January 13th, 2003, 10:13 PM
Security settings for users in W2K
Lately we have been given the task of locking down stand-alone W2K Pro boxes. The catch is that the admin account must retain full access while the user account has the defined restrictions imposed.
In the past, I have used POLEDIT to achieve this but I can see by the design of the MS Group Policy Editor that this will not be so easy.
So far, I went to Microsoft, who gave me a TechNet article which describes how to shift the Registry.pol file around to achieve what I need. This has failed. I found several edited versions of this doc, all of which have also failed.
After screaming about this for a while, I decided to manually edit the user's hive and found that this does work. I had to make the user an admin so that I could add keys and then I went on my merry way locking down the user. At the end of this exercise, I removed admin rights on the user account and everything was set.
Now, does anyone know of a utility that will do this for me? Something that has the power of Group Policy Editor yet will work on local users (Local Policy Editor, if you will). I know that Microsoft does not have one and I haven't seen one on the web. If no one has a lead on this, I think I will write my own and post a link to it, as this has burnt about 6 hours of my time. Oh yes, I did export this registry so that I can use it to build an app that will allow me to do this with a nice HTML front end with checkboxes and such. I will be using Perl to build the backend.
Any thoughts would be most welcome.
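The approach the first post found to work (writing policy values into the restricted user's own hive, so the administrator's profile is never touched) and the tool planned around it (checkboxes in front, a script writing the registry behind) can be sketched as follows. This Python script is an added illustration of such a backend; it is not the poster's tool (which was to be written in Perl) and not a Microsoft utility. The SID is constructed, the catalogue of policy value names is our own selection (they are documented per-user policy values under Software\Microsoft\Windows\CurrentVersion\Policies in a user's hive), and importing the generated file assumes the target user's hive is loaded under HKEY_USERS (the user is logged on, or the hive was loaded with regedt32's Load Hive). The audit functions let the admin confirm, before importing, that the file only reaches into the one intended hive.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Checkbox catalogue: value name -> (subkey under the user's hive, description).
# The value names are documented Windows per-user policy values; which ones
# to offer is our own (hypothetical) choice for the example.
POLICIES = {
    "NoRun": (EXPLORER, "Remove the Run command from the Start menu"),
    "NoControlPanel": (EXPLORER, "Block access to Control Panel"),
    "NoClose": (EXPLORER, "Remove Shut Down from the Start menu"),
    "DisableRegistryTools": (SYSTEM, "Prevent use of regedit/regedt32"),
    "DisableTaskMgr": (SYSTEM, "Disable Task Manager"),
}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def build_reg(sid, enabled):
    """Return .reg text applying the checked policies to ONE user's hive.

    Keys are written under HKEY_USERS\\<sid>, never HKEY_CURRENT_USER, so the
    file can be imported from the administrator's session without changing
    the administrator's own profile. Unchecked policies are deleted ("=-").
    """
    if not SID_RE.match(sid):
        raise ValueError("not a user SID: %r" % sid)
    unknown = set(enabled) - set(POLICIES)
    if unknown:
        raise ValueError("unknown policy names: %s" % sorted(unknown))
    by_key = {}
    for name, (subkey, _desc) in POLICIES.items():
        by_key.setdefault(subkey, []).append(name)
    lines = [REG_HEADER, ""]
    for subkey in sorted(by_key):
        lines.append("[HKEY_USERS\\%s\\%s]" % (sid, subkey))
        for name in sorted(by_key[subkey]):
            if name in enabled:
                lines.append('"%s"=dword:00000001' % name)
            else:
                lines.append('"%s"=-' % name)
        lines.append("")
    return "\r\n".join(lines)  # regedit expects CRLF line endings


def parse_reg(text):
    """Parse the .reg subset used above: [key] headers, "name"=dword:hex
    values and "name"=- deletions. String/binary values and default (@)
    values are rejected rather than silently misread."""
    if not text.lstrip().startswith(REG_HEADER):
        raise ValueError("missing .reg header")
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|(-))$', line)
        if not m or key is None:
            raise ValueError("unsupported line: %r" % raw)
        name, hexval, deleted = m.groups()
        result[key][name] = None if deleted else int(hexval, 16)
    return result


def keys_outside_hive(text, sid):
    """Keys in the file that are NOT under HKEY_USERS\\<sid>. Anything listed
    here would alter another profile or the machine, so an importer should
    refuse the file instead of applying it."""
    prefix = ("HKEY_USERS\\%s\\" % sid).lower()
    return [k for k in parse_reg(text) if not k.lower().startswith(prefix)]


def enabled_policies(text, sid):
    """Catalogued policies switched on (dword 1) for the given SID's hive."""
    prefix = ("HKEY_USERS\\%s\\" % sid).lower()
    on = set()
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        subkey = key[len(prefix):]
        for name, val in values.items():
            if name in POLICIES and POLICIES[name][0].lower() == subkey.lower() and val == 1:
                on.add(name)
    return on


if __name__ == "__main__":
    demo_sid = "S-1-5-21-1111111111-2222222222-3333333333-1005"  # constructed, not a real account
    text = build_reg(demo_sid, {"NoRun", "DisableTaskMgr"})
    print(text)
    print("keys outside target hive:", keys_outside_hive(text, demo_sid))
    print("enabled:", sorted(enabled_policies(text, demo_sid)))
```

Generate the file from the checkbox selection, run `keys_outside_hive` on it (an empty list is the only acceptable answer), then import it with regedit while the user's hive is loaded; the administrator's HKEY_CURRENT_USER is untouched because the file never names it.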
January 14th, 2003, 12:22 AM
Hey thehorse13. It sounds like you have taken on a neat little project there. I wish I had the patience and the programming knowledge to do so. Now, I was thinking that there is a Local Policy snap-in for the mmc that will allow you to modify the configuration for particular users or for the whole machine. If you type "mmc" from a run prompt, then add the Local Security Policy snap-in from the list of choices, you should be able to get to it from the console. I don't know whether this is in Admin Tools by default, but you could check. If you don't have the Admin Tools in your start menu (which they aren't by default, I believe), then you can right-click any blank space on your toolbar and choose properties. Then, there should be an option to check a box for Admin tools to appear in the programs. It may be in the second tab at the top of the dialog box. I am on an XP machine right now, so I am not altogether sure. Another suggestion would be to install the resource kit for pro and/or server to see if there is a tool of the nature of which you seek. I hope this helps. Take care.
Opinions are like holes - everybody's got 'em.
January 14th, 2003, 02:14 AM
Run: mmc -> "Console" -> "Open" -> browse to %systemdir% (c:\winnt\system32) -> open "gpedit.msc"
And there you have it all! Much easier to manage than poledit, and more options too...
Credit travels up, blame travels down -- The Boss
January 14th, 2003, 10:16 AM
You can still download poledit (all Windows versions) right here.
You can download templates here.
January 14th, 2003, 11:06 AM
Thanks for all the input.
I started out using the local policy editor but it lacked some lockdown features that were outlined. I also tried the old school Policy Editor and Group Policy Editor. Both did not yield the desired results because the changes, although assigned to users, carried over to the Admin account too.
The templates (inf files) are all very good starting points. The Center for Internet Security has a few that are ramped up to NSA specs. They also have a nice baseline security analyzer much like Micro$oft's. Putting this on the box was no problem at all.
Well I think I may have to develop a little tool for now. When I'm finished, I'll throw a link up here.
Well, now I'm off to yell at Cisco since they broke the ActiveX filter in their latest update for the PIX firewall. It is always nice to tell their engineers what they broke! :-) Oh yeah, did I mention that it blocks half the ActiveX controls for Windows Update??!! The end result is that you get a nag screen from Micro$oft that says that Windows Update is for Admin use only even though the Admin is logged on. HAHA.
Thanks again for the comments and suggestions.
January 15th, 2003, 09:32 AM
How to apply policies to all local users except Administrator
Also, if you take away the read rights to the policy files for Administrator, he can't read the policy, therefore it does not apply.
January 15th, 2003, 11:40 AM
I'll give this a try.