Lockdown by group using Local Computer Policy without Active Directory


You want to begin using some of the power of Active Directory’s Group Policy
Objects (GPO) but for many reasons, it is not available. You have been
experimenting with securing your Windows 2000 boxes using the Local Computer Policy. Its a lot easier and safer to than
registry hacks but you quickly learn that any policies set apply to everyone,
including the administrator. Almost never what you want. If the %systemdrive% is
NTFS, you can use NTFS file and directory permissions to get around this.
Windows 2000 and Windows XP ‘s Local Computer Policy
User policies depend on read access to the %systemroot%\system32\GroupPolicy folder. The trick: deny read
access to any group you do not want the local policies to apply. This technology
is limited in that you can only have two types of policies per system. This
doubles the default. You have to go to Active Directory GPO’s to implement a
fully feature security model.



  • Set your policies via Local Computer Policy.
    If
    you haven’t used the mmc

    • Click Start | Run, type mmc and press enter
      Console1 window pops up
    • Click Console
    • Select Add/Remove Snap-in…
    • Click Add button
    • Scroll to Group Policy within the Add Standalone Snap-in dialog
    • Highlight Group Policy snap-in and click Add button.
    • Click Finish when prompted to finish with Local Computer as the Group Policy
      Object.
    • Click Close
    • Click OK
      Console1 window is back
    • Change console mode from author to user mode

      • Click Console
      • Click Options
      • Select User mode – limited access – single window
        from the Console change mode dropdown
      • Click OK (take defaults)

    • Click Console
    • Click Save As…
    • Enter name of choice for the console (my policy, wayne’s local policy,
      user policy, whatever

    • Click Save
    • Exit Console1
    • Edit the local policies as you need
      your user console is part of your
      Admin Tools

      • Click Start
      • Select Programs
      • Select Administrative Tools
      • Select Wayne’s Local Policy
        or whatever you called the mmc console

  • Set NTFS permissions to explicitly deny read to folder %systemroot%\system32\GroupPolicy for the group you do not
    want tha policies to apply to.

    The %systemroot%\system32\GroupPolicy folder is
    hidden. You will have to change your folder options to display hidden files.


  • If admin is excluded from the policies, logoff and back on.
This
technique can be very useful in kiosk or shared PC environments. This tips is
Windows 2000 and Windows XP compatible.

David sent me the following valuable addition:

However I ran into a problem… I made the
%SystemRoot%\system32\GroupPolicy\ accessable by Administrator so I could run
gpedit.msc and edit the policy file and then would make the directory
un-accessable by administrator once I was done. However, some policies take
place as soon as you enable them, and I ended up locking myself out of the
policy editor 🙂

If you go in Computer Configuration\Administrative Templates\System\Group
Policy and end enable “Turn off background refresh of Group Policy”, then
reboot, it makes using local policies a little easier. It won’t enable policies
until the user logs back in, so you don’t screw the Administrator account while
logged on as it mucking around with the policies.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top