Create Security Group to except Admin ?

By tomhass
I need to apply a group policy but I cannot except Administrator (or Domain Admins) from getting the same lockdown.

This is driving me crazy...please help !

by Mike Jones In reply to Create Security Group to ...

You need to change the permissions on the c:\winnt\system32\GroupPolicy folder and deny read access to the administrator account or administrators group.

Ideally, you should do this before creating the Group Policy.

You should create a new local account with Admin privileges which you should use while creating the Group Policy. Then if you lock yourself out, you can log on as administrator and recover the system.

The GroupPolicy refreshes itself in the background while you are applying the policies, so it's quite easy to lock yourself out if not careful.

The way I set up a machine while I'm testing a new policy is by creating a GroupPolicy group and giving that group Deny access on the GroupPolicy folder.

I then have two batch files on the desktop of the administrator which automatically add or remove the administrator account to or from the GroupPolicy group.

NET LOCALGROUP "Group Policy" administrator /delete

or /add

This way even if you lock down the PC, you can add the administrator account into the GroupPolicy group and then logging off and back on will remove the policy allowing you to recover the PC.

by tomhass In reply to Create Security Group to ...

Mike

I am probably going to accept this answer as it is informative. However, I appear to have found a simpler way:-
1. Remove authenticated users from Group Policy users
2. Add intended group with "Apply Group Policy" ticked
3. Make sure Domain Admins does NOT have "Apply Group Policy" ticked

Appeared to work - if you would confirm that I have not misread the situation the points are yours.

Thanks

T
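
The three steps above, sketched with the GroupPolicy PowerShell module as an added example (not part of the original posts). The GPO and group names are hypothetical placeholders and a domain-joined host with GPMC/RSAT is assumed; unlike step 1 as posted, this version keeps Read for Authenticated Users and removes only Apply.

```powershell
# Added example: security filtering so a lockdown GPO applies only to one group.
# Assumptions: GroupPolicy module (GPMC/RSAT) is installed; names below are placeholders.
Import-Module GroupPolicy

$GpoName     = 'Workstation Lockdown'   # hypothetical GPO name
$TargetGroup = 'Locked Down Users'      # hypothetical security group

# Step 1: take "Apply Group Policy" away from Authenticated Users.
# Domain Admins are also Authenticated Users, so this is what exempts them.
# Read is kept because, since the MS16-072 update, user policy is retrieved in
# the computer's security context and computers must still be able to read the GPO.
# -Replace is required to lower an existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: grant Read + Apply to the intended group only.
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Step 3: verify. List every trustee on the GPO and flag any broad or
# administrative group that still holds Apply.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Sort-Object { $_.Trustee.Name } |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize

$mustNotApply = 'Domain Admins', 'Enterprise Admins', 'Authenticated Users',
                'Domain Users', 'Everyone'
$offenders = $acl | Where-Object {
    $_.Permission -eq 'GpoApply' -and $mustNotApply -contains $_.Trustee.Name
}

if ($offenders) {
    $names = ($offenders | ForEach-Object { $_.Trustee.Name }) -join ', '
    Write-Warning "GPO '$GpoName' still applies to: $names"
} else {
    Write-Output "GPO '$GpoName' applies only to explicitly filtered groups."
}

# Nested membership is not visible in the GPO ACL: confirm that no admin
# account is a (direct or indirect) member of the target group.
Get-ADGroupMember -Identity $TargetGroup -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

`Get-ADGroupMember` comes from the separate ActiveDirectory module; run `gpresult /r` as an admin account afterwards to confirm the GPO shows up as filtered out.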

by leon_guerrero In reply to Create Security Group to ...

If you're using W2K w/ Active Directory one thing you can do is make a new OU and under properties select the group policy tab and check the 'block policy inheritance' check box. Then move any user or group into that OU and they should be excluded from the group policy.

by tomhass In reply to Create Security Group to ...

Good info but not quite what I was after...why do this rather than my scheme in the first comment box ?

by Mike Jones In reply to Create Security Group to ...

Same principle, the solution I supplied is for when you apply the Group Policy against the PC.

We use Novell on our site and therefore cannot use the Domain Group Policy features.

You applied the permissions at the domain level which, thinking about it, is simpler because you don't have to visit each PC to change permissions.

by leon_guerrero In reply to Create Security Group to ...

To answer your question: I do it this way because we always get: The accounting department wants to change their background today because the Feng Shui energy is out of whack (I'm serious!). George wants to change his screensaver. Linda really needs to download a file from the Internet. They are allowed to do this only if they get approval from management, but until then I have to lock those settings down. So it's easier for me to just move them to the group policy exempt OU, let them make their changes and move them back out again to lock them down. Also I'm so busy I may forget who I exempted from group policy. But having that OU I just look in it and I know who exactly is being exempt from group policy. Works for me, but may not be the best thing for everyone.
-------------------------------------------------
If you're using W2K w/ Active Directory one thing you can do is make a new OU and under properties select the group policy tab and check the 'block policy inheritance' check box. Then move any user or group into that OU and they should be excluded from the group policy.

Comment from tomhass on 2/7/03:
Good info but not quite what I was after...why do this rather than my scheme in the first comment box ?

by tomhass In reply to Create Security Group to ...

This question was closed by the author