windows 2000 security help

[mchang0]

I'm trying to set policies for computers in a computer lab for Windows 2000. When ever I restrict the desktop settings under the student account, it restricts it on the administrator account. Is there a way to just restrict the student account?

Basically, it's a computer lab for a YMCA. There's a student account, administrator account, and 2 supervisor accounts. I want the student account severely restricted, like no changing settings/ access to folders where they can delete files.

obviously I want the administrator account to be able to have full privilages. And the other 2 accounts to have somewhat restricted privilages.

Thanks,
Michael Chang

 

[Nothinman]

There's no straight forward way to do this without AD that we could find, sort of MS pushing you to buy more sh!t from them.

But if you do this it works well:

Create a new account called PolicyAdmin, this will be used to change any of the policies later on.
Deny Administrator any access to the folder containing the policy files (can't remeber the path off hand, but I can get it for you if you don't know it)
Allow PolicyAdmin full rights to the folder containing the policy files

Since Administrator can't read the policy files they won't be in place for him, to change the policies with PolicyAdmin use the "Run As" feature in Win2K.

 

[SaigonK]

This is a "feature", you cant push policies to one user specifically in 2k...it's all or nothing.
YOu need to be using Active Directory to push single user policies to indivudal users.
There is a wa y to assign policies like under Windows NT 4 but i have not used it much since we use Novell and we can push to individual users/objects without issue.