GPO local policy (computer policy)

[tractng]

Guys,

In the past, I have worked with GPO on the domain level using OU.

Anyways, in this network, I am relunctant to use any GPO at the OU
level and leaning towards to local GPO.

My question is when I disable the command line (run command) and any
access to run gpedit.msc, how do I get back to it when I need to make
changes?

I think the answer would be to run it remotely using mmc?

There is this windows 2000 in the network that when you logged in
locally (under the local admin), you will see the run command, but
anything else you won't see the run command. How do I achieve this?
The past admin hides it under "assesories".


The server I am trying to configure is windows 2003 for terminal usage.
So far, I have logged in locally to configured the gpedit.msc


Thanks in advance.
Tony

 

[Dave Britt]

Have you considered using Filtering.

Create a policy at the Domain Level that applies the setting that you are
looking for to the user community i.e leave in the scope "Authenticated
Users" and then create a second policy set at the Domain level but processes
after the first policy, higher in the list.

The second policy would be configured with a Scope of an Admistrative Group
(Filtered) and used to disable any policy setting that you wish the
administrators not to be restricted by. This approach applies all policy to
all users and then opens up utilities to the Administrators. The naming of
the policy often makes things simpler as well.

for Example

Users Standard Security - All user configuration enabled
Users Administrator Level Security - Policies from Standard disabled - e.g
mmc snapins, cmd access

Dave Britt
Blog: http://davebritt.blogspot.com/

lifts the policy for the administrative groups