Permissions on %systemroot%\system32\GroupPolicy

  • Permissions on %systemroot%\system32\GroupPolicy

    I am creating a local group policy for a kiosk-style PC that is completely locked down. I have based this on the settings in the Group Policy Common Scenarios document.

    My problem is that I do not want these restrictions to apply to the administrator, so I want to deny the administrator access to the group policy folder.

    So this is what I am currently doing: copying over a GroupPolicy folder that I have already set up, then using xcacls to deny administrator access. This doesn't seem to work, though.

    Is there a better way to do this?

  • #2
    Re: Permissions on %systemroot%\system32\GroupPolicy

    If I understand your problem, you want to apply the new group policy only to some users, not to all!

    Is that right?

    Then it's very simple. Open the properties of the GPO you created and open the Security tab.

    Make sure that the users you would like to use this policy have permission to read and use the policy. It is better to create a user group for those people and set the permission for the entire group, not for each user - that is not systematic!
    Then click on administrator and uncheck use policy.

    One more hint for you:

    Leave only the per-computer or per-user GPO enabled; turn off the policy that is not used.


    • #3
      Re: Permissions on %systemroot%\system32\GroupPolicy

      Actually, the way I solved this problem was as follows:

      REM Echo Setup CScript as the default scripting engine
      cscript //H:CScript

      Echo Create Account for Public User
      net user public pass /ADD /COMMENT:"Public Kiosk Account" /EXPIRES:NEVER /PASSWORDCHG:NO

      Echo Create GPeditor Account
      net user gpeditor pass /ADD /COMMENT:"Local Policy Editor" /EXPIRES:NEVER /PASSWORDCHG:NO
      net localgroup Administrators gpeditor /add

      Echo Copy the Group Policy folder over
      xcopy %systemdrive%\Install\GroupPolicy\*.* %systemroot%\system32\GroupPolicy\*.* /E /C /Q /H /R /Y

      Echo Hide the folder
      attrib +H %systemroot%\system32\GroupPolicy /S /D

      Echo Setup Correct ACEs
      XCACLS.vbs %systemroot%\system32\GroupPolicy /I REMOVE
      XCACLS.vbs %systemroot%\system32\GroupPolicy /E /G "NT AUTHORITY\Authenticated Users":X
      XCACLS.vbs %systemroot%\system32\GroupPolicy /E /G "NT AUTHORITY\System":F
      XCACLS.vbs %systemroot%\system32\GroupPolicy /E /G Administrators:F
      REM XCACLS.vbs %systemroot%\system32\GroupPolicy /E /G gpeditor:F
      XCACLS.vbs %systemroot%\system32\GroupPolicy /E /D Administrator:F

      The gpeditor account is used so I can do a runas while logged on as administrator to edit the GP settings.
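
One way to confirm that the ACL steps in post #3 took effect, as an added example that is not part of the original thread: a PowerShell check that reads the folder's ACL with Get-Acl and reports missing or unexpected entries. The function name Test-GroupPolicyAcl is hypothetical, and the mapping of the XCACLS.vbs letters (X to Read & Execute, F to Full Control) and the English account names are assumptions.

```powershell
# Added example, not from the thread. Assumes an English-language Windows install
# (account names are localized). Run it from an account that can still read the
# folder, such as the thread's gpeditor account.
$path = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# ACEs the XCACLS.vbs lines in post #3 are meant to leave behind
# (assumption: X = ReadAndExecute, F = FullControl).
$expected = @(
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Type = 'Allow'; Rights = 'ReadAndExecute' }
    @{ Id = 'NT AUTHORITY\SYSTEM';              Type = 'Allow'; Rights = 'FullControl' }
    @{ Id = 'BUILTIN\Administrators';           Type = 'Allow'; Rights = 'FullControl' }
    @{ Id = "$env:COMPUTERNAME\Administrator";  Type = 'Deny';  Rights = 'FullControl' }
)

function Test-GroupPolicyAcl {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [object[]] $Expected
    )
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $findings = @()

    # /I REMOVE should have switched off inheritance from system32.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled on the folder.'
    }
    foreach ($e in $Expected) {
        $want = [System.Security.AccessControl.FileSystemRights]$e.Rights
        $hit = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $e.Id -and
            $_.AccessControlType -eq $e.Type -and
            ($_.FileSystemRights -band $want) -eq $want
        }
        if (-not $hit) { $findings += "Missing: $($e.Type) $($e.Rights) for $($e.Id)" }
    }
    # Anything outside the expected list deserves a look.
    $known = $Expected | ForEach-Object { $_.Id }
    foreach ($ace in $acl.Access) {
        if ($known -notcontains $ace.IdentityReference.Value) {
            $findings += "Unexpected: $($ace.AccessControlType) $($ace.FileSystemRights) for $($ace.IdentityReference)"
        }
    }
    return $findings
}

$result = Test-GroupPolicyAcl -Path $path -Expected $expected
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'ACL matches post #3.' }
```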