Hi Guys,
I want to touch on the Subject of Group Policies. More notably the Local Policies.
I am busy setting up some workstation machines for a shop. My idea is to severely limit the cashiers access to various features in Windows. GPO's for the local machine are perfect for this, however if you ever want to change something or try fix something, you would need to log out, and log back in as the administrator. I would like to however, try do something like that within the cashiers user account.
My idea is to be able to use the "run as" command on a saved console session. Then load up a template to allow privileges back, then once done fixing the issue load my normal template back in. I know that you can have templates on machines, however the settings that are available in the Security and Template manager, are not the same of those from the GPO.
Do you guys have any idea how i can achieve what i am describing?
Local Group Policies.
Re: Local Group Policies.
You cant, But read on 
Below is 'to my knowledge' and not facts
Microsoft wants you to buy a Windows Server setup with Active directory as a DC, and what you want to do is what you pay for.
These Template/settings you apply to computers in a DC environment, all they are is a bunch of registry settings which windows desktop machines act on.
If a user's PC had admin rights you can counter GPOs
E.G The admin forces your Internet Explorer to use proxy settings. You can either manually change the registry to not use the admin's settings or just change it
back in IE itself but then your PC polls the DC again and updates the settings running a 'gpupdate' command in the background.
as simple as that, and unfortunately when your PC is not connected to a DC the local security policies does not have all the features. (It does but its not available to the User ,but wil still act on them if you had to implement these setting in the registry.)
Actually these settings are only available on the DC server for security reasons.
But you do get utilities that can apply GPO .ADM templates to your local PC's but these are all thirdparty I.E http://www.petri.co.il/adding_new_admin ... to_gpo.htm its called GPMC works on both server 2003 and XP (Does not work on 7 just checked)
I recall using a tool like this in the past cant remember if it was this or not.
I would just create my own registry restrictions in one .Reg file.
One that restricts and one that allow
http://www.pctools.com/guides/
Is a huge database of handy registry hacks.
Hope this helped
Below is 'to my knowledge' and not facts
Microsoft wants you to buy a Windows Server setup with Active directory as a DC, and what you want to do is what you pay for.
These Template/settings you apply to computers in a DC environment, all they are is a bunch of registry settings which windows desktop machines act on.
If a user's PC had admin rights you can counter GPOs
E.G The admin forces your Internet Explorer to use proxy settings. You can either manually change the registry to not use the admin's settings or just change it
back in IE itself but then your PC polls the DC again and updates the settings running a 'gpupdate' command in the background.
as simple as that, and unfortunately when your PC is not connected to a DC the local security policies does not have all the features. (It does but its not available to the User ,but wil still act on them if you had to implement these setting in the registry.)
Actually these settings are only available on the DC server for security reasons.
But you do get utilities that can apply GPO .ADM templates to your local PC's but these are all thirdparty I.E http://www.petri.co.il/adding_new_admin ... to_gpo.htm its called GPMC works on both server 2003 and XP (Does not work on 7 just checked)
I recall using a tool like this in the past cant remember if it was this or not.
I would just create my own registry restrictions in one .Reg file.
One that restricts and one that allow
http://www.pctools.com/guides/
Is a huge database of handy registry hacks.
Hope this helped
_̴ı̴̴̡̡̡ ̡͌l̡̡̡ ̡͌l̡*̡̡ ̴̡ı̴̴̡ ̡̡͡|̲̲̲͡͡͡ ̲▫̲͡ ̲̲̲͡͡π̲̲͡͡ ̲̲͡▫̲̲͡͡ ̲|̡̡̡ ̡ ̴̡ı̴̡̡ ̡͌l̡̡̡
Re: Local Group Policies.
Hi,
Thanks for you reply dude. I am rather surprised to find one
Well I managed to do a work around.
Those ADM files are for older windows ADMX files are templates that you load into the Group Policy management Console in Win 7 and Vista. They basically make more registry settings available to you, and are normally program specific (for example Media Player and Internet Explorer) I unfortunately did not have any luck this route, and could not load anything in....
Local Policies, are ignored when connected to the domain, but you see i use these computers in a store, 2 PC's nothing else. So i have no domain. I also agree that they obviously not nearly as powerful as those of the Domain policies, but they still do the trick.
Ok so, some things to note,
-Windows Vista introduced the ability to apply these local Policies per user, and not for the machine (Every user affected)
-All these Policy changes are kept in a .pol file which you can find in 'c:\windows\system32\Group Policies\user code\' (ok somewhere in there, i am not at work so i cannot get the exact path, but you should find it easy enough.
What i did, is i made a copy of that policy file when it had all the default settings, i then went and configured all that i needed to, and made a copy of that file. you can copy these files into another folder on your c drive.
I then made a bat file that copies one of these files into the proper Group Policy directory, and then the next line is GPUpdate. One thing i did note, is unfortunately not everything gets updated (especially if you reverting back to the default settings). A restart is required to bring everything to normal. Once your done you use another bat file that puts the restricted policy file back into the directory and gpudates.
I admit there is some bugs to work out, such as it would be nice not to restart sometimes, but this already helps me a lot to restrict users, and logging in remotely to do admin work, if i need to.
Excuse my typing and my sentence construction, i typed this while half asleep in a rush to get to work thanks again for the reply!
Regards,
Stuart (oops i mean Cupis)
Thanks for you reply dude. I am rather surprised to find one
Well I managed to do a work around.
Those ADM files are for older windows ADMX files are templates that you load into the Group Policy management Console in Win 7 and Vista. They basically make more registry settings available to you, and are normally program specific (for example Media Player and Internet Explorer) I unfortunately did not have any luck this route, and could not load anything in....
Local Policies, are ignored when connected to the domain, but you see i use these computers in a store, 2 PC's nothing else. So i have no domain. I also agree that they obviously not nearly as powerful as those of the Domain policies, but they still do the trick.
Ok so, some things to note,
-Windows Vista introduced the ability to apply these local Policies per user, and not for the machine (Every user affected)
-All these Policy changes are kept in a .pol file which you can find in 'c:\windows\system32\Group Policies\user code\' (ok somewhere in there, i am not at work so i cannot get the exact path, but you should find it easy enough.
What i did, is i made a copy of that policy file when it had all the default settings, i then went and configured all that i needed to, and made a copy of that file. you can copy these files into another folder on your c drive.
I then made a bat file that copies one of these files into the proper Group Policy directory, and then the next line is GPUpdate. One thing i did note, is unfortunately not everything gets updated (especially if you reverting back to the default settings). A restart is required to bring everything to normal. Once your done you use another bat file that puts the restricted policy file back into the directory and gpudates.
I admit there is some bugs to work out, such as it would be nice not to restart sometimes, but this already helps me a lot to restrict users, and logging in remotely to do admin work, if i need to.
Excuse my typing and my sentence construction, i typed this while half asleep in a rush to get to work
thanks again for the reply!Regards,
Stuart (oops i mean Cupis)
