Hello,

I'm real new to WIN 2000 so please keep that in mind. But, I am trying to secure a public W2K Professional machine. I set up a user account and a local Group Object. This is a stand alone PC. I use the MMC console to lock down certain Start Menu and desktop features. Everything seems to work real well. But, when I log back on as the Administrator account I get the same restrictions. As the Administrator I think it would be helpful to get to the Control Panel (joke).

How can I set it up so the Administrator always has NO restrictions, but the regular user has the MMC restrictions.

Any help would be great. Thanks

Badge

Badge,

I don't have a solution to your problem but I can say that I have the same problem you do. Please let me know if you have found a solution to your problem (i don't see any replies here but maybe u found some elsewhere).

thanx

I have had no luck at the local level. I read the WIN2K Resource Kit, it said that you can do it, I did what it says, and it still doesnt work. I did see it work using Active Directory, but that doesnt help me in a kiosk situation. I dont want to run Active Directory for one stand alone PC. You may have better luck with the Resource Kit then I did. I sat in a 3 day WIN2K training and the Certified Instructor couldnt figure it out, so go figure. Good Luck. If I find anything I'll post it.

Badge

Using regedit, you will see that under HKey_Users there is a .DEFAULT Key and also several other Keys underneath with _Classes on the end also. Each of those keys underneath corresponds to a username, they are unique & the long key numbers change if users are added or deleted, since Win2000 uses access lists & active directory & Kerberos for tracking users. When a username is created it will have a key created here under HKey_users if it falls outside the .Default key permissions. What you must do is simply copy a key similar to this HKEY_USERS\S-1-5-21-1644491937-1078145449-1343024091-500\Software\Microsoft\Windows\CurrentVersion\Poli cies and copy it to same HKEY_USERS\.DEFAULT\whatever.... Then go back to the original key and change the DWord values from 1 (on) to 0 (off), or delete all the subkeys under the Policies\Explorer or Policies\System that you defined earlier with MMC administrative templates. LogOff and back onto your default user (not admin) and voila! Email me if you have problems. I have throughly tested this and it works! Great for public workstations, libraries, etc.

<P ID="edit"><FONT class="small">Edited by thadguidry on 07/12/01 19:39.</FONT></P><P ID="edit"><FONT class="small">Edited by thadguidry on 07/12/01 19:41.</FONT></P>