Locking Down Specific Profiles with Local Group Policy

I recently had to lock down a profile on a user account running on a Terminal Services server. You'd think that by 2008 Microsoft would have released a tool that does this with ease. I tried SteadyState, but it would bomb out during the installation. Microsoft actually does have an article that describes how to do this here. Make sure you take some Excedrin before reading it.

There are two branches of Group Policy: computer and user. The computer settings are stored in registry.pol at %SystemRoot%\System32\GroupPolicy\Machine\registry.pol, and the user settings in registry.pol at %SystemRoot%\System32\GroupPolicy\User\registry.pol. The computer settings are applied when the OS boots, before anyone logs on, so you cannot do any "switch-a-roo" with them; the user branch, which is applied at logon under the logged-on user's account, is where this trick works.

Not satisfied with Microsoft's solution, I did some Googling and found this article on Juice. The article is geared toward doing this across multiple computers over a network, but the bottom line is the same: make the account we want to lock down an administrator, log in as it, and use gpedit.msc to lock things down in the User Configuration branch. When done, take the account out of the Administrators group, go to %SystemRoot%\System32\GroupPolicy, and add a Deny Read entry for the local Administrators group on the whole folder and its contents. That way, anyone logging in will get the policy except Administrators, because they cannot read the folder and thus never receive the policies. The Deny applies to you as well: to edit the policy again later, remove the Deny entry first, run gpedit.msc, and then put it back.
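The same procedure scripted in PowerShell, as an added example that is not from the original post or the Juice article. It assumes a hypothetical local account named kiosk and must be run from an elevated prompt; the gpedit.msc step stays interactive. It denies only the ReadData right (List folder / read data) rather than full Read or Full Control, so Administrators keep READ_CONTROL and WRITE_DAC on the folder and can remove the Deny again without taking ownership. Whether that narrower Deny is enough for your build should be confirmed with the Test function and a test logon.

```powershell
# Added example, not part of the original post.
# Assumes a hypothetical local account 'kiosk' and an elevated PowerShell prompt.
$Account   = 'kiosk'                                      # hypothetical target account
$GpoDir    = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$AdminsSid = 'BUILTIN\Administrators'
$Admins    = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Administrators')

# Step 1: temporarily make the target account a local administrator so it can
# run gpedit.msc and edit User Configuration while logged on as itself.
function Grant-TempAdmin {
    net localgroup Administrators $Account /add
    Write-Host "Log on as $Account, run gpedit.msc, lock down User Configuration, log off."
    Write-Host "Then run Lock-GroupPolicyFolder from an admin session."
}

# Step 2: take the account back out of Administrators and add an inheritable
# Deny ReadData ACE for BUILTIN\Administrators on the GroupPolicy folder, so
# registry.pol (and gpt.ini) in the Machine\ and User\ subfolders become
# unreadable to admins. Everyone else still reads and receives the policy.
function Lock-GroupPolicyFolder {
    net localgroup Administrators $Account /delete

    $acl  = Get-Acl -Path $GpoDir
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Admins, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $GpoDir -AclObject $acl
}

# Check: is the Deny ACE for Administrators present on the folder?
function Test-GroupPolicyFolderLocked {
    $acl = Get-Acl -Path $GpoDir
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AdminsSid -and
        $_.AccessControlType -eq 'Deny'
    })
}

# To edit the policy again: the Deny blocks gpedit.msc for admins too, so
# remove it, edit, then run Lock-GroupPolicyFolder (or just the ACL part) again.
function Unlock-GroupPolicyFolder {
    $acl = Get-Acl -Path $GpoDir
    $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AdminsSid -and
        $_.AccessControlType -eq 'Deny'
    } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $GpoDir -AclObject $acl
}

# Usage (run in order, with the interactive gpedit.msc session in between):
#   Grant-TempAdmin
#   Lock-GroupPolicyFolder
#   Test-GroupPolicyFolderLocked   # expect True
```

After locking, verify from both sides: log on as the locked account and confirm the restrictions are in effect, then log on as an administrator and confirm they are not. Remember that any administrator can still take ownership of the folder and strip the Deny, so this keeps honest admins out of the policy; it is not a defence against a hostile one.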

– Soli Deo Gloria