A Group policy question

Does anybody know whre in GP editor(win 2003 server) you grant/deny users administrative previlage on their local pcs.??

Thank you in advance

Find more posts tagged with

Comments

rphann

I thought GP in Active Directory apply to domain user accounts. If you want to grant/deny users administrative privilege on the local pcs wouldn't you disable or apply them to the users/administrators group in Computer Management. Please tell me if I’m wrong.

canaan

I could be wrong but I think there's a way to grant users admin previlage on their pc client, using GP( even if they don't have a windows account on it.)

awaisyboy

group policy- domains
local policy - local computer

u create domain accounts on active directory...

changing ntfs/share permissions,setting up security policies requires GP on domain accounts.

If u want to stop adminstrators to stop logging into their own local machine..u have to do it on the local policy on the local machine as technically they dont need to log onto a domain to log into the local machine.

rphann

I agree with awaisyboy.

group policy - domain
local policy - local computer

So this should answer your question; you can't apply GP on a local user account.

keatron

In your computer configuration settings on the policy you're applying, go to local policies>user rights and look for "deny logon locally" and "logon locally". Here is where you can control this. If you deny logon locally, it forces the users to use a domain account to logon to the computer, which domain accounts, groups, and OU's are where you should be controlling permissions and access. This link to an excel sheet on Microsofts website gives a listing of all the GP settings available by default. However you should know that you can create your own also.
http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls
Here's the link

Users often bypass group policy settings by logging on locally. If they're forced to logn with a domain account, then they're forced to adhere to whatever settings group policy pushes down.

awaisyboy

keatron wrote:

In your computer configuration settings on the policy you're applying, go to local policies>user rights and look for "deny logon locally" and "logon locally". Here is where you can control this. If you deny logon locally, it forces the users to use a domain account to logon to the computer, which domain accounts, groups, and OU's are where you should be controlling permissions and access. This link to an excel sheet on Microsofts website gives a listing of all the GP settings available by default. However you should know that you can create your own also.
http://download.microsoft.com/download/a/a/3/aa32239c-3a23-46ef-ba8b-da786e167e5e/PolicySettings.xls
Here's the link

Users often bypass group policy settings by logging on locally. If they're forced to logn with a domain account, then they're forced to adhere to whatever settings group policy pushes down.

exactly, good explanation of how to do it.

canaan

Thanks guys for your replies. It was most helpful.

E Canaan