
How to create a group policy to deny access to services.msc and ms


Dennis

May 11, 2007, 12:19:00 AM
I have a user who likes to stop specific services that I do not want stopped.
Can someone tell me how to create a group policy to deny access to
services.msc and msconfig on the local XP computer to all users except domain
admin?

Windows Server 2003 SP2 - Windows XP Pro SP2
--
Dennis

Myweb

May 11, 2007, 2:55:02 AM
Hello Dennis,

Go to Computer Configuration > Windows Settings > Security Settings > File System.
In the right pane, right-click and choose Add File. Browse to the default location
of the file you would like to restrict on one workstation and set the security
settings the way you want. Test it on one machine and then deploy the policy
to the OU where the users' workstations are.

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

Bruce Sanderson

May 13, 2007, 7:15:00 PM
Ensure that the user's account is not a member, directly or indirectly, of
any group that is a member of the workstation's local Administrators or
Power Users group.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

"Dennis" <Den...@discussions.microsoft.com> wrote in message
news:4BEAAEF4-4AE4-4D93...@microsoft.com...

Roger Abell [MVP]

May 14, 2007, 3:54:31 AM
"Dennis" <Den...@discussions.microsoft.com> wrote in message
news:4BEAAEF4-4AE4-4D93...@microsoft.com...
> I have a user who likes to stop specific services that I do not want
> stopped.
> Can someone tell me how to create a group policy to deny access to
> services.msc and msconfig on the local XP computer to all users except
> domain admin?
>

Your user(s?) appear(s) overpowered.
Addressing that would be the infrastructurally correct approach.

Assuming excess privs is required, whyever, then look in the User
branch in GP in admin templates, where in Windows Components
you will find Microsoft Management Console, which has an agile
restricted/permitted snap-ins capability (you can even frustrate a
Domain Administrators member with it).

You might want to also alter permissions on services as the User
could adjust services without use of any mmc like services.msc.
That is touchy, especially if there are administrative duties of the
(not) overpowered user(s), repetitive (automate with sc), difficult
to maintain in face of future new services, but doable.

Roger
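
Added example, not part of the thread: before altering permissions on services as suggested above, it helps to see who can already stop or reconfigure one. This Python sketch parses the security descriptor string that `sc sdshow <service>` prints and lists trustees other than Local System and Administrators whose allow ACEs grant disruptive rights. The sample descriptors are constructed, the `EXPECTED` set is an assumption, and deny ACEs and group nesting are not evaluated.

```python
import re

# SDDL right codes as they apply to service objects (sc sdshow prints this form).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let a trustee stop, reconfigure, delete or re-permission a service.
DISRUPTIVE = {"STOP", "PAUSE_CONTINUE", "CHANGE_CONFIG", "DELETE",
              "WRITE_DAC", "WRITE_OWNER"}
# Assumption: only Local System (SY) and local Administrators (BA) should hold these.
EXPECTED = {"SY", "BA"}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the D: section of a service SDDL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # malformed ACE, skip rather than guess
        ace_type, _, rights, _, _, trustee = fields
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, trustee, {SERVICE_RIGHTS.get(c, c) for c in codes}))
    return aces

def who_can_disrupt(sddl):
    """Map each unexpected trustee to the disruptive rights its allow ACEs grant."""
    found = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        risky = rights & DISRUPTIVE
        if ace_type == "A" and trustee not in EXPECTED and risky:
            found.setdefault(trustee, set()).update(risky)
    return {t: sorted(r) for t, r in found.items()}

# Constructed samples: a descriptor of the kind sc sdshow returns on XP, where
# Power Users (PU) may start and stop the service, and a tightened variant.
BEFORE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
AFTER = BEFORE.replace("(A;;CCLCSWRPWPDTLOCRRC;;;PU)", "(A;;CCLCSWLOCRRC;;;PU)")

if __name__ == "__main__":
    for label, sddl in (("before", BEFORE), ("after", AFTER)):
        print(label, who_can_disrupt(sddl))
```

A tightened descriptor of the `AFTER` kind is what would be applied with `sc sdset`, one service at a time, which is the repetitive part the post mentions.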

