Why is gpedit wide open to XP power users?

Some of our Windows XP workstations have security set so local Power User accounts can run gpedit.msc. All the information I can find says that gpedit is only available to Administrator accounts. Can't find any differences in local group policy settings. In fact I have copied the GroupPolicy folders from another workstation that correctly denies access to Power Users but it didn't make any difference. Is there a registry setting that controls this?
gheist Commented:
Simply put, the system is designed this way.
For example, in NT4 and the initial Windows 2000, normal users were allowed to use the date/time commands to change the system time at will.
And even without access to gpedit, every user will be able to launch mmc.exe and add the gpedit modules. GPOs have no effect on MMC.exe.
They can delete most of the files in %WINDIR% anyway, so why should you care about GPOs?
bbao (IT Consultant) Commented:
> They can delete most of the files in %WINDIR% anyway, so why should you care about GPOs?

LOL, good point. Hence the group name: Power Users are powerful, by design.
ru-rd (Author) Commented:
We have 15 Windows XP workstations that are all set up the same and joined as members of a Windows 2003 domain. Users also have memberships in this domain but log onto their workstations with local user accounts. They can access the network resources based on their domain group membership. Most, but not all, of these workstations were originally set up with W2K Pro and later upgraded to XP Pro. Local user accounts were given Power User membership so that some legacy apps would continue to run that wouldn't otherwise.
Recently I have been working on setting up logon/logoff scripts, and as I was testing these I discovered that on 5 of the 15 XP workstations Power Users can run gpedit.msc and on the other 10 they cannot. Local User and Power User accounts get the message "You do not have permission to perform this operation." The same message appears if they run MMC and try to add Group Policy Object Editor as a snap-in for the local computer. Upon further testing I have found that ordinary User accounts can also open gpedit.msc on these 5 workstations.
My concern is that some security settings must have changed to elevate the User & Power User permissions and I don't know what other security restrictions or access rights may have changed.
What could cause this besides group policy? Has anyone else seen these kinds of problems? Is there a way to reset the default access rights for Users and Power Users on Windows XP Pro?
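Below is an added audit script, not something posted in the thread, that checks the things that actually gate gpedit.msc for a non-administrator: NTFS rights on the local GPO store (%WINDIR%\System32\GroupPolicy, which the Group Policy Object Editor must be able to write), the rights on gpedit.msc, local group membership, and the per-user MMC snap-in restriction policy under HKCU\Software\Policies\Microsoft\MMC. It assumes PowerShell 2.0 is installed on the XP SP3 workstations and is run as the Power User account whose access is in question; the hypothesis that the five "open" machines differ in one of these values is mine, not established by the thread.

```powershell
# Added audit script, not from the thread. Assumes PowerShell 2.0 on XP SP3 and that it is
# run as the Power User (or User) account being tested, so the write probe reflects that
# account's effective access. Hypothesis under test: the "open" workstations differ in
# NTFS rights on the local GPO store or in MMC snap-in restriction policy.

$gpoStore  = Join-Path $env:WINDIR 'System32\GroupPolicy'
$gpeditMsc = Join-Path $env:WINDIR 'System32\gpedit.msc'

# Any of these bits lets a principal change the store's contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-LocalGroupMembers([string]$Group) {
    # WinNT ADSI provider: available on XP without extra modules.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-WriteAces([string]$Path) {
    # Lists Allow *and* Deny ACEs that carry a write bit, so both sides are visible.
    if (-not (Test-Path $Path)) { Write-Warning "$Path not found"; return }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            New-Object PSObject -Property @{
                Path = $Path; Identity = $ace.IdentityReference.Value
                Type = $ace.AccessControlType; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-StoreWritable([string]$Dir) {
    # Direct probe: can the current account create a file in the GPO store?
    $probe = Join-Path $Dir ('probe-' + [guid]::NewGuid().ToString() + '.tmp')
    try   { [IO.File]::WriteAllText($probe, ''); $writable = $true }
    catch { $writable = $false }
    if ($writable) { try { Remove-Item $probe -Force } catch { Write-Warning "could not delete $probe" } }
    $writable
}

function Get-MmcRestrictions {
    # Registered snap-ins: HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{CLSID} with a NameString value.
    # Per-user restriction policy: HKCU\Software\Policies\Microsoft\MMC\{CLSID}\Restrict_Run.
    $policy = 'HKCU:\Software\Policies\Microsoft\MMC'
    $all = (Get-ItemProperty -Path $policy -Name RestrictToPermittedSnapins -ErrorAction SilentlyContinue).RestrictToPermittedSnapins
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns' | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).NameString
        if ($name -like 'Group Policy*') {
            $rr = (Get-ItemProperty -Path (Join-Path $policy $_.PSChildName) -Name Restrict_Run -ErrorAction SilentlyContinue).Restrict_Run
            New-Object PSObject -Property @{ SnapIn = $name; Clsid = $_.PSChildName; Restrict_Run = $rr; RestrictToPermittedSnapins = $all }
        }
    }
}

"=== $env:COMPUTERNAME, running as $env:USERDOMAIN\$env:USERNAME ==="
foreach ($grp in 'Administrators', 'Power Users', 'Users') {
    "[$grp] " + ((Get-LocalGroupMembers $grp) -join ', ')
}
"GPO store writable by this account: " + (Test-StoreWritable $gpoStore)
"`n--- ACEs with write bits on the store and on gpedit.msc ---"
@(Get-WriteAces $gpoStore) + @(Get-WriteAces $gpeditMsc) | Format-Table Path, Identity, Type, Rights, Inherited -AutoSize
"`n--- MMC restriction policy for this user (blank = not set) ---"
Get-MmcRestrictions | Format-Table SnapIn, Clsid, Restrict_Run, RestrictToPermittedSnapins -AutoSize
```

Run it as the same local account on one of the five open workstations and on one of the ten that refuse, then diff the two outputs; a "writable: True" result or a Power Users/Users ACE with Modify on the store on the open machines is the kind of difference copying the GroupPolicy folder contents would not have fixed, because the ACLs, not the files, are what differ. Microsoft's documented way to reapply XP's default security (secedit /configure with the secsetup.inf template in %WINDIR%\repair) resets file and registry ACLs wholesale, and so can break the same legacy apps that Power Users membership was meant to keep running; compare the two machines before reaching for it.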
Local users can override ANY GPO setting by using .reg files.
If you join a computer to a domain, it gets only the computer settings, which minimally interfere with local Power Users.
__ST Commented:
A clever user with Power User rights can do just about anything they want with a local PC, so I'm not sure how much time you would want to spend on this. Even if you explicitly block running things like MMC, a power user can use net user / net localgroup to create a local administrator account that they could use to elevate their permissions and bypass any security you lay down. Trying to lock them down too much on a workstation risks breaking your legacy apps, so you're pretty much stuck with letting them have free rein of the endpoint.

If it's of vital concern, you could script a permissions/ownership change on the specific snap-in files using something like subinacl/xcacls, but keep in mind that it would not hinder someone persistent with a bit of technical knowledge.

Focus more on domain security and locking down the shares and you should be fine.  Ditch the legacy apps whenever possible and eventually you will have more control.
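As an added example of the permissions route __ST mentions (this is my code, not commands from the thread, and it uses .NET ACL objects rather than subinacl/xcacls), the script below puts a Deny ACE for Power Users on the two files that carry the Group Policy Object Editor: gpedit.msc, which is what double-clicking opens, and gpedit.dll, which mmc.exe loads when the snap-in is added by hand. It assumes PowerShell 2.0 on XP SP3 and an Administrator session, since only an administrator can rewrite ACLs on System32 files.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 on XP SP3 and an Administrator
# session. Adds (or with -Remove, removes) a Deny ACE for the given principal on the files
# that carry the Group Policy Object Editor, closing both entry points named in the thread.

$targets = @(
    (Join-Path $env:WINDIR 'System32\gpedit.msc'),   # the console file users double-click
    (Join-Path $env:WINDIR 'System32\gpedit.dll')    # the snap-in mmc.exe loads via Add/Remove Snap-in
)
$principal = 'Power Users'   # resolves to BUILTIN\Power Users on the local machine

function Set-GpeditDeny {
    param([string[]]$Paths, [string]$Identity, [switch]$Remove)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { Write-Warning "$p not found"; continue }
        $acl  = Get-Acl -Path $p
        # Deny read/execute: blocks both opening the .msc and loading the DLL into mmc.exe.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $Identity,
                    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
                    [System.Security.AccessControl.AccessControlType]::Deny)
        if ($Remove) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
        Set-Acl -Path $p -AclObject $acl
        # Show what is now in effect for that principal; Deny ACEs are evaluated before Allow ACEs.
        (Get-Acl -Path $p).Access |
            Where-Object { $_.IdentityReference.Value -like "*$Identity" } |
            Format-Table @{ n = 'Path'; e = { $p } }, IdentityReference, AccessControlType, FileSystemRights -AutoSize
    }
}

Set-GpeditDeny -Paths $targets -Identity $principal            # apply
# Set-GpeditDeny -Paths $targets -Identity $principal -Remove  # roll back
```

This closes the two routes the thread names, double-clicking gpedit.msc and adding the snap-in in mmc.exe, for members of Power Users only; it does nothing about the earlier point that policy values under HKCU can be rewritten by the user with reg.exe or a .reg file, and a Power User who can write elsewhere in %WINDIR% is not contained by it. Keep the -Remove form handy, because a Deny ACE on a system file is easy to forget when the next administrator wonders why gpedit fails for an account they added to Power Users.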
ru-rd (Author) Commented:
I've requested that this question be deleted for the following reason:

Comments like "this is normal" or "why should you care?" are not solutions. And I don't have "clever users" that are intentionally trying to circumvent basic security settings.
Since our workstations are scheduled to be upgraded to Windows 7 soon, there is no point in trying to pursue this issue. Thank you all for taking the time to post a reply. I am sorry that I cannot issue any points.
This documents the part missing from Microsoft's site.
You cannot disable mmc.exe or regedit.exe opening .reg files from command line.

explains the sorry state of things.
https://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb is the place where power users can find which registry setting to change to undo group policy.