How to stop an Admin account getting Local GP settings
I am uploading this information as there seems to be a whole load of inaccurate/false information online. I have recently been asked to create XP embedded images for use as standalone kiosks. By standalone i mean not joined to a domain or even a workgroup, the type of device that gives public internet access amd nothing else.
The easiest way to achieve this is to include and use all of the local group policy components within XP embedded, create a user account and set the shell to IE, create a master admin account to configure all securities and grouup policies with the shell set to explorer and set the user account to autologin. The above is fine except for the fact that microsoft haven’t created an obvious easy way to exlude the admin account from any policies set on the system??!! If a policy is set that removes access to the C drive for example your screwed.
The only way to get this to work is to login to the admin account before any policies have been set and start regedit, browse to :
HKCU\SOFTWARE\microsoft\windows\currentversion\policies
right click the policies key and select permissions, remove “full control” from all listed groups leaving only read. This prevents the admin account from inheriting any local group policies that have been set by preventing the part on the registry that stores GP information from being written to.
Related posts
Did you enjoy this post? Why not leave a comment below and continue the conversation, or subscribe to my feed and get articles like this delivered automatically to your feed reader.
[...] but Jean Marc managed in the end. We have decided to write it down on my blog, so please see How to stop an Admin account getting Local GP settings | Simon Todd's Free Technical Blog! The post tells you which keys to change to stop local GP settings being forced on a local admin [...]