Dredd 0 Posted November 25, 2002 I have to lock down a pc today for public use. It will have only two local accounts: Administrator and Public I wanted to use local group policies to lock down the public acct., but how do I set those policies so they don't affect the Administrator? I can give temporary admin rights to public and set the policies. But upon rebooting, both accounts are locked down, not just the public. Share this post Link to post
pkirtley 0 Posted November 25, 2002 are you adding the administrator to the group policy aswell? Because If you ad the admin to the same policy if its windows 2000 (not to sure about other O/S) it will set the rights to the lower policy Share this post Link to post
Dredd 0 Posted November 25, 2002 Well how do I choose what users the policy will be applied to? I have to create the policy logged in as an administrator so once I create it, it begins to apply to the admin. Share this post Link to post
pkirtley 0 Posted November 25, 2002 HOW TO: Restrict Group Membership By Using Group Policy in Windows 2000 The information in this article applies to: Microsoft Windows 2000 Server Microsoft Windows 2000 Advanced Server This article was previously published under Q320045 IN THIS TASK SUMMARY Create a Group Policy Object Configure Group Membership Troubleshooting REFERENCES SUMMARY This step-by-step article describes how to restrict group membership by using group policy. In some cases, you may want to restrict the membership of certain groups in a Windows 2000 domain to prevent the addition of other user accounts to those groups. back to the top Create a Group Policy Object To create a Group Policy Object (GPO) with which to restrict group membership: Start the Active Directory Users and Computers snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. In the console tree, right-click your domain or the organizational unit in which you want to create the group policy, and then click Properties. Click the Group Policy tab, and then click New. Type the name that you want to call this policy (for example, Account restriction policy), and then press ENTER. Click Close. back to the top Configure Group Membership Start the Active Directory Users and Computers snap-in. In the console tree, right-click your domain or the organizational unit that contains the group policy that you want, and then click Properties. Click the Group Policy tab, select the group policy object that you want, and then click Edit. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings. Right-click Restricted Groups, and then click Add Group. Click Browse, click the group that you want to add, (for example, click Backup Operators), and then click Add. When you are finished adding groups, click OK. In the Add Group dialog box, click OK. The groups to which you want to restrict access are displayed in the right pane of the Group Policy snap-in. Double-click a group in the right pane of the Group Policy snap-in. For example, double-click Backup Operators. To restrict the membership of this group: Click the Add button that corresponds to the Members of this group box. Click Browse, click the user or group account that you want to add to the group, and then click Add. When you are finished adding users or groups, click OK. In the Add Member dialog box, click OK. To restrict the groups to which this group can be a member: Click the Add button that corresponds to the This group is a member of box. Click Browse, click the group account to which you want to add this group, and then click Add. When you are finished adding groups, click OK. In the Group Membership dialog box, click OK. In the Configure Membership for Group_name dialog box, click OK. Quit the Group Policy snap-in, and then click OK. back to the top Troubleshooting When you restrict group membership by using group policy, you may notice that you can still add users to a group to which they have been denied access. Changes to restricted groups remain in effect until group policy is refreshed. When group policy is refreshed, restricted group memberships are reapplied, removing any changes that are made to the membership of the restricted group. For additional information about how to refresh group policy, click the article number below to view the article in the Microsoft Knowledge Base: 227302 Using SECEDIT to Force a Group Policy Refresh Immediately The default membership of a restricted group is no members. By leaving the group with the default membership of no members, you can provide additional security to groups to which you want to prevent membership. For example, you can use this method to ensure that no user accounts are members of the Guests group. back to the top REFERENCES For additional information, click the article number below to view the article in the Microsoft Knowledge Base: 259576 Group Policy Application Rules for Domain Controllers For more information about Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper at the following Microsoft Web site: http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp Or go here http://support.microsoft.com/default.aspx?scid=KB;en-us;320045& Hope It Helps Share this post Link to post
Dredd 0 Posted November 25, 2002 I figured it out another way. I am not using active directory since I am not on a domain. This is a locked down pc that will not connect to any network. Thanks for the help though Share this post Link to post