Restrictions Using MMC

[Guest]

I am using a Group Policy snap-in to restrict a 2K computer to only run
iexplore.exe. But, how can I go into mmc and make changes to the policy once
I set it to only run iexplore.exe. When I do, I cant run mmc.exe to get into
it to chage things. I tried adding mmc.exe to the allowed programs list,
,but that doesnt work.

TIA,

Scott

 

[Darren Mar-Elia]

If you are making this change on the local GPO then you can edit a local GPO
remotely. Just start MMC, load the Group Policy Editor snap-in and focus it
on the remote computer. That way you're not stuck in this chicken-and-egg
scenario.

 

[Guest]

Kinda new to this...

What would be the best way to do this?

 

[Guest]

I am kinda new at this GPO thing. How would I do that?

 

[Darren Mar-Elia]

Ok. So I'm assuming that when you set this policy in the first place, you
did it by running gpedit.msc or some kind of "Local" policy editor? Correct?
If so, then what you did is modify the local GPO that every Windows device
has. If you modified the GPO from AD Users and Computers or from the GPMC,
then you are using a domain-based GPO--which is different than a local one.

If we assume you modified the local GPO, then you can get to that same local
GPO from another machine on the network, as long as you have rights to that
machine where you made the change, by using the method I described below.
Run mmc.exe from a command prompt. Choose Add/Remove Snap-ins from the menu
and then choose the Group Policy Editor snap in. After choosing that snap
in, you're prompted to choose which computer you want to focus on--the local
computer or a remote one. Browse to the machine where you set the policy you
want to change and then load the snap-in. Once its loaded, you can go into
the policy you set and change the shell setting back to whatever you want.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related

 

[Guest]

If I set the policy to only allow iexplore.exe and cant connect to the
computer any other way, how do I reset it to allow other programs or can I?

 

[Darren Mar-Elia]

Did you try connecting as I showed below? If so, does it work? If not, what
policy did you set, exactly? Did you change the default shell to iexplore or
set the policy that only allows certain programs to run?

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related

 

[Guest]

I set the User Configuration/Administrative Templates/System/Run only allowed
Windows applications and entered iexplore.exe as the only program allowed. I
did try conecting, but it wouldnt.

 

[Darren Mar-Elia]

What was the message? Restricting iexplore as the only app will not impact
the system's ability to respond to remote requests. However, if you have
Windows Firewall running on that remote system, that could.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related

 

[Guest]

"Failed to open the Group Policy object. You may not have appropriate rights."