Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Setting up group policy on win 2000 no domain

Status
Not open for further replies.
rakone

rakone

Technical User
Feb 26, 2003
29
US
I recently posted a question on group policy setting for a win 2k work group computer with no domain and without running active directory.

My question was how do you set up the policy so it effects all “users” expect for “Administrator.”

I got a reply but when I tried it, doesn’t seem to work, is there something I’m not doing right. Here’s what I was told

If the volume is formatted using NTFS you can set Discretionary Access Control Lists
(DACLs) on the Group Policy object so that specified groups are either affected or
not affected by the settings contained within that Group Policy object.

Say, for example, that you want to use Group Policies to prevent members of all
groups but Administrators from running Network and Dial-up Connections. You would:

-- Log in as local Administrator

-- Run gpedit.msc
- Set to 0 (zero): User Configuration\Administrative Templates\System\Group
Policy: Group Policy refresh interval for users [Note: This is a precaution so that
policies does not get refreshed/applied in an untimely manner].
- Set to Enabled: User Configuration\Administrative Templates\Start Menu and
Taskbar: Remove Network and Dial-up Connections from the Start Menu.

-- Close gpedit.msc.

-- Use Explorer to navigate to: C:\WINNT\system32\GroupPolicy\User\Registry.pol
- Right-click this file and then click Properties
- Select the Security tab
- In the Name box select Administrators
- In the Permissions area click the Deny checkbox for Read

For more information about how "To set, view, change, or remove file and folder
permissions", search Windows 2000 Help for words in double-quotes.

To make subsequent changes to the local Group Policy object, you must give yourself
Read access to ...GroupPolicy\User\Registry.pol, make the changes, and then remove
Read access. Keep in mind if you fail to remove Read access, log off, then log back
on, all policies are going to apply to you. And depending on the policies that you
have set, this may or may not put you in a very difficult situation.
Carrie Garth, Microsoft MVP for Windows 2000


I did everything any advice would be helpful.

Thanks
rak
 
Sort by date Sort by votes
Yes that's how I changed the policy.
 
Upvote 0 Downvote
According to M$, to do this you have to modify the registry. What policies are you trying to enforce? I covered a similar problem in thread616-600916.
This is basically what I told him and it worked.
What you might try is logon as one of you "problem children". Run REGEDIT and navigate to \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Look and see if you can tell what key restricts the Display Properties. Then logon as Administrator and navigate to the same key and remove it. I don't know if this will work, but if you try it, make sure to keep very careful documentation of any changes you make in the registry to put them back if you notice trouble....
That was just for the display, you will have to find the correct key for what you are trying to do.


Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Upvote 0 Downvote
You do not need to change the registry file at all(physically in regedit anyway). Follow these steps and your policy will work for everyone except administrator.
---Login As Administrator
1) Search for GPEDIT
2) Double Click GPEDIT when it comes up. Make sure you have hidden files enabled.
3) Set your group policy under user configuration.
4) Close out
---Test it for example if you removed the run command you should not see it in start, for now even as administrator, but we will change that in the following steps.
5) Search for registry.pol (probably 2 files will appear) Copy the one that has user configuration.
6) Paste it in a new folder on your desktop.
7) Repeat step 1
8) All the settengs that you enabled for the group policy you must now disable them. Do NOT chose NOT CONFIGURED. Make sure you chose disable.
9) Once you disable the settings that you enabled in step 3 copy the registry.pol that you put in a new folder on your desktop to

C:\Winnt\system32\grouppolicy(its a hidden folder)\user say yes to overwrite.
10) Log off and on as a regular user and the policy will be in affect. Then login as administrator and you will have no policy set on the same machine.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Keyboy
  • Locked
  • Question
Computer freezing up
Replies
3
Views
1K
Rick998
Rick998
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
1
Views
302
pjw001
pjw001
Flinx
  • Locked
  • Question
the SAGA of trying to get a computer to sleep and wake up on a schedule
Replies
1
Views
598
Flinx
Flinx
pjw001
  • Locked
  • Question
Programs not loading on Windows 11 Version 22H2.
Replies
9
Views
441
pjw001
pjw001
pjw001
  • Locked
  • Question
Latest Windows Update - End of Service
Replies
2
Views
904
pjw001
pjw001

Part and Inventory Search

Sponsor

Back
Top