Jump to content
Compatible Support Forums
Sign in to follow this  
Dredd

Local Group Policies

Recommended Posts

I have to lock down a pc today for public use. It will have only two local accounts: Administrator and Public

 

I wanted to use local group policies to lock down the public acct., but how do I set those policies so they don't affect the Administrator? I can give temporary admin rights to public and set the policies. But upon rebooting, both accounts are locked down, not just the public.

Share this post


Link to post

are you adding the administrator to the group policy aswell?

Because If you ad the admin to the same policy if its windows 2000 (not to sure about other O/S) it will set the rights to the lower policy

Share this post


Link to post

Well how do I choose what users the policy will be applied to? I have to create the policy logged in as an administrator so once I create it, it begins to apply to the admin.

Share this post


Link to post

HOW TO: Restrict Group Membership By Using Group Policy in Windows 2000

The information in this article applies to:

Microsoft Windows 2000 Server

Microsoft Windows 2000 Advanced Server

 

This article was previously published under Q320045

IN THIS TASK

SUMMARY

 

Create a Group Policy Object

Configure Group Membership

Troubleshooting

REFERENCES

SUMMARY

This step-by-step article describes how to restrict group membership by using group policy.

 

In some cases, you may want to restrict the membership of certain groups in a Windows 2000 domain to prevent the addition of other user accounts to those groups.

 

back to the top

Create a Group Policy Object

To create a Group Policy Object (GPO) with which to restrict group membership:

Start the Active Directory Users and Computers snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

In the console tree, right-click your domain or the organizational unit in which you want to create the group policy, and then click Properties.

Click the Group Policy tab, and then click New.

Type the name that you want to call this policy (for example, Account restriction policy), and then press ENTER.

Click Close.

back to the top

Configure Group Membership

Start the Active Directory Users and Computers snap-in.

In the console tree, right-click your domain or the organizational unit that contains the group policy that you want, and then click Properties.

Click the Group Policy tab, select the group policy object that you want, and then click Edit.

Expand Computer Configuration, expand Windows Settings, and then expand Security Settings.

Right-click Restricted Groups, and then click Add Group.

Click Browse, click the group that you want to add, (for example, click Backup Operators), and then click Add.

When you are finished adding groups, click OK.

In the Add Group dialog box, click OK.

 

The groups to which you want to restrict access are displayed in the right pane of the Group Policy snap-in.

Double-click a group in the right pane of the Group Policy snap-in. For example, double-click Backup Operators.

To restrict the membership of this group:

Click the Add button that corresponds to the Members of this group box.

Click Browse, click the user or group account that you want to add to the group, and then click Add.

When you are finished adding users or groups, click OK.

In the Add Member dialog box, click OK.

To restrict the groups to which this group can be a member:

Click the Add button that corresponds to the This group is a member of box.

Click Browse, click the group account to which you want to add this group, and then click Add.

When you are finished adding groups, click OK.

In the Group Membership dialog box, click OK.

In the Configure Membership for Group_name dialog box, click OK.

Quit the Group Policy snap-in, and then click OK.

back to the top

Troubleshooting

When you restrict group membership by using group policy, you may notice that you can still add users to a group to which they have been denied access. Changes to restricted groups remain in effect until group policy is refreshed. When group policy is refreshed, restricted group memberships are reapplied, removing any changes that are made to the membership of the restricted group. For additional information about how to refresh group policy, click the article number below to view the article in the Microsoft Knowledge Base:

 

227302 Using SECEDIT to Force a Group Policy Refresh Immediately

 

 

The default membership of a restricted group is no members. By leaving the group with the default membership of no members, you can provide additional security to groups to which you want to prevent membership. For example, you can use this method to ensure that no user accounts are members of the Guests group.

back to the top

REFERENCES

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

 

259576 Group Policy Application Rules for Domain Controllers

 

For more information about Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper at the following Microsoft Web site:

 

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

 

Or go here http://support.microsoft.com/default.aspx?scid=KB;en-us;320045&

 

Hope It Helps

Share this post


Link to post

I figured it out another way. I am not using active directory since I am not on a domain. This is a locked down pc that will not connect to any network. Thanks for the help though

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×