Difference between Administrator and User permissions

    Question

  • Good afternoon,

    I have Windows Server 2008 R2 installed on a server. I want certain users, when they connect to it, to automatically launch an application. So far so good.
    The fact is that when the application opens at login, the desktop is not shown, but if you press the hotkey, Task Manager opens as well. Then run a new task, explorer.exe, and voilà, you already have access to the desktop and hard drive (though it does not let us delete anything). I want them to not even have access to the hard drive, so that they cannot do anything but work with it.
    I have seen that from the security policies you can block user-level access to specific or all hard drives, and you can disable the Task Manager hotkeys. I "think" this would make access difficult (if not impossible, you never know). The fact is that these policies affect all users, including administrators who have potential. My question is then: how do I differentiate permission restrictions between some basic users and administrators? I cannot find how to divide them; it is all or none.

    Thanks in advance, Regards.

    Tuesday, March 05, 2013 5:34 PM

Answers

  • Hello Davidn74,
    Is your Windows Server 2008 R2 a Domain Member? If yes, then you have the flexibility of the Domain's GPOs; otherwise, if it's a Workgroup Member, you can use Local GPO only; but in this case the trick is to change the %systemroot%\System32\GroupPolicy folder Security Permissions so Administrators won't be affected by Local GPO:

    1. Create new local Administrator to use to manage GPO (e.g. GPOAdmin)
    2. Deny access to %systemroot%\System32\GroupPolicy or %systemroot%\System32\GroupPolicy\Machine or %systemroot%\System32\GroupPolicy\User folder for Administrators (except GPOAdmin) = so they won't be affected by Local GPO
    3. Use new local Administrator created before to manage Local GPO by MMC

    Give it a try...

    Bye,
    Luca


    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    • Edited by Luca Fabbri Wednesday, March 06, 2013 10:32 AM
    • Marked as answer by Davidn74 Thursday, March 07, 2013 12:00 PM
    Tuesday, March 05, 2013 10:36 PM
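
One way to script steps 1 and 2 of the answer above with `net.exe` and `icacls.exe`, as an added example that is not part of the original thread. Assumptions: a workgroup server with local accounts only, the `GPOAdmin` name from the answer, Read as the denied right (the answer only says "deny access"), and a hypothetical `-Apply` switch without which the script only prints its plan.

```powershell
# Added example, not from the original thread. Run from an elevated prompt.
# -Apply is this script's own (hypothetical) switch; default is a dry run.
param(
    [string]$GpoAdmin = 'GPOAdmin',
    [switch]$Apply
)

$gpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'
if (-not (Test-Path $gpFolder)) { throw "$gpFolder not found." }

$plan = @()

# Step 1: create the dedicated account if it is missing. '*' makes net.exe
# prompt for the password, so it never appears on the command line.
& net.exe user $GpoAdmin > $null 2>&1
if ($LASTEXITCODE -ne 0) {
    $plan += ,@('net.exe', 'user', $GpoAdmin, '*', '/add')
    $plan += ,@('net.exe', 'localgroup', 'Administrators', $GpoAdmin, '/add')
}

# Save the current ACLs first so the change can be undone with icacls /restore.
$backup = Join-Path $env:TEMP 'GroupPolicy-acl-backup.txt'
$plan += ,@('icacls.exe', $gpFolder, '/save', $backup, '/T')

# Step 2: a deny ACE on the Administrators group would also hit GPOAdmin,
# because deny takes precedence over allow. Deny each other member instead.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
foreach ($m in $members) {
    if ($m -ieq $GpoAdmin) { continue }
    # Assumption: Read, inherited by subfolders and files, is the denied right.
    $plan += ,@('icacls.exe', $gpFolder, '/deny', "${m}:(OI)(CI)R")
}

# Print every command; execute only when -Apply was given.
foreach ($cmd in $plan) {
    Write-Output ($cmd -join ' ')
    if ($Apply) {
        $exe = $cmd[0]
        $cmdArgs = $cmd[1..($cmd.Count - 1)]
        & $exe $cmdArgs
        if ($LASTEXITCODE -ne 0) { throw "Failed: $($cmd -join ' ')" }
    }
}
```

Step 3 stays manual: log on as `GPOAdmin` and edit the Local GPO through MMC. Accounts added to Administrators later are not covered until the script is run again.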

All replies

  • Perfect! Something like that was what I needed. Luca, thank you very much ;)

    Greetings!
    Thursday, March 07, 2013 12:01 PM