Q

Creating a system policy to lock down all users except administrator

I want to create a Windows 2000 policy file and ensure it applies to all users of a computer except the administrator.

Brief: I am building a 'Master' Windows 2000 Pro machine to be imaged for distribution to around 25 machines in an education environment. The cloned machines will be connecting to an NT4 server on a domain. I am having difficulty locking down the machines for all users except the administrator (it's easy to lock down all users including administrator).

Basically, I want to create a Win2k policy file and ensure it applies to all users of a computer except the administrator. Authentication will be provided by the NT4 DC. Local user profiles will be deleted on shutdown/startup, and roaming profiles are not going to be used.

Any assistance would be greatly appreciated.

The problem with NT 4.0 System Policies is that they change the operation of the machine on a more permanent basis than we administrators usually intend. So, say a domain user named Joe logs in to the machine. He has a very restrictive policy. The policy generally changes a bunch of registry options to lock down the machine. Now, Joe logs off. The settings imprinted in the registry (or tattooed, as some MS literature says) are not removed when Joe logs out. Now the administrator logs in. Generally, you have made it so that the Administrator does not have a policy applied, figuring he will have free rein of the machine. Nope. You have to specifically create a system policy that counteracts each change you forced in Joe's more restrictive policy. This will alter the registry settings back, allowing the Administrator account access. Thankfully, Windows 2000 Group Policies (created in Active Directory) do NOT work this way.
This was first published in June 2002
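
The tattooing behaviour described in the answer, as an added example that is not part of the original page: a simplified Python model of policy settings persisting after logoff, plus a helper that derives the counteracting Administrator policy. The three-state model (enable, clear, ignore), the function names and the sample registry values (NoRun, NoFind, DisableRegistryTools) are assumptions chosen for illustration.

```python
"""Simplified model of NT 4.0 System Policy "tattooing" (constructed example)."""

ENABLE, CLEAR, IGNORE = "enable", "clear", "ignore"   # the three policy states

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample policy for the restricted user in the answer ("Joe").
JOE_POLICY = {
    (EXPLORER, "NoRun"): ENABLE,
    (EXPLORER, "NoFind"): ENABLE,
    (SYSTEM, "DisableRegistryTools"): ENABLE,
}

def apply_policy(registry, policy):
    """Merge a policy into the registry at logon; nothing is undone at logoff."""
    for setting, state in policy.items():
        if state == ENABLE:
            registry[setting] = 1
        elif state == CLEAR:
            registry.pop(setting, None)
        # IGNORE: leave whatever an earlier logon wrote
    return registry

def counter_policy(restrictive):
    """Build the policy that explicitly clears every setting `restrictive` enables."""
    return {s: CLEAR for s, state in restrictive.items() if state == ENABLE}

def leftover_restrictions(registry, policy):
    """Settings still enforced in the registry that `policy` does not clear."""
    return sorted(name for (key, name), data in registry.items()
                  if data == 1 and policy.get((key, name), IGNORE) != CLEAR)

def demo():
    registry = {}
    apply_policy(registry, JOE_POLICY)           # Joe logs on, then logs off
    no_policy = {}                               # Administrator with no policy
    apply_policy(registry, no_policy)
    tattooed = leftover_restrictions(registry, no_policy)
    admin_policy = counter_policy(JOE_POLICY)    # Administrator with counter-policy
    apply_policy(registry, admin_policy)
    return tattooed, registry

if __name__ == "__main__":
    tattooed, final = demo()
    print("left behind for Administrator:", tattooed)
    print("after counter-policy:", final)
```
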
