Hi,

Does any know how to denied the access locally to run MMC
except for the Admin user?

When I denied author access in MMC Gpedit the
Administrator cannot access the MMC!! I want to denied MMC
for the normal user on WinXP machine except the
Administrator.

Marco Badoux

=20
Local Security Policy not applied to all accounts equally

It is crude, but you can Deny Full Control, to those accounts=20
that should not be impacted by local policy, on the directory=20
system32\GroupPolicy. For an admin to modify the settings=20
in policy they need to have the Deny effecting them removed,=20
and then replaced when finished with the edit.

In some cases the method outlined in KB 293655 is of use=20
http://support.microsoft.com/?id=3D293655=20


--=20
Roger Abell
MS MVP (Security, Windows), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone

"Marco Badoux" > wrote in message =
...
> Hi,
>=20
> Does any know how to denied the access locally to run MMC=20
> except for the Admin user?=20
>=20
> When I denied author access in MMC Gpedit the=20
> Administrator cannot access the MMC!! I want to denied MMC=20
> for the normal user on WinXP machine except the=20
> Administrator.=20
>=20
> Marco Badoux

sure - set an ACL on mmc.exe

--

Cheers, Michael
Writing Secure Code 2nd Edition
(http://www.microsoft.com/MSPress/books/5957.asp)

This posting is provided "AS IS" with no warranties, and confers no rights.
"Marco Badoux" > wrote in message
...
> Hi,
>
> Does any know how to denied the access locally to run MMC
> except for the Admin user?
>
> When I denied author access in MMC Gpedit the
> Administrator cannot access the MMC!! I want to denied MMC
> for the normal user on WinXP machine except the
> Administrator.
>
> Marco Badoux