Options

A Group policy question

canaancanaan Member Posts: 46 ■■□□□□□□□□
in Server 70-290
Does anybody know whre in GP editor(win 2003 server) you grant/deny users administrative previlage on their local pcs.??

Thank you in advance
· Share on FacebookShare on Twitter

Comments

  • Options
    rphannrphann Member Posts: 76 ■■□□□□□□□□
    I thought GP in Active Directory apply to domain user accounts. If you want to grant/deny users administrative privilege on the local pcs wouldn't you disable or apply them to the users/administrators group in Computer Management. Please tell me if I’m wrong.
    · Share on FacebookShare on Twitter
  • Options
    canaancanaan Member Posts: 46 ■■□□□□□□□□
    I could be wrong but I think there's a way to grant users admin previlage on their pc client, using GP( even if they don't have a windows account on it.)
    · Share on FacebookShare on Twitter
  • Options
    awaisyboyawaisyboy Member Posts: 75 ■■□□□□□□□□
    group policy- domains
    local policy - local computer

    u create domain accounts on active directory...

    changing ntfs/share permissions,setting up security policies requires GP on domain accounts.

    If u want to stop adminstrators to stop logging into their own local machine..u have to do it on the local policy on the local machine as technically they dont need to log onto a domain to log into the local machine.
    · Share on FacebookShare on Twitter
  • Options
    rphannrphann Member Posts: 76 ■■□□□□□□□□
    I agree with awaisyboy.

    group policy - domain
    local policy - local computer

    So this should answer your question; you can't apply GP on a local user account. icon_wink.gif
    · Share on FacebookShare on Twitter
  • Options
    keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    In your computer configuration settings on the policy you're applying, go to local policies>user rights and look for "deny logon locally" and "logon locally". Here is where you can control this. If you deny logon locally, it forces the users to use a domain account to logon to the computer, which domain accounts, groups, and OU's are where you should be controlling permissions and access. This link to an excel sheet on Microsofts website gives a listing of all the GP settings available by default. However you should know that you can create your own also.
    http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls
    Here's the link

    Users often bypass group policy settings by logging on locally. If they're forced to logn with a domain account, then they're forced to adhere to whatever settings group policy pushes down.
    http://resources.infosecinstitute.com/author/keatron
    · Share on FacebookShare on Twitter
  • Options
    awaisyboyawaisyboy Member Posts: 75 ■■□□□□□□□□
    keatron wrote:
    In your computer configuration settings on the policy you're applying, go to local policies>user rights and look for "deny logon locally" and "logon locally". Here is where you can control this. If you deny logon locally, it forces the users to use a domain account to logon to the computer, which domain accounts, groups, and OU's are where you should be controlling permissions and access. This link to an excel sheet on Microsofts website gives a listing of all the GP settings available by default. However you should know that you can create your own also.
    http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls
    Here's the link

    Users often bypass group policy settings by logging on locally. If they're forced to logn with a domain account, then they're forced to adhere to whatever settings group policy pushes down.

    exactly, good explanation of how to do it.
    · Share on FacebookShare on Twitter
  • Options
    canaancanaan Member Posts: 46 ■■□□□□□□□□
    Thanks guys for your replies. It was most helpful.

    E Canaan
    · Share on FacebookShare on Twitter
Sign In or Register to comment.