Title: Message
You can set the policy permissions to allow the local administrator account to read but not apply the policy.  Or, you can do what we do and create a special local account for policy administration and set that special account to read and not apply the policy.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Tuesday, June 21, 2005 8:12 AM
To: [email protected]
Subject: [ActiveDir] Lock down server not in a domain using GPO

We have a terminal server we would like to use for clients to access some of our data that they need and this server should be locked-down so the clients can only do what they need. The problem is that management would rather this server not be a member of our domain so we cannot use AD GPOs to lock the server down. I looked into using local policies to lock down the machine, but found out that they would also affect the administrator account unless that group/account is denied ‘read’ permissions to the “..\system32\grouppolicy” folder. However, would this not deny editing of the policies in the folder as well?

It has been suggested that we create a new AD domain solely for use with this terminal server. Is this a good idea? I tend to think this is too much solution.

Can anyone make any suggestions on the best way to accomplish our goals?

Thank you in advance,

_________________________

Daniel DeStefano

PC Support Specialist
