GPO Restrictions on PC administrators

  • Thread starter: Ward Horsfall

Ward Horsfall

Hi,

I am trying to work out the following settings:

User Configuration - Administrative Templates - Network - Network
Connections

I want to protect users from modifying settings. I can see that you can
disable / enable these settings - which is OK. The problem is I want
to make people local administrators on their machines so they will be
able to install/re-install software etc if necessary - but I want to
stop them from playing with their network settings...

How can this be done? It seems once the user becomes a Local Administrator
on the box then the group policy restrictions do not apply.

The environment is Windows 2003 Server and XP SP2 workstations.

Thanks,

Ward
 
The policy you refer to is user configuration policy. Since I assume you are
talking about a domain based policy, it will not apply to local users on a
computer. It should still apply if the user is logged on as a domain user.
Domain users can have their accounts added to the local administrators group
on a domain computer and then domain user configuration policy will still
apply to them. The problem is that they may realize that they can create
local accounts to log on to avoid domain policy user restrictions. You can
also configure Local Group Policy via gpedit.msc and it can apply to ALL
local users also but a knowledgeable local administrator might know how to
dismantle local policy. It is next to impossible to restrict a local
administrator that is knowledgeable about the operating system, though that
does not mean you should not try - just beware that they still ultimately
have total control of that computer.

-- Steve
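
An audit for the gap described in the reply above (local accounts sit outside domain user-configuration policy), added here as an example and not part of the original thread. It assumes Windows PowerShell with WMI and ADSI access to the workstation; the function names and the allow-list are hypothetical.

```powershell
# Added example. Constructed allow-list of local accounts expected on an
# XP SP2 build; adjust it to match the site's own image.
$ExpectedLocal = @('Administrator', 'Guest', 'HelpAssistant', 'SUPPORT_388945a0')

function Get-UnexpectedLocalAccount {
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [string[]]$Allow = $ExpectedLocal
    )
    # LocalAccount=True restricts the query to accounts in the machine's own SAM,
    # which domain user-configuration policy does not reach.
    Get-WmiObject -Class Win32_UserAccount -ComputerName $Computer -Filter 'LocalAccount=True' |
        Where-Object { $Allow -notcontains $_.Name } |
        Select-Object @{ n = 'Computer'; e = { $Computer } }, Name, Disabled
}

function Get-LocalAdminMember {
    param([string]$Computer = $env:COMPUTERNAME)
    # "Administrators" is the English group name; localized builds use another name.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Computer = $Computer
            Member   = $path -replace '^WinNT://', ''
            # Local principals carry the computer name in their ADsPath.
            IsLocal  = $path -match "/$([regex]::Escape($Computer))/"
        }
    }
}

# Local accounts outside the allow-list, then local (non-domain) administrators.
Get-UnexpectedLocalAccount | Format-Table -AutoSize
Get-LocalAdminMember | Where-Object { $_.IsLocal } | Format-Table -AutoSize
```

Run on a schedule, any new row in either table is an account that can log on without the domain user policy applying.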
 
But if you're not restricting them too much, they won't need to seek out a
way to defeat the system. Unless you have users that just don't like you
and having any sort of policy... then that's a different story ;-)


hehehehe
Ken
 
Sorry, I should have clarified: they are domain users. I suppose I don't mind if
they can add local users - as I can probably lock that down as well. They
are not too knowledgeable - they only know how to change network
settings - which is the one giving grief. So if I could just lock that down
that would be great. I trust them with the other settings.

Ward
 