Local Group Policies
I have to lock down a pc today for public use. It will have only two local accounts: Administrator and Public.
I wanted to use local group policies to lock down the public acct., but how do I set those policies so they don't affect the Administrator? I can give temporary admin rights to public and set the policies. But upon rebooting, both accounts are locked down, not just the public.
Responses to this topic
HOW TO: Restrict Group Membership By Using Group Policy in Windows 2000
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
This article was previously published under Q320045
SUMMARY
This step-by-step article describes how to restrict group membership by using group policy.
In some cases, you may want to restrict the membership of certain groups in a Windows 2000 domain to prevent the addition of other user accounts to those groups.
Create a Group Policy Object
To create a Group Policy Object (GPO) with which to restrict group membership:
Start the Active Directory Users and Computers snap-in. To do so, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
In the console tree, right-click your domain or the organizational unit in which you want to create the group policy, and then click Properties.
Click the Group Policy tab, and then click New.
Type the name that you want to call this policy (for example, Account restriction policy), and then press ENTER.
Click Close.
Configure Group Membership
Start the Active Directory Users and Computers snap-in.
In the console tree, right-click your domain or the organizational unit that contains the group policy that you want, and then click Properties.
Click the Group Policy tab, select the group policy object that you want, and then click Edit.
Expand Computer Configuration, expand Windows Settings, and then expand Security Settings.
Right-click Restricted Groups, and then click Add Group.
Click Browse, click the group that you want to add (for example, click Backup Operators), and then click Add.
When you are finished adding groups, click OK.
In the Add Group dialog box, click OK.
The groups to which you want to restrict access are displayed in the right pane of the Group Policy snap-in.
Double-click a group in the right pane of the Group Policy snap-in. For example, double-click Backup Operators.
To restrict the membership of this group:
Click the Add button that corresponds to the Members of this group box.
Click Browse, click the user or group account that you want to add to the group, and then click Add.
When you are finished adding users or groups, click OK.
In the Add Member dialog box, click OK.
To restrict the groups to which this group can be a member:
Click the Add button that corresponds to the This group is a member of box.
Click Browse, click the group account to which you want to add this group, and then click Add.
When you are finished adding groups, click OK.
In the Group Membership dialog box, click OK.
In the Configure Membership for Group_name dialog box, click OK.
Quit the Group Policy snap-in, and then click OK.
Troubleshooting
When you restrict group membership by using group policy, you may notice that you can still add users to a group to which they have been denied access. Changes to restricted groups remain in effect until group policy is refreshed. When group policy is refreshed, restricted group memberships are reapplied, removing any changes that are made to the membership of the restricted group. For additional information about how to refresh group policy, click the article number below to view the article in the Microsoft Knowledge Base:
227302 Using SECEDIT to Force a Group Policy Refresh Immediately
The default membership of a restricted group is no members. By leaving the group with the default membership of no members, you can provide additional security to groups to which you want to prevent membership. For example, you can use this method to ensure that no user accounts are members of the Guests group.
REFERENCES
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
259576 Group Policy Application Rules for Domain Controllers
For more information about Group Policy, see the "Introduction to Windows 2000 Group Policy" white paper at the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp
Or go here http://support.microsoft.com/default.aspx?scid=KB;en-us;320045&
Hope It Helps
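An added example, not part of the original post or the Microsoft article: Restricted Groups settings are stored in the [Group Membership] section of a security template, and the Python sketch below parses such a section and reports which members the next policy refresh would remove or add, as the Troubleshooting text describes. The template text, the EXAMPLE domain, the account names and the function names are all constructed for illustration.

```python
import configparser

# Constructed sample: the [Group Membership] section of a security template,
# the text form in which Restricted Groups settings are stored.
TEMPLATE = """
[Group Membership]
Backup Operators__Memberof =
Backup Operators__Members = EXAMPLE\\svc-backup,EXAMPLE\\alice
Guests__Memberof =
Guests__Members =
"""

# Constructed sample: membership as it stands before the next policy refresh.
CURRENT = {
    "Backup Operators": {"EXAMPLE\\svc-backup", "EXAMPLE\\mallory"},
    "Guests": {"Guest"},
}


def parse_restricted_groups(text):
    """Return {group: set(members)} from the __Members lines of the template."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of group names
    cp.read_string(text)
    policy = {}
    for key, value in cp["Group Membership"].items():
        group, _, kind = key.rpartition("__")
        if kind.lower() == "members":
            policy[group] = {m.strip() for m in value.split(",") if m.strip()}
    return policy


def refresh_effect(policy, current):
    """For each restricted group, list what a refresh would remove and add."""
    report = {}
    for group, allowed in policy.items():
        # Account names are compared case-insensitively.
        have = {m.lower(): m for m in current.get(group, set())}
        want = {m.lower(): m for m in allowed}
        report[group] = {
            "removed": sorted(have[k] for k in have.keys() - want.keys()),
            "added": sorted(want[k] for k in want.keys() - have.keys()),
        }
    return report


if __name__ == "__main__":
    for group, diff in refresh_effect(parse_restricted_groups(TEMPLATE), CURRENT).items():
        print(group, diff)
```

An empty `__Members` line is the "no members" default the article mentions, so every account found in that group is listed as removed.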