Group policy problem (XP alone and XP with NT server)

Archived from groups: microsoft.public.windowsxp.security_admin

Let me explain my predicament:

I am currently running NT 4 server with 14 NT machines in a small lab at the
detention center. Because of the nature of the setting we have a lot of
restrictions placed on the NT computers via POLEDIT so that they cannot do
too much damage to our system (no drives visible, no internet access, no
RUN, SEARCH command etc.).

Now we got some XP computers and I'm trying to connect them to the NT server
using the same restrictions, but am at a loss as far as XP Group policy works.
I am experimenting with one of my computers without connecting it to the
network using mmc /a and Group Policy snap-in. But here is my question:

Can I just hook up XP computers to the network and have them read the
existing policy on the NT4 server, and is there a command for the XP to
communicate with the server and apply existing NT policies? I have a file
there on the server called Test.pol that my NT boxes access by running
poledit on them and making them read it from \\inmate_fs\test.pol.

Is there a way to do the same in XP?

My second question is similar, but a bit different. In the library I would
like to set up an inmate stand alone XP computer so that there will be
similar restrictions in place. Right now I have an NT computer here and again
use poledit to restrict various settings. I tried mmc /a but whenever I
create a console with various restrictions it affects the group Inmates but
it also affects the administrators. I've read somewhere that there is a
crude workaround where one can set up the system so that there will be those
that are affected by group policy and those that would not be. Any help
here???


Thanks again

Tad Menert
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    I can't help you with your first question. If you haven't done so
    already you might want to post it to one of the server
    newsgroups. Microsoft.public.windows.group_policy might be an
    even better option.

    As for your second question, you've got two options:

    Here's Microsoft's procedure:

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B293655

    Here's a method that uses NTFS permissions:

    http://www.theeldergeek.com/gp07.htm

    The second one is very simple to implement. You set up your group
    policy and then set the permissions on the
    C:\Windows\System32\GroupPolicy folder to deny read permissions
    for the Administrators group.

    Good luck

    Nepatsfan
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    Thanks for your help. I'm getting somewhere, but sometimes it's a vicious
    circle, as when I try to remove my computer and deny the administrator read
    permissions I might force myself into a blind corner :)

    It was a great help, though

    Tad


  3. Archived from groups: microsoft.public.windowsxp.security_admin

    I see you've discovered the fact that some of the policies go
    into effect immediately. It's a PITA but there is a way around
    most of them. That said, be careful. It's not that difficult to
    put policies in place that prevent you from going back and
    disabling them.

    If I understand correctly you're trying to enable the following
    policies in the User Configuration\Windows Components\Windows
    Explorer section:

    Hide these specified Drives in My Computer
    Prevent Access to Drives from My Computer

    As you've found out, as soon as you enable these two policies,
    you won't have access to the C:\Windows\System32\GroupPolicy
    folder. Here's a workaround that you might want to try:

    While logged on to the computer with your account (or one that is
    a member of the Administrators group) create two new shortcuts on
    your desktop. One should point to C:\Windows\System32\gpedit.msc
    and the other should point to C:\Windows\System32.
    What you've got is a shortcut that will launch the Local Group
    Policy editor and one that will open the folder one level above
    the GroupPolicy folder whose access permissions you need to
    change.

    Double click the System32 shortcut.
    Right click on the GroupPolicy folder and select Properties.
    You can close the System32 folder but leave the Properties page
    displayed.
    Double click your Local Group Policy editor shortcut.
    Make your changes and close the editor.
    Go back to the GroupPolicy folder's Properties page.
    Click on the Security tab.
    Click on the Add button.
    In "Select Users and Groups" click Advanced.
    Click Find Now.
    Click on Administrators to highlight that group.
    Click OK twice.
    Back on the GroupPolicy folder's Properties page remove all the
    check marks in the Allow column for the Administrators group. Put
    a check mark in the box next to Deny Read.
    Click OK.
    Log off with your account and log back on to make sure the
    policies haven't been applied.
    Log on with a limited account to see if the policies have been
    applied.

    Keep in mind that in order to regain access to the group policy
    editor you will have to go back and remove the Deny Read
    permission for the Administrator account. All you've got to do is
    double click your System32 shortcut and remove the Administrators
    group from the GroupPolicy folder's Security page. You should now
    be able to launch the Group Policy editor to adjust your policy
    settings. Remember to reset your Deny Read permission if you've
    left any policies in place.

    Post back if you have any questions on this procedure.

    Nepatsfan
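
The lock and unlock steps from the reply above, as a command-line sketch (an added example, not part of the thread). It assumes the stock `cacls` tool on Windows XP and a hypothetical script name `gplock.cmd`; note that `cacls /D` denies all access rights, which is broader than the single Deny Read check box the post describes.

```bat
@echo off
rem Added example, not from the thread: toggles the Administrators entry
rem on the local Group Policy folder so the policy can be edited and then
rem shielded from administrators again.
rem Assumption: run from an account in the Administrators group.
setlocal
set "GPDIR=%SystemRoot%\System32\GroupPolicy"

if /i "%~1"=="lock"   goto lock
if /i "%~1"=="unlock" goto unlock
if /i "%~1"=="status" goto status
echo Usage: %~nx0 lock ^| unlock ^| status
exit /b 1

:lock
rem /E edits the existing ACL instead of replacing it.
rem /D adds a deny entry for the group. cacls can only deny ALL access,
rem not Read alone, so this is stricter than the GUI's Deny Read box.
cacls "%GPDIR%" /E /D Administrators
goto status

:unlock
rem /R (valid only with /E) removes every entry for the group, the deny
rem entry included. This matches "remove the Administrators group from
rem the Security page" in the post.
cacls "%GPDIR%" /E /R Administrators
goto status

:status
rem Print the resulting ACL so the change can be confirmed before logging off.
cacls "%GPDIR%"
exit /b 0
```

Run `gplock.cmd unlock` before opening gpedit.msc and `gplock.cmd lock` after closing it, then log off and back on to check both account types as the post describes.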
