Sign in with
Sign up | Sign in
Your question

How do I Lock-out GPO to Clients

Last response: in Windows 2000/NT
Share
Anonymous
December 29, 2004 8:11:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

I need to lock-out a client with Admin rights from modifing the GPO or audit
his modification to GPO. I been seeing modifications to the GPO that is
strange. Is there a way toy to find out who is modidifing the GPO.

More about : lock gpo clients

Anonymous
December 29, 2004 10:51:04 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

if you want to prevent an admin from managing GPOs, then don't make them an
admin.
It does not matter if you set specific deny ACLs on GPOs. The admin can
take ownership of the object and grant herself access.
You can audit policy change. But the admin can stop auditing or can cover
her tracks by deleting the audit events in the security log.
It is pointless to go down this path. untrusted users should not be
administrators.

--
Glenn L
CCNA, MCSE 2000/2003 + Security

"DanielM" <DanielM@discussions.microsoft.com> wrote in message
news:D 7430169-9C9C-4FD8-B105-226034A139B2@microsoft.com...
> Hi
>
> I need to lock-out a client with Admin rights from modifing the GPO or
> audit
> his modification to GPO. I been seeing modifications to the GPO that is
> strange. Is there a way toy to find out who is modidifing the GPO.
>
>
!