Admin Tip #131: Lockdown by group using Local Computer Policy



You want to begin using some of the power of Active Directory's Group Policy Objects (GPOs), but for any number of reasons Active Directory is not available. You have been experimenting with securing your Windows 2000 boxes using the Local Computer Policy. It is a lot easier and safer than registry hacks, but you quickly learn that any policies you set apply to everyone, including the administrator. That is almost never what you want. If %systemdrive% is NTFS, you can use NTFS file and directory permissions to get around this. The User policies in the Windows 2000 and Windows XP Local Computer Policy depend on read access to the %systemroot%\system32\GroupPolicy folder. The trick: deny read access to any group you do not want the local policies to apply to. This technique is limited in that you can only have two kinds of policy per system, applied or not applied, which doubles the default. You have to go to Active Directory GPOs to implement a fully featured security model.

This technique can be very useful in kiosk or shared PC environments. This tip is Windows 2000 and Windows XP compatible.

David sent me the following valuable addition:

However, I ran into a problem... I made %SystemRoot%\system32\GroupPolicy\ accessible by Administrator so I could run gpedit.msc and edit the policy file, and then would make the directory inaccessible by Administrator once I was done. However, some policies take effect as soon as you enable them, and I ended up locking myself out of the policy editor :)

If you go into Computer Configuration\Administrative Templates\System\Group Policy and enable "Turn off background refresh of Group Policy", then reboot, it makes using local policies a little easier. It won't enable policies until the user logs back in, so you don't screw up the Administrator account while logged on as it and mucking around with the policies.
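The following is an added PowerShell example, not part of the original tip or David's note, that scripts the ACL change the tip describes and the undo step David needed. It assumes a modern Windows host with PowerShell, an NTFS %SystemDrive%, an elevated prompt, and a local group name that already exists; the function names are my own. It deliberately denies only ReadData and ExecuteFile rather than the full Read right, so the denied group keeps ReadPermissions and an administrator can still inspect and reverse the ACE with the -Remove switch, even after shutting out the Administrators group.

```powershell
# Added example: toggle a Deny-Read ACE on %SystemRoot%\system32\GroupPolicy for
# one local group, so the Local Computer Policy's User settings stop applying to
# that group's members. Assumes an elevated prompt and an NTFS system drive.

function Set-GroupPolicyReadDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Group to shut out, e.g. 'BUILTIN\Administrators' or a custom local group
        [Parameter(Mandatory)] [string] $Group,
        # Remove the deny ACE again (the step needed before editing with gpedit.msc)
        [switch] $Remove
    )

    $path = Join-Path $env:SystemRoot 'system32\GroupPolicy'
    if (-not (Test-Path -LiteralPath $path)) {
        throw "GroupPolicy folder not found at $path (no local policy has been saved yet)"
    }

    # Deny only ReadData + ExecuteFile (ListDirectory + Traverse on folders), inherited
    # by everything under GroupPolicy. ReadPermissions is left alone on purpose so
    # the ACL stays readable and this change stays reversible by an administrator.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]'ReadData, ExecuteFile',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )

    $acl = Get-Acl -LiteralPath $path
    if ($Remove) {
        # Drops every Deny ACE for this identity, whatever rights it carried
        $acl.RemoveAccessRuleAll($rule)
    } else {
        $acl.AddAccessRule($rule)
    }

    $action = if ($Remove) { 'Remove' } else { 'Add' }
    if ($PSCmdlet.ShouldProcess($path, "$action Deny-Read ACE for $Group")) {
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Get-GroupPolicyReadDeny {
    # Lists the Deny ACEs on the folder so you can confirm who is shut out
    # before you log off, rather than finding out at the next logon.
    $path = Join-Path $env:SystemRoot 'system32\GroupPolicy'
    (Get-Acl -LiteralPath $path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Usage: keep the local policy off the Administrators group, verify, and later
# lift the deny again when you need to edit the policy with gpedit.msc.
# Set-GroupPolicyReadDeny -Group 'BUILTIN\Administrators' -WhatIf   # dry run first
# Set-GroupPolicyReadDeny -Group 'BUILTIN\Administrators'
# Get-GroupPolicyReadDeny
# Set-GroupPolicyReadDeny -Group 'BUILTIN\Administrators' -Remove
```

Because some settings take hold as soon as the policy file is saved, make the deny the last thing you do in the session, run -WhatIf before the real change, and apply it to the group you want exempted (the administrators) rather than to the kiosk users the policy is meant to constrain.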