Group Policy

jludt

I am not on a domain so I need to know how to set the local group policy for a machine so that the Screen Saver tab is hidden from the Power Users group but not the Administrators. Being new with Group Policy Objects I haven't figured out how to accomplish this so is it possible and how would I go about doing this if it is?

nonstop301

Have you tried opening gpedit.msc then selecting User Configuration and from there expanding Administrative Templates then Control Panel and finally Display ?

You'll find the setting to hide the Screen Saver Tab there and if you enable it will be hidden to everyone but the Administrators

jludt

nonstop301 wrote:

Have you tried opening gpedit.msc then selecting User Configuration and from there expanding Administrative Templates then Control Panel and finally Display ?

You'll find the setting to hide the Screen Saver Tab there and if you enable it will be hidden to everyone but the Administrators

Yea that is exactly what I did. However, it hid the tab from the Administrator account as well.

nonstop301

There are two alternatives for you in that case.

Firstly, you can create an organisational unit for the administrators and one for the power users and then block inheritance of the administrator's organisational unit policy.

Otherwise, you can create a new group that contains all the users you don't want to have access to the screensaver tab and then use the Security Filtering options for that group policy object to disable the screensaver tab.

Both these methods are done by using the Group Policy Management Console. The organisational units are created using the Active Directory Users and Computers MMC tool.

jludt

nonstop301 wrote:

There are two alternatives for you in that case.

Firstly, you can create an organisational unit for the administrators and one for the power users and then block inheritance of the administrator's organisational unit policy.

Otherwise, you can create a new group that contains all the users you don't want to have access to the screensaver tab and then use the Security Filtering options for that group policy object to disable the screensaver tab.

Both these methods are done by using the Group Policy Management Console. The organisational units are created using the Active Directory Users and Computers MMC tool.

nonstop, thanks for the insight m8. I will look into both methods and see what I can come up with. Merry x-mas

jludt

Ok, I have the Group Policy Management Console but when I start the program it tells me I need to logged in as the Administrator of a domain. As I mentioned before our machines are not on a domain. Is there something I am missing with the Group Policy Management that allows you to still do this without being on a domain?

nonstop301

Hi again jludt,

The methods I mentioned are the standard way of regulating policies and applying restrictions outside the administrator user group. Unfortunately, contrary to what I originally expected, they can only be used with a computer that is part of a domain.

However there is a workaround to do this with computers that aren't on a domain.

Firstly, you must open gpedit.msc and make the changes to the policies you want to deny access for the Power Users.

Next, you must check the Folder Options of Windows Explorer and ensure that the Use simple file sharing (Recommended) option is NOT ticked.

Once you've done that, then you can go to the GroupPolicy folder which is located in \Windows\system32. You must right-click on the GroupPolicy folder and choose Properties.

From the subsequent GroupPolicy Properties window that will open for you, go to the Security tab. Make sure the Power Users group is listed in the Groups and user names section and add it if it isn't. Now you must Select Administrators (I stress Administrators and not Administrator) in the top section where the Groups and user names are listed. Then from the lower section where the Permissions for Administrators are listed, tick the Deny box of the Read permission. You will notice that the Allow box with be grayed out with a tick in it but that doesn't matter.

Finally, you can press apply and you'll see a warning telling you that you are setting a deny permissions entry and it will go on to explain to you that Deny entries take precedence over Allow entries and this means that if a user is a member of two groups, one that is allowed permission and one that is denied the same permission, the user will be denied that permission. The warning will end by asking you if you want to continue and you should click Yes

This will now prevent the implementation of the screensaver tab restriction to the Administrators and thus it will only be applied to all other users.

For the new settings to take place you'll have to log out and then relog into the Administrator account to see the effect.

I tried this on a computer that isn't on a domain and it did offer the desired outcome so I hope it will work for you as well.

One last thing I must point out to you is that ticking the Deny box for the GroupPolicy Read permission of the Administrators, will not allow you to start gpedit.msc, so if you want to make additional policy setting changes in the future, you must FIRST untick the Deny box and then relog into the Administrator account, start gpedit.msc to make further group policy adjustments, then tick the Deny box again and relog so that changes are implemented and the Administrators are immune to the restrictions.

jludt

Nonstop,

Thanks again for your help. I will give this a try at work when I get back and let you know how it fairs. Happy New Year m8


:celebrate

nonstop301

Happy New Year to you too jludt

Do let me know if you were successful or if you have any other queries about this.

jludt

nonstop301 wrote:

Happy New Year to you too jludt

Do let me know if you were successful or if you have any other queries about this.

Yep, desired results indeed. I appreciate your help very much