;) |
|
|
| Aug 04, 2002 | a newsletter from TechTarget |
|
|
Windows 2000 in the Enterprise: Technology strategies in action
|
|
|
|
|
|
Step-by-step guide: Filter to prevent administrator lockouts
by John Heuglin, Win2k and XP instructor, Louisville Technical Institute
"Help! I've locked myself out! What can I do?" That's one of the most frequently-asked questions in the SearchWindowsManageability's Ask the Expert mailbox. Don't get smug; it could happen to you.
Picture this: you are in workgroup or stand-alone environment where many users share a computer, and you need to place the computer on "lock down." For example, you want to remove the "Run" command. So, you log on as the administrator, open the local Group Policy and make the necessary change to remove the "Run" command. You log off, and go about your business. A few days later, you log on to the "locked down" computer and notice that you, the administrator, do not have the "Run" command. How can this be? You are the administrator, aren't you?
| S P O N S O R E D B Y : NetIQ |
|
|
Security Workshops from Microsoft and NetIQ!
Are you equipped to proactively defend your enterprise against threats from
malicious hackers attempting to break into your data center? Join Microsoft and
NetIQ, the Elite Force in Enterprise Security, to get the hand-to-hand tactics you
need to fight dangerous hacker exploits during our technical workshop series,
Digital Crime Prevention Labs.
Register before 8/15 to receive the $100 early bird discount!
|
|
The steps below will work with Windows 2000 and XP to help "filter" the administrator (or anyone else you choose) from being affected by the local Group Policy.
- Log on as the administrator.
- Click START>>>RUN and enter "GPEdit.MSC" - this will open the local Group Policy.
- Configure the appropriate Computer and User settings to "lock down" the machine (i.e. - Remove the Run command).
- Close the Policy window.
- In Windows Explorer, Right Click on "%systemroot%System32GroupPolicygpt.ini" and select Properties.
- Select the Security tab.
- Select the "Administrators" group in the Access Control List (ACL).
- Select the "Deny" box for Full Control and select OK.
- Log off/Log on as the administrator.
Once this task is completed, the administrator will no longer be affected by the local GPO, but all other users will. However, because you have denied yourself permission to read the local GPO, you cannot edit in the local Group Policy on the fly. You must go back in and uncheck the "Deny" permissions on the gpt.ini file prior to making changes to the local Group Policy.
About the author: John Heuglin is Microsoft Windows XP Professional and Windows 2000 Server Instructor at Louisville Technical Institute in Louisville, Ky. He holds N+, CNE, MCP+I, MCSA, MCSE(NT4/2K) and MCT certifications.
Do you have a Windows management or administration tip or shortcut to contribute to our new Step-by-Step Guide series? Then please send it to [EMAIL PROTECTED].
|
|
