Is it only possible to create Organizational Units on a domain controller? I want to set certain restrictions via group policy, but I only want it to effect members of a certain group. This is very easy for me to do on a domain controller, but it seems that on a windows 2000 professional standalone computer, the new group policy restrictions are applied to every users, including the administrator. Is there any way to avoid this situation on a win2k pro machine, and still apply the restrictions to lower level users and groups? Thanks!

Going from memory here...
But when you create new users within 2K, arent they automatically all members of the 'users' group, which have similar functionality to the administrator group.

Thus, if your wanting to set all the users, within a specified group, just make sure that they're not also members of the 'users' group, as this would then over-ride other policy's.

sorry if this dosent help... but im using a XP box.

something you may appreciate dilbert...
XP seems to have an aversion to organised religion.
In that... i originally setup my PC with the user 'God'.
After about 2 months decided to start implemeting user access and accounts for friends who use my Box.
Anyway, after creating another account, and loging in as it...
I can longer use my God account. The account exists, and is perfectly fine, it just never gets listed in the available accounts.
Then if you try to log in as 'God'.. it says the user dosent exist.
If you try to create it.. it already exists (obvioiusly).
Now for the clincher... you just simply change the name from 'God' to anything else... and the account can be used again.
Final test.. change the username 'God' to 'dog' and log in. This worked fine... then while logged in as 'Dog' i changed the username back to 'God'. At the next restart or relogin, the 'God' account dissapears again, to be unavailable.

Originally posted by danee
Going from memory here...
But when you create new users within 2K, arent they automatically all members of the 'users' group, which have similar functionality to the administrator group.

Thus, if your wanting to set all the users, within a specified group, just make sure that they're not also members of the 'users' group, as this would then over-ride other policy's.

sorry if this dosent help... but im using a XP box.


Well, the problem is, that it applies the policy to all of the groups. For example, if I set a policy removing the Control Panel from the start menu, it applies the policy to everyone. Even members of the administrators group will no longer have control panel in the start menu. I can't believe Microsoft would do something like this. Its so easy on a domain controller, why would they leave it off a stand alone machine. :(

Why don't you create a new group for those users you wish to restrict?
You could even call that group "Restricted"! :D

Originally posted by dilbert79


Well, the problem is, that it applies the policy to all of the groups. For example, if I set a policy removing the Control Panel from the start menu, it applies the policy to everyone. Even members of the administrators group will no longer have control panel in the start menu. I can't believe Microsoft would do something like this. Its so easy on a domain controller, why would they leave it off a stand alone machine. :(

Ive tried that as well. However, I still cant apply a group policy to that group only. This is something Microsoft should be ashamed of.

Does anyone know of a way to make the administrator exempt from group policy as an alternative? Im baffled as to why microsoft would not have this functionality built in. The administrator is supposed to have full access and control, yet the administrator is bound by any restrictions set in group policy. This is insane!

....Must be more of the Microsoft logic. Ive searched the entire group policy MMC snap in to find a way to avoid this problem, and there is none. I've read the help files, looked in the knowledge base, and asked around on the internet. It appears as tho there is nothing that can be done about it. In effect, an administrator could use group policy to lock down the entire system, and end up with a restriction policy that prevents him from having enough access to administer the system. Insane!

in the GP properties - security tab uncheck "apply group policy" or check deny.

Originally posted by Midknyte
in the GP properties - security tab uncheck "apply group policy" or check deny.

Thanks!