Monday, June 27, 2011

How to Use and Apply Group Policy to Limited Accounts Windows computer?

So I know how to access Group Policy in Windows. When I change things in there, like removing display settings from the control panel, they are only applied to the account that I accessed the gpedit.msc from, i.e. the admin account. They don’t rollover to the limited account, where I want them to be applied.
Also, is there a Group Policy that allows the limited account to repair a network connection, or is there a way to enable that setting from the limited account? I tried a batch file but the limited account doesn’t have the rights to do it.
First you have to give windows version.A user can be an administrator on a local machine without being a domain administrator.However, by default domain administrators are added to the local administrators group of the computers that belong to the domain. Domain controllers (Windows 2000 servers or Windows Server 2003 computers) don’t have functional local administrator accounts; a local administrator account is created when you set up the server, but is disabled when it is promoted to DC. Domain controllers are administered by members of the domain administrators group.
Some applications require that you be logged on as a local administrator to run them. When giving users administrative rights for this purpose, be sure you give them only local administrative rights; do not make them domain admins. You can add users’ Active Directory accounts to the local administrators group via a logon script or by using Restricted Groups for instructions on how to do this:
1. Start Active Directory Users and Computers, right-click the organizational
unit, and then click Properties.
2. Click the Group Policy tab, click NEW, and then name the policy.
3. Click the policy, and then click Edit.
4. Right-click Restricted Groups (under Computer Configuration\Windows
Settings\Security Settings\Restricted Groups), and then click Add Group.
5. Click Browse. Focused on the local computer, click the group to which you
want your global group to be a member (in this case, the "Administrators"
group), click ADD, and then click OK. You are returned to the group policy
and you see the administrators group listed in the Restricted Groups window.
Right-click the group, and then click Security.
6. To the right side of the Members of this Group box, click ADD, and then
click Browse.
7.Locate the group in the organizational unit that you want to place in the
administrators group, and then add it the group. After you do so, close the
group policy.
At a command prompt, type gpupdate /force, and then press ENTER.
In Windows Vista and later you can apply policies only to a specific account, but you have to load the group policy object editor from the Microsoft Management Console, not by opening the snapin directly.
1.Open mmc.exe
2.When the MMC console opens, click "File" -> "Add/remove snapin"
3.Select "Group Policy Object Editor" and click the "Add >" button
4.In the dialog which appears, click "Browse".
5.Click the "users" tab and select a user.
6.Click "OK", then "Finish", then "OK" again
You will now have a group policy user object for the selected user. Apply whatever restrictions you want. You may be interested in checking out "Hide these specified drives in My Computer" in User Configuration > Administrative Templates > Windows Components > Windows Explorer
You would have to makes these group policy changes from an administrator account, not from the limited account. So, if you forgot Windows admin password, you can not do changes with the group policy.
Of course, from this group policy settings, you can also reset your  Windows password with ease with the administrative account and password.

No comments:

Post a Comment