Solved

Local machine group policy lockdown

Posted on 2008-10-29
1,849 Views
Last Modified: 2013-12-04
Hello all,

I have a number of machines that we throw out to clients to do certain operations. These machines are not on a domain so I cannot edit their group policies from there.

On the machines I need to lock down the ability for the user to right-click on the start menu.

I have gone into gpedit.msc - User Configuration, Administrative Templates, Start Menu and Taskbar.
And enabled the option - "Remove access to the context menus for the taskbar"

This option works but is applied to the administrator account as well as all the others. I need to not have this run on the local admin account.

Also when this policy runs on the admin account it also removes a number of icons from the desktop and start menu (e.g. My Computer, Network Places, etc...)

Is there any way to do this operation without affecting the admin account?
Question by:JFexco
8 Comments
 
LVL 58

Expert Comment

by:tigermatt
ID: 22830659

There certainly is. It's a bit messy, but does work.

When you modify the local Group Policy, the changes you make are stored in a folder structure within C:\WINDOWS\system32\GroupPolicy. The easy way to stop the policy changes you make applying to the Administrator is simply to Deny the Administrator all the rights on that folder, and all subfolders. This will prevent the policy applying.

The only downside to this setup is that when you wish to modify the Group Policy again, you need write access to that folder. That means you either use an account which has local Administrator rights but doesn't have deny rights set on that folder, or you simply remove the Deny setting, make the change, then re-apply the Deny again.

Also, if you have many machines you need to make the same changes on, it would be worth noting that the GroupPolicy folder can be copied across from one template machine to all the others, so you can make the changes in one place in gpedit.msc and then just copy the folder to apply them to all your other machines.

-tigermatt
 
LVL 41

Expert Comment

by:graye
ID: 22830718
You might consider using the Microsoft Shared Computer Toolkit for Windows XP (now called SteadyState)

     http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx
It's designed to lock down PCs used in a classroom or kiosk scenario... but it can be configured via a wizard to determine how much to lock down.
 
LVL 14

Expert Comment

by:Dhiraj Mutha
ID: 22830721

Author Comment

by:JFexco
ID: 22831653
Thanks for the information.

Denying the admin access to the "C:\WINDOWS\system32\GroupPolicy" folder would be a bit messy as it would need me to create another admin account on all machines to do pretty much the same changes.

These machines are managed by a first level team and not myself so making multiple admin accounts on these machines to do different things would not be productive.



 
LVL 58

Expert Comment

by:tigermatt
ID: 22831819

How about using a script to add and remove the Deny permissions as is necessary?
 

Author Comment

by:JFexco
ID: 22832166
Might be a solution.

How will the admin run the script if he is locked out of that folder?

The admin should have rights to change the rights on that folder even if they are denied? Would they?
 
LVL 58

Accepted Solution

by:
tigermatt earned 125 total points
ID: 22832571

Yes, the Administrator could change the rights on the folder - Administrators are given that permission automatically.

The below two batch files would do the trick - one would be "security_on.bat", the other "security_off.bat".

-tigermatt
rem Security_On.bat
rem Locks the Administrator out of %systemroot%\system32\GroupPolicy.
rem /E edits the existing ACL instead of replacing it; /D adds a Deny (no access) entry
rem for the Administrator account, which cacls makes inheritable, so the subfolders
rem and Registry.pol files are covered too and the local policy is no longer read at logon.
cacls %systemroot%\system32\GroupPolicy /E /D Administrator
 
rem --
rem Second batch file: Security_Off.bat
rem Allows the Administrator to edit Local Group Policy - RUN THIS before using gpedit.msc, then after editing, run Security_On.bat
rem /R revokes the Administrator's explicit entries, i.e. removes the Deny again.
rem (/G Administrator:F would only add an Allow entry next to the Deny, and a Deny entry
rem always wins, so the Administrator would stay locked out.)
cacls %systemroot%\system32\GroupPolicy /E /R Administrator

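The same folder-deny trick that tigermatt describes in his first comment and scripts with cacls above, as an added example written for this page in Windows PowerShell (it is not code from the thread or from Microsoft). It locks or unlocks the local GPO folder for one account, reports the current state, and can first copy a template machine's GroupPolicy folder onto this machine, which is the deployment step mentioned in the first comment. The script name Lock-LocalGpo.ps1, the parameter names, the TEMPLATE machine name and the use of the default admin$ share are assumptions; it is meant to run elevated on the target machine as a local Administrator under Windows PowerShell (.NET Framework).

```powershell
<#
Lock-LocalGpo.ps1 (added example, not code from the thread)
Toggles an inheritable Deny-ReadData entry for one account on
%SystemRoot%\System32\GroupPolicy so that the local policy is skipped for
that account, and can push a template GroupPolicy folder to this machine.

Usage (elevated, as a local Administrator):
  .\Lock-LocalGpo.ps1 -Mode Status
  .\Lock-LocalGpo.ps1 -Mode Unlock     # before gpedit.msc
  .\Lock-LocalGpo.ps1 -Mode Lock       # after editing
  .\Lock-LocalGpo.ps1 -Mode Deploy -TemplatePath '\\TEMPLATE\admin$\System32\GroupPolicy'
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Lock', 'Unlock', 'Status', 'Deploy')]
    [string]$Mode,

    # Account the local policy must NOT apply to (assumed default: the local
    # Administrator). "BUILTIN\Administrators" would exempt every local admin.
    [string]$Account = "$env:COMPUTERNAME\Administrator",

    # Only used with -Mode Deploy, e.g. \\TEMPLATE\admin$\System32\GroupPolicy
    [string]$TemplatePath,

    [string]$GpoPath = (Join-Path $env:SystemRoot 'System32\GroupPolicy')
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $GpoPath)) {
    # The folder only exists once gpedit.msc has saved a local policy.
    throw "$GpoPath does not exist; open gpedit.msc once and set a policy first."
}

# Deny only ReadData (list folder / read file data), inherited by everything
# below. That stops the policy engine reading Registry.pol for this account
# but never denies ReadPermissions/ChangePermissions, so the same account can
# always undo the lock. (cacls /D denies everything and relies on the folder
# owner keeping WRITE_DAC implicitly.)
$denyRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

function Get-DenyRules {
    # Explicit (non-inherited) Deny entries on the folder for $Account.
    $acl = [System.IO.Directory]::GetAccessControl($GpoPath, 'Access')
    $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $Account
        }
}

function Set-Lock([bool]$Locked) {
    # Read and write only the DACL section so owner and SACL are untouched
    # and the call does not need SeRestorePrivilege.
    $acl = [System.IO.Directory]::GetAccessControl($GpoPath, 'Access')
    if ($Locked) { $acl.AddAccessRule($denyRule) }
    else         { $acl.RemoveAccessRuleAll($denyRule) }
    [System.IO.Directory]::SetAccessControl($GpoPath, $acl)
}

switch ($Mode) {
    'Lock'   { Set-Lock $true }
    'Unlock' { Set-Lock $false }
    'Deploy' {
        if (-not $TemplatePath) { throw '-TemplatePath is required for -Mode Deploy' }
        Set-Lock $false    # need to read/write the folder while copying
        Copy-Item -Path (Join-Path $TemplatePath '*') -Destination $GpoPath -Recurse -Force
        Set-Lock $true     # re-apply the deny once the template is in place
    }
}

# Always finish by reporting the state, so Status, Lock, Unlock and Deploy
# all end with a verifiable line instead of silent success.
if (@(Get-DenyRules).Count -gt 0) {
    "LOCKED: local policy in $GpoPath is not read by $Account"
} else {
    "UNLOCKED: local policy in $GpoPath applies to $Account (safe to run gpedit.msc)"
}
```

Two practical notes. The deny is evaluated when the user's token reads the policy files at logon, so after locking, the exempt account must log off and on again to see the effect. After a Deploy, run gpupdate /force on the machine (or reboot) so the copied policy is applied even if its version number is not newer than the one already cached.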
 

Author Closing Comment

by:JFexco
ID: 31511131
Thanks for that. Really helpful.

Looks like it will solve the issue.
