Step-by-step guide: Filter to prevent administrator lockouts

John Heuglin, Windows 2000 and XP instructor

"Help! I've locked myself out! What can I do?" That's one of the most frequently-asked questions in the SearchWindowsManageability.com's Ask the Expert mailbox. Don't get smug; it could happen to you.

Picture this: you are in workgroup or stand-alone environment where many users share a computer, and you need to place the computer on "lockdown." For example, you want to remove the "Run" command. So, you log on as the administrator, open the local Group Policy and make the necessary change to remove the "Run" command. You log off, and go about your business. A few days later, you log on to the "locked down" computer and notice that you, the administrator, do not have the "Run" command. How can this be? You are the Administrator, aren't you?

The steps below will work with Windows 2000 and XP to help "filter" the administrator (or anyone else you choose) from being affected by the local Group Policy.

  1. Logon as the administrator.

  2. Click START>>>RUN and enter "GPEdit.MSC" – this will open the local Group Policy.

  3. Configure the appropriate Computer and User settings to "lock down" the machine (i.e. – Remove the Run command).

  4. Close the Policy window.

  5. In Windows Explorer, right click on "%systemroot%System32GroupPolicygpt.ini" and select Properties.

  6. Select the Security tab.

  7. Select

Requires Free Membership to View

  1. the "Administrators" group in the Access Control List (ACL).

  2. Select the "Deny" box for Full Control and select OK.

  3. Log off/Log on as the administrator

Once this task is completed, the administrator will no longer be affected by the local GPO, but all other users will. However, because you have denied yourself permission to read the local GPO, you cannot edit it the local Group Policy on the fly. You must go back in and uncheck the "Deny" permissions on the gpt.ini file prior to making changes to the local Group Policy.

About the author: John Heuglin is Microsoft Windows XP Professional and Windows 2000 Server Instructor at Louisville Technical Institute in Louisville, Ky. He holds N+, CNE, MCP+I, MCSA, MCSE(NT4/2K) and MCT certifications.

This was first published in August 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.