PDA

View Full Version : Editing gpedit.msc for Certain users only

reginalimys@gmail.com
10-25-2005, 10:18 AM
Hi all,

I need to configre my Win2k Stnd Server to Remove the Run menu from the
Start Menu. But editing this in gpedit.msc will applies to all user who
login to that server. Does this include adminstrator? And how can I
restrict this just for certain users or a group of users?

Thanks in advance!

Regards,
Regina Lim
Paul Hinsberg
10-25-2005, 05:34 PM
You have a couiple of options:

1) You could create a separate OU and put the Administrators in that OU. In
that OU create a policy that specifically couteracts the one that you have
created for the rest of the domain. The policy on the OU will overwrite the
policy on the Domain.

2) Create a policy whose only change is to remote the Run Menu. Apply it to
the domain so that you now have two policies - Default Domain Policy and
Remove Menu Policy. Then adust the permissions on the Remove Menu Policy so
that Administrators cannot read/apply it. Then, the policy will not apply to
them.

As a suggestion, I would use the Group Policy Manager (downloaded from
www.microsoft.com/downloads) so that you can test the applied policies and
manage the multiple policies a little easier.

Paul Hinsberg, MCSE

<reginalimys@gmail.com> wrote in message
news:1130231924.804062.99460@g49g2000cwa.googlegroups.com...
> Hi all,
>
> I need to configre my Win2k Stnd Server to Remove the Run menu from the
> Start Menu. But editing this in gpedit.msc will applies to all user who
> login to that server. Does this include adminstrator? And how can I
> restrict this just for certain users or a group of users?
>
> Thanks in advance!
>
> Regards,
> Regina Lim
>
reginalimys@gmail.com
10-26-2005, 08:10 AM
Hi all,

Thanks for the reply. Sorry for not being clear.

What I want to achieve is when groupABC (domain group) login to
serverXYZ
(server is on the domain), the RUN option is not available on the Start
Menu.

Any other users or group who login to serverXYZ will be able to see the
RUN option.

But when groupABC login to any other servers on the network, the RUN
option will still be available for them.

Policy is we cannot use local group and this server has to be part of
the domain.

Hope I am clearer this time.

Thank you!

Regards,
Regina Lim

Paul Hinsberg wrote:
> You have a couiple of options:
>
> 1) You could create a separate OU and put the Administrators in that OU. In
> that OU create a policy that specifically couteracts the one that you have
> created for the rest of the domain. The policy on the OU will overwrite the
> policy on the Domain.
>
> 2) Create a policy whose only change is to remote the Run Menu. Apply it to
> the domain so that you now have two policies - Default Domain Policy and
> Remove Menu Policy. Then adust the permissions on the Remove Menu Policy so
> that Administrators cannot read/apply it. Then, the policy will not apply to
> them.
>
> As a suggestion, I would use the Group Policy Manager (downloaded from
> www.microsoft.com/downloads) so that you can test the applied policies and
> manage the multiple policies a little easier.
>
> Paul Hinsberg, MCSE
>
> <reginalimys@gmail.com> wrote in message
> news:1130231924.804062.99460@g49g2000cwa.googlegroups.com...
> > Hi all,
> >
> > I need to configre my Win2k Stnd Server to Remove the Run menu from the
> > Start Menu. But editing this in gpedit.msc will applies to all user who
> > login to that server. Does this include adminstrator? And how can I
> > restrict this just for certain users or a group of users?
> >
> > Thanks in advance!
> >
> > Regards,
> > Regina Lim
> >
Kevin D. Goodknecht Sr. [MVP]
10-27-2005, 12:58 PM
reginalimys@gmail.com wrote:
> Hi all,
>
> Thanks for the reply. Sorry for not being clear.
>
> What I want to achieve is when groupABC (domain group) login to
> serverXYZ
> (server is on the domain), the RUN option is not available on the
> Start Menu.
>
> Any other users or group who login to serverXYZ will be able to see
> the RUN option.
>
> But when groupABC login to any other servers on the network, the RUN
> option will still be available for them.
>
> Policy is we cannot use local group and this server has to be part of
> the domain.

Create a new OU in ADU&C, then create a a new Group Policy for this OU that
removes the Run from the start menu, then move these users to this OU. The
only deal is, this policy will apply to any machine they login on.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
reginalimys@gmail.com
10-31-2005, 03:47 AM
Hi Kelvin,

That's the prob. It's only for some machine and not all the servers
they login to.

Maybe the next version of Windows can rectify this :-)

Regards,
Regina Lim

Kevin D. Goodknecht Sr. [MVP] wrote:
> reginalimys@gmail.com wrote:
> > Hi all,
> >
> > Thanks for the reply. Sorry for not being clear.
> >
> > What I want to achieve is when groupABC (domain group) login to
> > serverXYZ
> > (server is on the domain), the RUN option is not available on the
> > Start Menu.
> >
> > Any other users or group who login to serverXYZ will be able to see
> > the RUN option.
> >
> > But when groupABC login to any other servers on the network, the RUN
> > option will still be available for them.
> >
> > Policy is we cannot use local group and this server has to be part of
> > the domain.
>
> Create a new OU in ADU&C, then create a a new Group Policy for this OU that
> removes the Run from the start menu, then move these users to this OU. The
> only deal is, this policy will apply to any machine they login on.
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
reginalimys@gmail.com
10-31-2005, 03:47 AM
Hi Kelvin,

That's the prob. It's only for some machine and not all the servers
they login to.

Maybe the next version of Windows can rectify this :-)

Regards,
Regina Lim

Kevin D. Goodknecht Sr. [MVP] wrote:
> reginalimys@gmail.com wrote:
> > Hi all,
> >
> > Thanks for the reply. Sorry for not being clear.
> >
> > What I want to achieve is when groupABC (domain group) login to
> > serverXYZ
> > (server is on the domain), the RUN option is not available on the
> > Start Menu.
> >
> > Any other users or group who login to serverXYZ will be able to see
> > the RUN option.
> >
> > But when groupABC login to any other servers on the network, the RUN
> > option will still be available for them.
> >
> > Policy is we cannot use local group and this server has to be part of
> > the domain.
>
> Create a new OU in ADU&C, then create a a new Group Policy for this OU that
> removes the Run from the start menu, then move these users to this OU. The
> only deal is, this policy will apply to any machine they login on.
>
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
SIME U via WinServerKB.com
10-31-2005, 11:39 PM
Hi

Is it not possible to use security filtering the GPMC to filter the policy to
just one group (groupABC) and then link the policy to the OU wit only
serverXYZ in?

What am I missing?

S

reginalimys@gmail.com wrote:
>Hi Kelvin,
>
>That's the prob. It's only for some machine and not all the servers
>they login to.
>
>Maybe the next version of Windows can rectify this :-)
>
>Regards,
>Regina Lim
>
>> > Hi all,
>> >
>[quoted text clipped - 40 lines]
>> http://www.oehelp.com/OEBackup/Default.aspx
>> ===================================


--
Message posted via http://www.winserverkb.com