Jaime Campos
asked on
How do you set up a GPO to remove control panel and not apply it to admin account?
Hello,
I'm trying to set up a Global GPO to remove control panel from everyone's system, but I do not want to affect my IT department Group or administrator accounts. How can I accomplish this through my GPO editor?
Thanks,
nimdatx
Set up the GPO in the container that contains the user accounts you want it applied to. Make sure the admin account is not listed in the container. For my purposes all the admin accounts are in a container where there are no GPOs applied.
Create a new group policy object. Under the User Configuration settings, Administrative Templates, Control panel...restrict access to the control panel. THEN under delegation you can set permission to which groups inherit the policy. You can exclude your IT Department from inheriting it.
Download GPMC (group policy management console) and install it to your DC.
Open Run, type gpmc.msc.
In GPMC, expand your forest name, Domains, your domain name, then right-click your domain name and select the 'Create and Link a GPO here' tab to create your Global GPO.
When you finish creating the policy, select this policy > select delegation > advanced > select add and add your IT dept group and admin account here and clear the 'Apply Group Policy' check box > OK
I hope this will work, good luck.
ASKER
Ok, now how do I test if this policy is effective? Some users can still see control panel even when I applied on the root.
It may take a few minutes to propagate among your domain controllers, but after 15 minutes or so the policy should be in effect. Then just have them log off and log back in again.
ASKER
Is there a cmd I can run that will tell me which GPOs are active?
GPResult /R
RSOP is the graphical version of that.
Open Run, type gpupdate /force
good luck.
ASKER
I ran cmd and this is what I got:
------------------------------------------
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\nimda>gpresult /r
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 8/11/2011 at 12:23:01 PM
RSOP data for RAPA\nimda on FILESERVER2 : Logging Mode
-------------------------------------------------------
OS Configuration: Primary Domain Controller
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\nimda
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=FILESERVER2,OU=Domain Controllers,DC=RAPA,DC=local
Last time Group Policy was applied: 8/11/2011 at 12:21:21 PM
Group Policy was applied from: Fileserver2.RAPA.local
Group Policy slow link threshold: 500 kbps
Domain Name: RAPA
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Cannot change time
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Logon Script Map Drives
Filtering: Not Applied (Empty)
Internet History
Filtering: Denied (Security)
Home Page
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
My Documents Redirect
Filtering: Not Applied (Empty)
Internet Options
Filtering: Denied (Security)
Default Domain Policy
Filtering: Disabled (Link)
Remove Control Panel
Filtering: Denied (Security)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
FILESERVER2$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
System Mandatory Level
USER SETTINGS
--------------
CN=nimda,OU=IT Department,OU=Business Office,DC=RAPA,DC=local
Last time Group Policy was applied: 8/11/2011 at 12:21:21 PM
Group Policy was applied from: Fileserver2.RAPA.local
Group Policy slow link threshold: 500 kbps
Domain Name: RAPA
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Home Page
Logon Script Map Drives
My Documents Redirect
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Internet History
Filtering: Denied (Security)
Local Group Policy
Filtering: Not Applied (Empty)
Internet Options
Filtering: Denied (Security)
MAS90
Filtering: Not Applied (Empty)
Remove Control Panel
Filtering: Denied (Security)
Cannot change time
Filtering: Not Applied (Empty)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Terminal Server License Servers
Remote Desktop Users
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Accounting
Domain Admins
Administrator
Group Policy Creator Owners
Admin Staff
Exchange View-Only Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators1
Exchange Organization Administrators
Exchange Public Folder Administrators1
Exchange Recipient Administrators1
Exchange Servers
Exchange Public Folder Administrators
Exchange Organization Administrators1
Exchange Trusted Subsystem
Enterprise Admins
Exchange Servers1
Schema Admins
Terminal Server Computers
High Mandatory Level
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
...
Remove Control Panel
Filtering: Denied (Security)
So either something's not set right or you're running the command as a person/machine to which the policy doesn't apply.
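The check the reply above does by eye, as an added example that is not part of the original thread: a small Python parser for `gpresult /r` text that reports, per scope, whether a GPO applied or why it was filtered out. The sample is constructed and abridged from the output quoted above, and the function names are hypothetical.

```python
# Constructed sample in the shape of the `gpresult /r` output quoted above
# (abridged; real output indents these lines, so every line is stripped).
SAMPLE = """\
COMPUTER SETTINGS
    Applied Group Policy Objects
        Default Domain Controllers Policy
    The following GPOs were not applied because they were filtered out
        Remove Control Panel
            Filtering:  Denied (Security)
USER SETTINGS
    Applied Group Policy Objects
        Home Page
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Remove Control Panel
            Filtering:  Denied (Security)
        MAS90
            Filtering:  Not Applied (Empty)
    The user is a part of the following security groups
        Domain Admins
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    report, scope, mode, last = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:   # skip blanks and dash rulers
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, mode = line.split()[0], None
            report[scope] = {"applied": [], "filtered": {}}
        elif line == "Applied Group Policy Objects":
            mode = "applied"
        elif line.startswith("The following GPOs were not applied"):
            mode = "filtered"
        elif line.endswith("security groups"):   # group list ends the GPO lists
            mode = None
        elif mode == "applied":
            report[scope]["applied"].append(line)
        elif mode == "filtered" and line.startswith("Filtering:"):
            report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif mode == "filtered":
            last = line                          # GPO name precedes its reason
    return report

def gpo_status(report, scope, gpo):
    """Return 'Applied', the filtering reason, or 'Not listed'."""
    s = report[scope]
    return "Applied" if gpo in s["applied"] else s["filtered"].get(gpo, "Not listed")
```

`Denied (Security)` means the account or machine the report was generated for was excluded by the GPO's security filtering, so to confirm the restriction works, run the check as one of the users the policy is meant to cover.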
ASKER
I'm running it on my admin account on DC server.
ASKER
Ok. I did authenticated users, but I'm trying to exclude administrator. How do I exclude my IT department? I went to Delegation and not sure what it means.
Thanks,
nimdatx