"Help! I've locked myself out! What can I do?" That's one of the most frequently-asked questions in the SearchWindowsManageability.com's Ask the Expert mailbox. Don't get smug; it could happen to you.
Picture this: you are in workgroup or stand-alone environment where many users share a computer, and you need to place the computer on "lockdown." For example, you want to remove the "Run" command. So, you log on as the administrator, open the local Group Policy and make the necessary change to remove the "Run" command. You log off, and go about your business. A few days later, you log on to the "locked down" computer and notice that you, the administrator, do not have the "Run" command. How can this be? You are the Administrator, aren't you?
The steps below will work with Windows 2000 and XP to help "filter" the administrator (or anyone else you choose) from being affected by the local Group Policy.
- Logon as the administrator.
- Click START>>>RUN and enter "GPEdit.MSC" – this will open the local Group Policy.
- Configure the appropriate Computer and User settings to "lock down" the machine (i.e. – Remove the Run command).
- Close the Policy window.
- In Windows Explorer, right click on "%systemroot%System32GroupPolicygpt.ini" and select Properties.
- Select the Security tab.
- Select the "Administrators" group in the Access Control List (ACL).
- Select the "Deny" box for Full Control and select OK.
- Log off/Log on as the administrator
About the author: John Heuglin is Microsoft Windows XP Professional and Windows 2000 Server Instructor at Louisville Technical Institute in Louisville, Ky. He holds N+, CNE, MCP+I, MCSA, MCSE(NT4/2K) and MCT certifications.