troxy

Hi! I've noticed that the gpedit.msc tool (Group Policy Editor console) doesn't show the actual registry value for a policy. For example, the policy "Always use classic logon" relates to the following registry key value: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType 0 = Classic logon (Policy is "Enabled") 1 = Welcome Screen (Policy is "Disabled") If I use gpedit.msc to enable the policy, and then use regedit.exe to disable it (manually changing the value for LogonType), the GUI in gpedit.msc still says "Enabled". I've now realised that gpedit.msc keeps the status for every policy in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ So when you use gpedit.msc to change a policy, it saves the status in the "Group Policy" reg key, and then writes changes to the "Registry.pol" file in the policy folder "%SystemRoot%\System32\GroupPolicy\" (User or Machine) At logon time, Windows reads "Registry.pol" and updates the registry accordingly. This is no news to most people here I suppose. But since I found no good info on the web about the relation between gpedit.msc and the registry, I wanted to raise the topic here in order to clarify. Please confirm my following conclusions: gpedit.msc is not just a GUI for editing registry values for policies. gpedit.msc is rather a GUI to manage policy settings stored in "Registry.pol". gpedit.msc becomes irrelevant when you edit the registry settings manually (using scripts or regedit.exe). Using gpedit.msc when you are editing the registry settings manually makes no sense and will only confuse things. I hope I've made things a little clearer for some tweakers out there. /Emil

Hi, I want to restrict a Windows user account to only run one single program. Let's say I create a user called Bob. Bob is not a member of any group, not even Users. He is simply a Nobody! Still, I'm able to successfully run Firefox as Bob, using the following command: runas /user:Bob "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" How is that possible? What fundamental part the Windows security model am I missing? Please explain! Thanks.

Hi, I've been struggling with Group Policies in Windows XP. I'm trying to grant some extra rights to a Power User (ie. a member of the Power Users group). Some policy settings simply won't stick or are being overridden. For example: NC_LanChangeProperties, DisableWindowsUpdateAccess etc. Could anyone please confirm that you cannot, under any circumstances allow Power Users to perform the following tasks: Modify settings for Windows Firewall Modify settings for Windows Update/Automatic Updates Modify all settings for Network Connections Install or update device drivers Thanks!