Actually, you can't set the "Apply Group Policy" permission on the local GPO, since it's only file-system based. You can only set the permissions available within NTFS (on %windir%\system32\grouppolicy). I think the special account approach is probably your best bet. BTW, not that it helps much today, but I believe MS is looking to support multiple local GPOs in Longhorn :-)
________________________________
From: [EMAIL PROTECTED] on behalf of Adams, Kenneth W (Ken)
Sent: Tue 6/21/2005 5:24 AM
To: [email protected]
Subject: RE: [ActiveDir] Lock down server not in a domain using GPO

You can set the policy permissions to allow the local administrator account to read but not apply the policy. Or, you can do what we do and create a special local account for policy administration and set that special account to read and not apply the policy.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, June 21, 2005 8:12 AM
To: [email protected]
Subject: [ActiveDir] Lock down server not in a domain using GPO

We have a terminal server we would like to use for clients to access some of our data that they need, and this server should be locked down so the clients can only do what they need. The problem is that management would rather this server not be a member of our domain, so we cannot use AD GPOs to lock the server down.

I looked into using local policies to lock down the machine, but found out that they would also affect the administrator account unless that group/account is denied 'read' permissions to the "..\system32\grouppolicy" folder. However, would this not deny editing of the policies in the folder as well?

It has been suggested that we create a new AD domain solely for use with this terminal server. Is this a good idea? I tend to think this is too much solution.

Can anyone make any suggestions on the best way to accomplish our goals?

Thank you in advance,
_________________________
Daniel DeStefano
PC Support Specialist
