Step-by-step guide: Filter to prevent administrator lockouts

These steps will work with Windows 2000 and XP to help "filter" the Administrator from the local group policy.

This Content Component encountered an error

"Help! I've locked myself out! What can I do?" That's one of the most frequently-asked questions in the SearchWindowsManageability.com's Ask the Expert mailbox. Don't get smug; it could happen to you.

Picture this: you are in workgroup or stand-alone environment where many users share a computer, and you need to place the computer on "lockdown." For example, you want to remove the "Run" command. So, you log on as the administrator, open the local Group Policy and make the necessary change to remove the "Run" command. You log off, and go about your business. A few days later, you log on to the "locked down" computer and notice that you, the administrator, do not have the "Run" command. How can this be? You are the Administrator, aren't you?

The steps below will work with Windows 2000 and XP to help "filter" the administrator (or anyone else you choose) from being affected by the local Group Policy.

  1. Logon as the administrator.

  2. Click START>>>RUN and enter "GPEdit.MSC" – this will open the local Group Policy.

  3. Configure the appropriate Computer and User settings to "lock down" the machine (i.e. – Remove the Run command).

  4. Close the Policy window.

  5. In Windows Explorer, right click on "%systemroot%System32GroupPolicygpt.ini" and select Properties.

  6. Select the Security tab.

  7. Select the "Administrators" group in the Access Control List (ACL).

  8. Select the "Deny" box for Full Control and select OK.

  9. Log off/Log on as the administrator

Once this task is completed, the administrator will no longer be affected by the local GPO, but all other users will. However, because you have denied yourself permission to read the local GPO, you cannot edit it the local Group Policy on the fly. You must go back in and uncheck the "Deny" permissions on the gpt.ini file prior to making changes to the local Group Policy.

About the author: John Heuglin is Microsoft Windows XP Professional and Windows 2000 Server Instructor at Louisville Technical Institute in Louisville, Ky. He holds N+, CNE, MCP+I, MCSA, MCSE(NT4/2K) and MCT certifications.


This was first published in August 2002

Dig deeper on Microsoft Active Directory Tools and Troubleshooting

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close