Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Hi,
spddemn@gmail.com schrieb:
> I am trying to GPO out access to the security settings tab on the C:, I
> have users that are local admins on there workstations as it is
> neccessary for one app we run.
Did your ever tried out "where" the missing permissions are?
Sysinternals filemon and regmon can filter the "access denied"
actions that occur by a user start of the program.
After that you can use Filestem und Registry inside the GPO
to adminstrate the local right on a client an give a usergroup
perhaps change or full permissions only on the section they need.
> But I do not want them accessing that security tab, Does
> anyone know where that GPO is? or how to go about it?
In XP there is a GPO, W2K doesnt have it.
XP: User\ADM Templates\Win-Components\Windows Explorer
"Remove "Security" Tab" (sounds like that ... sorry no engl. Version)
2000, set permissions on:
Filesystem: %systemroot%\system32\Rshx32.dll
Remove "Everyone" Read, add only your wanted group
Registry: CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
Remove "Everyone" Read, add only your wanted group
Easiest way to realize it: Take the GPO - Registry and Filesystem ...
If your are in this place of the GPO, you can figrue out, if the
Users really need local admin rights, because:
As a local Admin I can get back the permissions ... just use cacls,
xcacls.exe, xcacls.vbs, takeown, subinacl and a bunge of freeware
like setacl.exe to edit the security settings.
A Admin is a admin is a admin ...
Mark
--
Mark Heitbrink - MVP Windows Server
Homepage: www.gruppenrichtlinien.de
W2K FAQ :
http://w2k-faq.ebend.de
PM: Vorname@Homepage, Versende-Adresse wird nicht abgerufen.