there any way to do this operation without affecting the admin account?
You might consider using the Microsoft Shared Computer Toolkit for Windows XP (now called SteadyState)
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
It's designed to lock down PCs used in a classroom or kiosk scenario... but it can be configured via a wizard to determine how much to lock down.
ASKER
Thanks for the information.
Denying the admin access to the "C:\WINDOWS\system32\Group Policy" folder would be a bit messy, as it would need me to create another admin account on all machines to do pretty much the same changes.
These machines are managed by a first level team and not myself so making multiple admin accounts on these machines to do different things would not be productive.
How about using a script to add and remove the Deny permissions as is necessary?
ASKER
Might be a solution.
How will the admin run the script if he is locked out of that folder?
The admin should have rights to change the rights on that folder even if they are denied? Would they?
ASKER
Thanks for that. Really helpful.
Looks like it will solve the issue.
There certainly is. It's a bit messy, but does work.
When you modify the local Group Policy, the changes you make are stored in a folder structure within C:\WINDOWS\system32\GroupP
The only downside to this setup is that when you wish to modify the Group Policy again, you need write access to that folder. That means you either use an account which has local Administrator rights but doesn't have deny rights set on that folder, or you simply remove the Deny setting, make the change, then re-apply the Deny again.
Also, if you have many machines you need to make the same changes on, it would be worth noting that the GroupPolicy folder can be copied across from one template machine to all the others, so you can make the changes in one place in gpedit.msc and then just copy the folder to apply them to all your other machines.
-tigermatt
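The remove-Deny, edit, re-apply-Deny cycle described above, sketched as a script. This is an added example, not code from the thread. It assumes `icacls.exe` is available (Windows Vista and later; a stock Windows XP install has only `cacls`), that the denied principal is the built-in Administrators group, and that Read is the right being denied. Run it elevated with `Unlock` before opening gpedit.msc and with `Lock` afterwards.

```powershell
# Added example (not from the thread): toggle a Deny ACE on the local
# Group Policy store around a gpedit.msc session. Run elevated.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Lock', 'Unlock', 'Status')]
    [string]$Action
)

# The GroupPolicy folder named in the thread, resolved from %SystemRoot%.
$gpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Assumption: the principal to deny is BUILTIN\Administrators, given as its
# well-known SID so the script also works on non-English installs.
$principal = '*S-1-5-32-544'

# Assumption: Read is the right being denied, inherited by subfolders (CI)
# and files (OI) below the GroupPolicy folder.
$denyAce = "${principal}:(OI)(CI)R"

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE"
    }
}

switch ($Action) {
    'Lock' {
        # Re-apply the Deny entry once the policy edit is finished.
        Invoke-Icacls -Arguments $gpFolder, '/deny', $denyAce
    }
    'Unlock' {
        # /remove:d strips only Deny ACEs for the principal; grants stay.
        Invoke-Icacls -Arguments $gpFolder, '/remove:d', $principal
    }
}

# For every action, print the resulting ACL so the operator can confirm
# whether the Deny entry is present before handing the machine back.
Invoke-Icacls -Arguments $gpFolder
```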