Hi,
I am trying to GPO out access to the security settings tab on the C:, I
have users that are local admins on there workstations as it is
neccessary for one app we run.
Did your ever tried out "where" the missing permissions are?
Sysinternals filemon and regmon can filter the "access denied"
actions that occur by a user start of the program.
After that you can use Filestem und Registry inside the GPO
to adminstrate the local right on a client an give a usergroup
perhaps change or full permissions only on the section they need.
But I do not want them accessing that security tab, Does
anyone know where that GPO is? or how to go about it?
In XP there is a GPO, W2K doesnt have it.
XP: User\ADM Templates\Win-Components\Windows Explorer
"Remove "Security" Tab" (sounds like that ... sorry no engl. Version)
2000, set permissions on:
Filesystem: %systemroot%\system32\Rshx32.dll
Remove "Everyone" Read, add only your wanted group
Registry: CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
Remove "Everyone" Read, add only your wanted group
Easiest way to realize it: Take the GPO - Registry and Filesystem ...
If your are in this place of the GPO, you can figrue out, if the
Users really need local admin rights, because:
As a local Admin I can get back the permissions ... just use cacls,
xcacls.exe, xcacls.vbs, takeown, subinacl and a bunge of freeware
like setacl.exe to edit the security settings.
A Admin is a admin is a admin ...
Mark
