Setting Group Policy on a local Computer

By SuperG - Last updated: Saturday, June 23, 2012

The majority of this information can also be found here, but I include pictures to make it easier to understand.

http://technet.microsoft.com/en-us/library/cc766291(v=ws.10).aspx
This post is for farzinkanzi, and was originally posted here:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8e04136b-2260-4bc2-88b1-f4e47d3bc040/#dc0fc516-e1d9-44f6-9251-875839e7c956
This describes one setting and how to make that setting apply to everyone on the computer except one user.

In this case: “Removable disks: Deny read access” needs to apply to everyone except farzinkanzi.

And while I am at it I’ll also answer his question posted here: (since they are almost the same)

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/46a476be-282b-45d1-be15-03a1b8352c4e/#46a476be-282b-45d1-be15-03a1b8352c4e
OK, on a Windows 7 Professional computer I have 3 accounts:

ABC – Administrator

ADM – Administrator

XYZ – User



We want to set a policy to prevent everyone from reading USB drives.

Start an MMC console by typing MMC at the Run prompt.


Once the MMC starts click: File -> Add/Remove Snap-in…



Select “Group Policy Object Editor” and click Add.



On the welcome screen, leave “Local Computer” selected and click Finish.


Back on the “Add or Remove Snap-ins” screen, select “Group Policy Object Editor” and click Add (yes, again).


This time, on the welcome screen, click “Browse…”.


On the “Browse for a Group Policy Object” screen, make sure ABC is highlighted, then click OK.


Then click Finish on the welcome screen.


Click OK on the “Add or Remove Snap-ins” screen.

You now have two Policies listed in the MMC

Local Computer Policy – Which applies to everyone who uses the computer

Local Computer\ABC Policy – Which only applies to ABC
First we will set the policy for all users of the computer.

Navigate to “User Configuration\Administrative Templates\System\Removable Storage Access”. Make sure you are under User Configuration and not Computer Configuration.

Here you will find the setting “Removable disks: Deny read access”. Set this to Enabled.


Next, we do not want this to apply to ABC, so navigate to “User Configuration\Administrative Templates\System\Removable Storage Access” under the Local Computer\ABC Policy and set the same setting to Disabled.



Local policies are written in this order: Local Computer, Group, User.
The last written setting wins.

This means that users ADM and XYZ would be denied read access to removable drives.

User ABC would be able to read removable drives, because the deny would be disabled.
This is also how you would set a policy for only one user.
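
To confirm the result described above, the following PowerShell function reports, for each logged-on user, whether the deny setting is in effect and whether a user-specific local policy exists. It is an added example, not part of the original post; the `Deny_Read` registry value, its key path, and the `GroupPolicyUsers` folder are assumptions about where Windows stores these settings, and the function name is made up for illustration.

```powershell
# Added example (not from the original post): report the effective
# "Removable disks: Deny read access" user policy for each loaded user hive.
# Assumptions: the setting is stored as DWORD Deny_Read under $subKey, and
# user-specific local GPOs live under %SystemRoot%\System32\GroupPolicyUsers\<SID>.
# Run from an elevated prompt; only logged-on users have a hive under HKEY_USERS.
$subKey = 'Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskDenyRead {
    # Real account SIDs only (S-1-5-21-...); this skips the *_Classes hives.
    $hives = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName

        # Translate the SID to an account name; fall back to the raw SID.
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        # Value left in the user's hive after all local policy layers were written.
        $key  = "Registry::HKEY_USERS\$sid\$subKey"
        $prop = Get-ItemProperty -LiteralPath $key -Name Deny_Read -ErrorAction SilentlyContinue
        if ($prop -and $prop.Deny_Read -eq 1) { $state = 'Denied' }
        else { $state = 'Not denied' }

        # A Registry.pol here means this account has its own user-specific local GPO.
        $pol = Join-Path $env:SystemRoot "System32\GroupPolicyUsers\$sid\User\Registry.pol"

        New-Object PSObject -Property @{
            Account         = $account
            Sid             = $sid
            ReadAccess      = $state
            UserSpecificGpo = (Test-Path -LiteralPath $pol)
        }
    }
}

Get-RemovableDiskDenyRead | Format-Table Account, ReadAccess, UserSpecificGpo -AutoSize
```

With the policies from this post applied and all three accounts logged on, ADM and XYZ should show Denied, and ABC should show Not denied with UserSpecificGpo set to True. On 64-bit Windows, run it in 64-bit PowerShell so that the System32 path is not redirected.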

The version of Windows required is Professional or better; this will not work with any version of Home or Starter. You can still make these types of changes on Home and Starter, but it's much harder, as you would have to edit the registry directly.

****************UPDATE***************

I got an e-mail yesterday from a Microsoft employee, thanks Tim. The e-mail was about KB2532445-v2, having to do with Office macros and AppLocker. Not really sure how this applies to what I reported here, but the hotfix he gave me worked.

After applying the hotfix, the rules no longer gave the error and Office worked as expected.

Again thank you Tim.

 
