How do I apply restrictions on users except the administrator?

[Antoneo]

I am trying to use gpedit.msc to restrict my brother's account from certain things (ie. control panel) but have trouble doing so. I am running WindowsXP and last time I tried to do something like this was on my Win2k machine with disastrous results (I locked myself out). That wasn't much fun and now a few months later but still a newbie because I gave up on tinkering around with windows, I am back to managing user accounts on my new rig.

Ok, I am trying to apply certain settings to this computer only (not in a domain) and would like to do them without applying those restrictions on the administrator account as well. How do I do this? I am sure it involves gpedit.msc but can't seem to figure out how to do it to all the accounts EXCEPT the administrator. What is the difference between policies and profiles? Do I have to tinker with the registry as well?

TIA

 

[kursplat]

the help system (press F1 for help) for XP is very good for this type of thing. took alittle work but i've been able to figured out how to set permissions for 3 other people without too much trouble.
good luck

 

[NogginBoink]

Deny read and apply permissions to the GPO to the Administrators and/or Domain Administrators group.

 

[Antoneo]

Uhm well windows' help didn't do much good.

Deny read and apply permissions to the GPO to the Administrators and/or Domain Administrators group.

Sorry if I sound like an idiot but deny read permission to a certain file? if so where?

 

[kursplat]

open: control panel\administrative tools\local security policy. open the help menu at the top of the window. help topics should give you a good basis for what your trying to do.
good luck

 

[farmercal]

Why don't you just assign him a limited account. That's what I made son's account and he doesn't have the permissions needed to change anything like he did when he was an administrator account. Which means he can't go in and change my password again and lock me out of my acccount!

 

[Kobe08]

How do you assign a limited account?????

 

[NogginBoink]

Originally posted by: MistaEng
Uhm well windows' help didn't do much good.

Deny read and apply permissions to the GPO to the Administrators and/or Domain Administrators group.

Sorry if I sound like an idiot but deny read permission to a certain file? if so where?

No, permissions to the group policy object itself. The GPO should have a permissions tab.

 

[Antoneo]

Originally posted by: farmercal
Why don't you just assign him a limited account. That's what I made son's account and he doesn't have the permissions needed to change anything like he did when he was an administrator account. Which means he can't go in and change my password again and lock me out of my acccount!

Well, it is already a limited account, its just that I want to limit it even further.

Kobe08: You log in as administrator and go to the user accounts icon found in the control panel and change the user(s) from administrator to limited.

NogginBoink: I'll try that tonight, thanks.

 

[Kobe08]

Thanks MistaEng! 😀

 

[NogginBoink]

Aha! Found a good reference.

See the section "How to Filter the Scope of Group Policy According to Security Group Membership" of Q322176.

 

[Antoneo]

Thanks NogginBoink however the directions doesn't seem to work. Here is what I did:

Logged into my administrator account.
Clicked Start>Run
Typed in "gpedit.msc" and clicked "OK"

Now, when I right click on the root and click "properties" there is no such security tab... am I missing something here?

Can I just deny read permissions for administrator to the gpo folder?

Argg... sorry if I don't follow.

EDIT: Hmm... seems like I am opening up the local gpo... do I have to create a new gpo (as a standalone snap in) for each user and edit from there?

 

[Antoneo]

Hmm.. well it seems I don't have Active Directory (don't see it in my administrative tools)... is that a problem?

One method does seem to work however... I denied full control to the "%root/system32/Group Policy" folder after I fiddled with gpedit.msc and now only the settings apply to all users accept the administrator.

One drawback is that I can't control each account separately... 🙁