How do I Lock-out GPO to Clients

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi

I need to lock-out a client with Admin rights from modifing the GPO or audit
his modification to GPO. I been seeing modifications to the GPO that is
strange. Is there a way toy to find out who is modidifing the GPO.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

if you want to prevent an admin from managing GPOs, then don't make them an
admin.
It does not matter if you set specific deny ACLs on GPOs. The admin can
take ownership of the object and grant herself access.
You can audit policy change. But the admin can stop auditing or can cover
her tracks by deleting the audit events in the security log.
It is pointless to go down this path. untrusted users should not be
administrators.

--
Glenn L
CCNA, MCSE 2000/2003 + Security

"DanielM" <DanielM@discussions.microsoft.com> wrote in message
news7430169-9C9C-4FD8-B105-226034A139B2@microsoft.com...
> Hi
>
> I need to lock-out a client with Admin rights from modifing the GPO or
> audit
> his modification to GPO. I been seeing modifications to the GPO that is
> strange. Is there a way toy to find out who is modidifing the GPO.
>
>