awesome. i think i am going to stick with the standard setup for now. but this is great information for the future. thanks! On Dec 26, 2007 11:59 AM, TSguy92 Lan <tsguy92@xxxxxxxxx> wrote: > From what I've read of your question. You want to enforce some restrictive > computer level policy settings on all your end users and have that setting > not affect your administrators when they login to those machines. > > Actually, to a very limited degree you can do this...MS has some KB's on > how to do this with servers in a workgroup. > > Check out: > > http://support.microsoft.com/default.aspx?scid=kb;en-us;325351 = Q325351 – > how to apply local policies to all users except for administrators on > Windows 2003 servers in a workgroup. > > http://support.microsoft.com/default.aspx?scid=kb;en-us;293655 = Q293655 – > "……………………………………………………………………………" Windows 2000 servers in a workgroup. > > Having run into a similar issue in the past myself, I found the above > articles, and ended up using my own methodology (listed below) to setup a > machine level policy on a server that affected users only, and not > administrators. One thing to keep in mind with this alternative setup is > that these settings are being done via " Gpedit.msc" the local group > policy editor on each server. These settings can't be defined and > manipulated for multiple systems at an OU level, they should be done Per > machine. > > I cannot stress enough however, that it's very easy to lock yourself > "admins" out of a system if you make a mistake with these changes. I'd > highly suggest testing this out with non-production systems first, and if > you're comfortable with the process, then move up to enforcing these > settings to your live systems. > > 1. As an admin account login to the machine you want to lock down. > > 2. go to 'start' – 'run' – and type 'gpedit.msc' – press enter. > > 3. configure all the computer level restrictions you want. > > a. Note as soon as you close this window your session (if on > a windows 2003 server) will have applied all the restrictions you've setup. > > 4. Log off from the console of the machine. > > 5. Login to *a different machine in the domain *as an admin account. > > > 6. go to 'start' – 'run' and type \\machinename\c$ (in order to > remotely get to the C: drive of the machine you just used gpedit.msc on) > > 7. Once connected to the remote systems' c:, browse to C:\windows ( > winnt for win2k)\system32, and find the "hidden" folder called " > GroupPolicy" > > 8. check the NTFS permissions on this folder, and set a "*deny*" > permission for administrators, in "*reading *" this folder. > > a. *Do not make any permissions changes to 'system', or > 'authenticated users'.* > > b. Do not add in groups / users to this permissions area. > > c. Do not remove any groups / users from this permissions area. > > 9. Login to the restricted machine as an administrative account to > verify the restrictions are not affecting the admin session. > > a. In some cases, it is necessary to delete and recreate the > admins local profile on the locked down machine to clean up restrictions > which may have been applied in step 3a. > > This setup has some benefits and some negatives attached. This can be very > useful in setting up group policy like restrictions for 'roaming laptops' or > for machines that aren't part of a domain. However, administration on the > policies takes some work, as you have to reverse steps 7 through 9 and grant > the Admins permissions to the 'group policy' folder again, to be able to > edit the policy if needed. > > Be careful with this setup and try out just a few restrictions first so > you can see what steps will have to be used to allow admins back in to > modify the system. > HTH > > Lan > > > On Dec 22, 2007 8:29 AM, Jon Luchette <jon.e.luchette@xxxxxxxxx> wrote: > > > ok thanks! so I cannot have different machine policies for different > > groups of users? > > > > On 12/22/07, Greg Reese <gareese@xxxxxxxxx> wrote: > > > computer settings will apply for everyone, user settings will apply to > > each > > > group. > > > > > > I usually setup mine similar. it works pretty well. For the sake of > > staying > > > organized, I try to keep all the machine policies in a single place. > > > > > > also, don't mess with domain admins when setting permissions on these. > > Make > > > a separate group. I have locked myself out of things many times by > > screwing > > > up the permissions on a gpo and the domain admins group. > > > > > > > > > On 12/21/07, Jon Luchette < jon.e.luchette@xxxxxxxxx> wrote: > > > > > > > > I have one group of 3 citrix servers. I have created a separate OU > > > > for citrix servers and moved all 3 computer accounts into it. what I > > > > want to do is enforce two policies at this level. one for admins and > > > > > > one for non admins.if I create one policy for admins and set the > > read > > > > and apply group policy permission for their geoup in AD, and do the > > > > same for the non admins with another policy, will both groups apply > > > > their own user and computer settings or will just their user > > settings > > > > be unique? > > > > > > > > On 12/21/07, Greg Reese <gareese@xxxxxxxxx> wrote: > > > > > seperate the machines by OU and only link the policies you want > > applied > > > > to > > > > > OU you want them applied to. > > > > > > > > > > > > > > > > > > > > > > > > > On 12/21/07, Jon Luchette <jon.e.luchette@xxxxxxxxx> wrote: > > > > > > > > > > > > I want to enable different computer configuration settings for > > > > different > > > > > > groups of users in AD on some 2003 terminal servers. Is that > > > > possible? > > > > > > How? I know about loopback and everything, but that is mostly > > > > controlling > > > > > > how the user level GPOs are applied... > > > > > > > > > ************************************************ > > > > For Archives, RSS, to Unsubscribe, Subscribe or > > > > set Digest or Vacation mode use the below link: > > > > //www.freelists.org/list/thin > > > > ************************************************ > > > > > > > > > ************************************************ > > For Archives, RSS, to Unsubscribe, Subscribe or > > set Digest or Vacation mode use the below link: > > //www.freelists.org/list/thin > > ************************************************ > > > >