Lockdown by group using Local Computer Policy without Active Directory


You want to begin using some of the power of Active Directory’s Group Policy
Objects (GPOs), but for many reasons it is not available. You have been
experimenting with securing your Windows 2000 boxes using the Local Computer
Policy. It is a lot easier and safer than registry hacks, but you quickly learn
that any policies you set apply to everyone, including the administrator. That
is almost never what you want. If %systemdrive% is NTFS, you can use NTFS file
and directory permissions to get around this.

Windows 2000 and Windows XP’s Local Computer Policy user policies depend on
read access to the %systemroot%\system32\GroupPolicy folder. The trick: deny
read access to any group you do not want the local policies to apply to. This
technique is limited in that you can only have two types of policy per system,
which doubles the default of one. You have to go to Active Directory GPOs to
implement a fully featured security model.



  • Set your policies via Local Computer Policy. If you haven’t used the mmc
    before:

    • Click Start | Run, type mmc and press Enter. The Console1 window pops up.
    • Click Console.
    • Select Add/Remove Snap-in…
    • Click the Add button.
    • Scroll to Group Policy within the Add Standalone Snap-in dialog.
    • Highlight the Group Policy snap-in and click the Add button.
    • Click Finish when prompted, with Local Computer as the Group Policy
      Object.
    • Click Close.
    • Click OK. The Console1 window is back.
    • Change the console mode from author mode to user mode:

      • Click Console.
      • Click Options.
      • Select User mode – limited access – single window from the Console
        mode dropdown.
      • Click OK (take the defaults).

    • Click Console.
    • Click Save As…
    • Enter a name of your choice for the console (my policy, wayne’s local
      policy, user policy, whatever).
    • Click Save.
    • Exit Console1.
    • Edit the local policies as you need. Your user console is now part of
      your Administrative Tools:

      • Click Start.
      • Select Programs.
      • Select Administrative Tools.
      • Select Wayne’s Local Policy, or whatever you called the mmc console.

  • Set NTFS permissions to explicitly deny Read on the folder
    %systemroot%\system32\GroupPolicy for the group you do not want the
    policies to apply to.

    The %systemroot%\system32\GroupPolicy folder is hidden. You will have to
    change your folder options to display hidden files.

  • If the administrator is excluded from the policies, log off and back on.

This technique can be very useful in kiosk or shared PC environments. This tip
is Windows 2000 and Windows XP compatible.

David sent me the following valuable addition:

However, I ran into a problem… I made
%SystemRoot%\system32\GroupPolicy\ accessible by Administrator so I could run
gpedit.msc and edit the policy file, and then would make the directory
inaccessible by Administrator once I was done. However, some policies take
place as soon as you enable them, and I ended up locking myself out of the
policy editor 🙂

If you go in Computer Configuration\Administrative Templates\System\Group
Policy and enable “Turn off background refresh of Group Policy”, then
reboot, it makes using local policies a little easier. It won’t enable policies
until the user logs back in, so you don’t screw up the Administrator account
while logged on as it, mucking around with the policies.
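The NTFS deny step from the procedure above and the lock-out David describes, scripted as an added example that is not from the original tip or from David: it applies the explicit Deny Read on the GroupPolicy folder for one group, lists the Deny entries so you can check who is excluded, and removes the Deny again so an excluded administrator can open gpedit.msc. It assumes PowerShell 2.0 or later (not available on Windows 2000), an administrator session, and a local group named `PolicyExempt` that holds the accounts the local policy must not touch; that group name is a placeholder.

```powershell
# Added example, not part of the original tip. Assumes PowerShell 2.0+,
# an administrator session, and a local group 'PolicyExempt' (placeholder).
$GpoFolder   = Join-Path $env:SystemRoot 'system32\GroupPolicy'
$ExemptGroup = 'PolicyExempt'

function Add-GpoReadDeny {
    param([string]$Group = $ExemptGroup, [string]$Path = $GpoFolder)
    $acl = Get-Acl -Path $Path
    # Explicit Deny of Read on the folder and everything below it. A Deny ACE
    # wins over any Allow the group also holds, so members can no longer read
    # the policy files and the user-side local policy stops applying to them.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-GpoReadDeny {
    # Undo step. Run this before editing with gpedit.msc as a member of the
    # excluded group, otherwise the editor cannot read the policy folder.
    # The folder owner (normally Administrators) can always rewrite the ACL,
    # so an administrator who is locked out can still recover this way.
    param([string]$Group = $ExemptGroup, [string]$Path = $GpoFolder)
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$Group"
    } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-GpoReadDeny {
    # Check: which identities are currently denied on the policy folder.
    param([string]$Path = $GpoFolder)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Add-GpoReadDeny      # exclude the placeholder group from the local policy
Get-GpoReadDeny      # confirm exactly one Deny entry and whom it names
# Remove-GpoReadDeny # re-open the folder before the next gpedit.msc session
```

As the procedure notes, an excluded account only sees the change after it logs off and back on.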
