I'm trying to use group policies, restricting
local/network users to certian policies, but not
restricting Administrators.

example:
local/network users:
remove run
remove control panel

Administrators/network administrator
run
control (are in start menu)

thanks for the help

Koz

"koz" > wrote in message =
...
> I'm trying to use group policies, restricting=20
> local/network users to certian policies, but not=20
> restricting Administrators.
>=20
> example:
> local/network users:
> remove run
> remove control panel
>=20
> Administrators/network administrator
> run
> control (are in start menu)
>=20
> thanks for the help
>=20
> Koz=20


It is crude, but you can Deny Full Control, to those accounts=20
that should not be impacted by local policy, on the directory=20
system32\GroupPolicy. For an admin to modify the settings=20
in policy they need to have the Deny effecting them removed,=20
and then replaced when finished with the edit.

In some cases the method outlined in KB 293655 is of use=20
http://support.microsoft.com/?id=3D293655=20

For some settings you can adjust things directly with=20
registry edits for effects limited to only some users.

Other than these (and third party products that use these,=20
mostly registry manipulation, for you) local policy will=20
always function as it is designed to do - uniformly apply=20
settings to all accounts.

--=20
Roger Abell
MS MVP (Security, Windows), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone

Interesting, I will try this out.

Is there a way to restrict the local groups also, like
power users and such?

Thank you again,

koz


>-----Original Message-----
>"koz" > wrote in message
...
>> I'm trying to use group policies, restricting
>> local/network users to certian policies, but not
>> restricting Administrators.
>>
>> example:
>> local/network users:
>> remove run
>> remove control panel
>>
>> Administrators/network administrator
>> run
>> control (are in start menu)
>>
>> thanks for the help
>>
>> Koz
>
>
> It is crude, but you can Deny Full Control, to those
accounts
> that should not be impacted by local policy, on the
directory
> system32\GroupPolicy. For an admin to modify the
settings
> in policy they need to have the Deny effecting them
removed,
> and then replaced when finished with the edit.
>
> In some cases the method outlined in KB 293655 is of
use
> http://support.microsoft.com/?id=293655
>
> For some settings you can adjust things directly with
> registry edits for effects limited to only some users.
>
> Other than these (and third party products that use
these,
> mostly registry manipulation, for you) local policy
will
> always function as it is designed to do - uniformly
apply
> settings to all accounts.
>
> --
> Roger Abell
> MS MVP (Security, Windows), MCDBA, MCSE both
> Associate Expert - Windows XP ExpertZone
> http://www.microsoft.com/windowsxp/expertzone
>
>.
>

You could try http://www.sfxtech.com for Folder LockIt.

"koz" > wrote in message
...
> I'm trying to use group policies, restricting
> local/network users to certian policies, but not
> restricting Administrators.
>
> example:
> local/network users:
> remove run
> remove control panel
>
> Administrators/network administrator
> run
> control (are in start menu)
>
> thanks for the help
>
> Koz

What do you mean by restrict the local groups ?
Change what they allow, or change what accounts=20
are within their memberships, or . . . ?

--=20
Roger=20

"koz" > wrote in message =
...
> Interesting, I will try this out.
>=20
> Is there a way to restrict the local groups also, like=20
> power users and such?
>=20
> Thank you again,
>=20
> koz
>=20
>=20
> >-----Original Message-----
> >"koz" > wrote in message=20
> ...
> >> I'm trying to use group policies, restricting=20
> >> local/network users to certian policies, but not=20
> >> restricting Administrators.
> >>=20
> >> example:
> >> local/network users:
> >> remove run
> >> remove control panel
> >>=20
> >> Administrators/network administrator
> >> run
> >> control (are in start menu)
> >>=20
> >> thanks for the help
> >>=20
> >> Koz=20
> >
> >
> > It is crude, but you can Deny Full Control, to those=20
> accounts=20
> > that should not be impacted by local policy, on the=20
> directory=20
> > system32\GroupPolicy. For an admin to modify the=20
> settings=20
> > in policy they need to have the Deny effecting them=20
> removed,=20
> > and then replaced when finished with the edit.
> >
> > In some cases the method outlined in KB 293655 is of=20
> use=20
> > http://support.microsoft.com/?id=3D293655=20
> >
> > For some settings you can adjust things directly with=20
> > registry edits for effects limited to only some users.
> >
> > Other than these (and third party products that use=20
> these,=20
> > mostly registry manipulation, for you) local policy=20
> will=20
> > always function as it is designed to do - uniformly=20
> apply=20
> > settings to all accounts.
> >
> > --=20
> > Roger Abell
> > MS MVP (Security, Windows), MCDBA, MCSE both
> > Associate Expert - Windows XP ExpertZone
> > http://www.microsoft.com/windowsxp/expertzone
> >
> >.
> >

yes.

a domain user logs onto a machine and he is a part of the
power user group, and has no rights to run and control
panel.

but a domain admin logs in and he has full rights to
everything...

thanks again,


koz

>-----Original Message-----
>What do you mean by restrict the local groups ?
>Change what they allow, or change what accounts
>are within their memberships, or . . . ?
>
>--
>Roger
>
>"koz" > wrote in message
...
>> Interesting, I will try this out.
>>
>> Is there a way to restrict the local groups also, like
>> power users and such?
>>
>> Thank you again,
>>
>> koz
>>
>>
>> >-----Original Message-----
>> >"koz" > wrote in message
>> ...
>> >> I'm trying to use group policies, restricting
>> >> local/network users to certian policies, but not
>> >> restricting Administrators.
>> >>
>> >> example:
>> >> local/network users:
>> >> remove run
>> >> remove control panel
>> >>
>> >> Administrators/network administrator
>> >> run
>> >> control (are in start menu)
>> >>
>> >> thanks for the help
>> >>
>> >> Koz
>> >
>> >
>> > It is crude, but you can Deny Full Control, to
those
>> accounts
>> > that should not be impacted by local policy, on the
>> directory
>> > system32\GroupPolicy. For an admin to modify the
>> settings
>> > in policy they need to have the Deny effecting them
>> removed,
>> > and then replaced when finished with the edit.
>> >
>> > In some cases the method outlined in KB 293655 is
of
>> use
>> > http://support.microsoft.com/?id=293655
>> >
>> > For some settings you can adjust things directly
with
>> > registry edits for effects limited to only some
users.
>> >
>> > Other than these (and third party products that use
>> these,
>> > mostly registry manipulation, for you) local policy
>> will
>> > always function as it is designed to do - uniformly
>> apply
>> > settings to all accounts.
>> >
>> > --
>> > Roger Abell
>> > MS MVP (Security, Windows), MCDBA, MCSE both
>> > Associate Expert - Windows XP ExpertZone
>> > http://www.microsoft.com/windowsxp/expertzone
>> >
>> >.
>> >
>.
>