How can I use group policy to assign user rights to local users and groups? To protect workstations from attacks over the network, I want to assign the policy Deny access to this computer from the network to each workstation's local Administrator account. However, when I try to edit the policy in \ computer configuration \ windows settings \ security settings \ \local policies \ user rights, I see no way to specify the local Administrator account. Windows 2000 lets me select only from the domain users and groups in Active Directory (AD).
The users and groups list that you select from is determined by the computer you're logged on to. Your description suggests that you're editing group policy at the domain controller (DC). Because DCs have no local users and groups, Win2K displays only domain-level accounts, as Figure 3, page 6, shows. To accomplish your goal, you need to log on at a workstation or member server and edit the Group Policy Object (GPO). When you edit rights assignments on a non-DC computer, Win2K lets you select the domain or the computer's local user and group by clicking the Look in list that Figure 3 shows. Non-DC computers will contain an entry for the local computer. The same principle applies to Restricted Groups in GPOs. To browse the local groups on a non-DC computer, you must edit group policy from a workstation or member server.
