local group policy - how to apply to only certain people or groups


Post by j » Sun, 23 Dec 2001 06:01:21



I need to know how to configure local group policy so that it only
applies to certain groups of users.  Right now, by default, any change
made in the mmc applies to all users on the pc.  I want to exempt the
Administrator or people in the Administrator group on my NT network
from this policy.  I want only people in the endusers group to be
affected.

Thanks.

 
 
 


Post by Formic » Mon, 24 Dec 2001 08:50:22


In the security properties for the policy explicitly Deny the "Apply Group
Policy" right for your Administrators group.  This will cause the policy to be
applied to everyone except the Admins.


Quote:> I need to know how to configure local group policy so that it only
> applies to certain groups of users.  Right now, by default, any change
> made in the mmc applies to all users on the pc.  I want to exempt the
> Administrator or people in the Administrator group on my NT network
> from this policy.  I want only people in the endusers group to be
> effected.

> Thanks.


 
 
 


Post by Roger Abel » Mon, 24 Dec 2001 16:48:03



Quote:> In the security properties for the policy explicitly Deny the "Apply Group
> Policy"
> right for your Administrators group.  This will cause the policy to be
> applied to
> everyone except the Admins.

Can we say _local_ group policy ?  You replied for GPOs in AD.

--
Roger Abell
MS MVP (Windows Platform)



> > I need to know how to configure local group policy so that it only
> > applies to certain groups of users.  Right now, by default, any change
> > made in the mmc applies to all users on the pc.  I want to exempt the
> > Administrator or people in the Administrator group on my NT network
> > from this policy.  I want only people in the endusers group to be
> > effected.

> > Thanks.

 
 
 


Post by Roger Abel » Mon, 24 Dec 2001 16:50:39



Quote:> I need to know how to configure local group policy so that it only
> applies to certain groups of users.  Right now, by default, any change
> made in the mmc applies to all users on the pc.  I want to exempt the
> Administrator or people in the Administrator group on my NT network
> from this policy.  I want only people in the endusers group to be
> effected.

Well, you really cannot do that in any supported way.
You can deny read to the Administrators on the Group Policy
directory in system32, but you will have a song and dance
when you want to edit and alter the settings.

--
Roger Abell
MS MVP (Windows Platform)

 
 
 


Post by Formic » Tue, 25 Dec 2001 01:32:59


My bad.




> > In the security properties for the policy explicitly Deny the "Apply Group
> > Policy"
> > right for your Administrators group.  This will cause the policy to be
> > applied to
> > everyone except the Admins.

> Can we say _local_ group policy ?  You replied for GPOs in AD.

> --
> Roger Abell
> MS MVP (Windows Platform)



> > > I need to know how to configure local group policy so that it only
> > > applies to certain groups of users.  Right now, by default, any change
> > > made in the mmc applies to all users on the pc.  I want to exempt the
> > > Administrator or people in the Administrator group on my NT network
> > > from this policy.  I want only people in the endusers group to be
> > > effected.

> > > Thanks.

 
 
 


Post by j » Tue, 25 Dec 2001 22:53:12


so if i understand it, the only way to do this is through AD on WIN2k
Server?

Ouch....we are still a number of months away from upgrading our nt
servers to 2k...figured if win9x had the capability (although unstable
as hell), 2k pro should be able to do it...





>> I need to know how to configure local group policy so that it only
>> applies to certain groups of users.  Right now, by default, any change
>> made in the mmc applies to all users on the pc.  I want to exempt the
>> Administrator or people in the Administrator group on my NT network
>> from this policy.  I want only people in the endusers group to be
>> effected.

>Well, you really cannot do that in any supported way.
>You can deny read to the Administrators on the Group Policy
>directory in system32, but you will have a song and dance
>when you want to edit and alter the settings.

 
 
 


Post by Roger Abel » Fri, 28 Dec 2001 03:47:28


What you have done with Win9x is apply system policy,
which you can do for W2k clients also when in an NT 4
environment.  However, you were asking about group
policy, which is different from system policy.
System policy can be set and applied as before using
the poledit.exe tool.

--
Roger Abell
MS MVP (Windows Platform)


> so if i understand it, the only way to do this is through AD on WIN2k
> Server?

> Ouch....we are still a number of months away from upgrading our nt
> servers to 2k...figured is win9x had the capability (although unstable
> as hell), 2k pro should be able to do it...





> >> I need to know how to configure local group policy so that it only
> >> applies to certain groups of users.  Right now, by default, any change
> >> made in the mmc applies to all users on the pc.  I want to exempt the
> >> Administrator or people in the Administrator group on my NT network
> >> from this policy.  I want only people in the endusers group to be
> >> effected.

> >Well, you really cannot do that in any supported way.
> >You can deny read to the Administrators on the Group Policy
> >directory in system32, but you will have a song and dance
> >when you want to edit and alter the settings.

 
 
 


Post by JA » Sat, 29 Dec 2001 20:55:09


Review Q293655 - "How to Apply Local Policies to all Users Except
Administrators in a workgroup environment"

> What you have done with Win9x is apply system policy,
> which you can do for W2k clients also when in an NT 4
> environment.  However, you where asking about group
> policy which is different from system policy.
> system policy can be set and applied as before using
> the poledit.exe tool.

> --
> Roger Abell
> MS MVP (Windows Platform)



> > so if i understand it, the only way to do this is through AD on WIN2k
> > Server?

> > Ouch....we are still a number of months away from upgrading our nt
> > servers to 2k...figured is win9x had the capability (although unstable
> > as hell), 2k pro should be able to do it...





> > >> I need to know how to configure local group policy so that it only
> > >> applies to certain groups of users.  Right now, by default, any change
> > >> made in the mmc applies to all users on the pc.  I want to exempt the
> > >> Administrator or people in the Administrator group on my NT network
> > >> from this policy.  I want only people in the endusers group to be
> > >> effected.

> > >Well, you really cannot do that in any supported way.
> > >You can deny read to the Administrators on the Group Policy
> > >directory in system32, but you will have a song and dance
> > >when you want to edit and alter the settings.

 
 
 


Post by Roger Abel » Sun, 30 Dec 2001 02:34:28



Quote:> Review Q293655 - "How to Apply Local Policies to all Users Except
> Administrators in a workgroup environment"

PITA with more than a few users and a few machines.
It is easier to just Deny read to the Administrators if that is
the desired effect.
 
 
 


Post by Thomas W. Eato » Mon, 31 Dec 2001 08:32:00


It took me a while to figure it out but it's really not
that difficult. Create a second user with administrator
rights, "you should do this anyway". Give the first user
Full permissions to the GroupPolicy folder in System32 and
Deny all permissions to the second user. Then create a
shortcut to Gpedit.msc on the desktop while logged in as
the second user. Open the properties for that shortcut and
check the box that says "Run as a different user". Every
time you double click this icon you will be prompted for a
user name and password. Group Policy will run as if you
were logged in as that other user, allowing you to make
changes without affecting your current user account. Once
Group Policy is running you can open the local computer
properties dialog and disable the computer or user
configuration settings so that you can log in to another
user without the policies affecting it.
>-----Original Message-----


>> I need to know how to configure local group policy so that it only
>> applies to certain groups of users.  Right now, by default, any change
>> made in the mmc applies to all users on the pc.  I want to exempt the
>> Administrator or people in the Administrator group on my NT network
>> from this policy.  I want only people in the endusers group to be
>> effected.

>Well, you really cannot do that in any supported way.
>You can deny read to the Administrators on the Group Policy
>directory in system32, but you will have a song and dance
>when you want to edit and alter the settings.

>--
>Roger Abell
>MS MVP (Windows Platform)

>.

 
 
 


Post by j » Mon, 31 Dec 2001 10:37:39


right...the solution was to deny read to the registry.pol for
administrators.  





>> Review Q293655 - "How to Apply Local Policies to all Users Except
>> Administrators in a workgroup environment"

>PITA with more than a few users and a few machines
>It is easier to just Deny read to the Administrators if that is
>the desired effect.
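
The fix the thread settles on (deny Administrators read on registry.pol), as an added example that is not part of any post above. It assumes a current Windows with PowerShell run elevated, that the user-side policy file is `%SystemRoot%\System32\GroupPolicy\User\Registry.pol`, and it denies only `ReadData` (narrower than a full Deny Read) so the ACL itself stays readable; the function name and the backup file name are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumption: user-side local policy lives in
#   %SystemRoot%\System32\GroupPolicy\User\Registry.pol
function Set-LocalPolicyAdminExemption {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Registry.pol'),
        [switch]$Remove   # take the Deny entry off again before editing policy
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "No Registry.pol at $Path (no user-side local policy configured yet)."
    }
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the
    # SID avoids depending on the localized group name.
    $admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admins,
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -LiteralPath $Path
    if ($Remove) {
        [void]$acl.RemoveAccessRule($deny)
    } else {
        # Keep the previous descriptor so the change can be reviewed or undone.
        $acl.Sddl | Set-Content -LiteralPath (Join-Path $env:TEMP 'Registry.pol.sddl.txt')
        $acl.AddAccessRule($deny)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the explicit Deny entries now on the file for verification.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

Set-LocalPolicyAdminExemption            # exempt Administrators
# Set-LocalPolicyAdminExemption -Remove  # undo before running gpedit.msc
```

Members of Administrators can change this ACL back at any time, so the Deny entry is a configuration convenience rather than a restriction on administrators. It also blocks an administrator's own policy editor from reading the file, which is the "song and dance" mentioned earlier in the thread; run the `-Remove` form first when settings need to change.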