Sign in with
Sign up | Sign in
Your question

Group policy problem (XP alone and XP with NT server)

Last response: in Windows XP
Share
Anonymous
May 26, 2005 2:56:57 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Let me explain my predicament:

I am currently running NT 4 server with 14 NT machines in a small lab at the
detention center. Because of the nature of the setting we have a lot of
restrictions placed on the NT computers via POLEDIT so that they cannot do
too much damage to our system (not drives visible,no internet access, no
RUN, SEARCH command etc.

Now we go some XP computers and I'm trying to connect them to the NT server
using the same restrictions, but am at loss as far as XP Group policy works.
I am experimenting with one of my computers without connecting it to the
network using mmc /a and Group Policy snap-in. But here is my question:

Can I just hook up XP computers to the network and have them read the
existing policy on the NT4 server, and is there a command for the XP to
communicate with the server and apply existing NT policies. I have a file
there on the server called Test.pol that my NT boxes access by running
poledit on them and making them read it from \\inmate_fs\test.pol.

Is there a way to do the same in XP?

My second question is similar, but a bit different. In the library I would
like to set up an inmate stand alone XP computer so that there will be
similar restrictions in place. Right now I have a NT computer here and again
use poledit to restrict various settings. I tried mmc /a but whenever I
create a console with various restrictions it affects the group Inmates but
it also affects the administrators. I've read somewhere that there is a
crude workaround where one can set up the system that there will be those
that are affected by group policy and those that would not be. Any help
here???


Thanks again

Tad Menert
Anonymous
May 26, 2005 9:51:42 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Tad Menert" <menertta@webaccess.net> wrote in message
news:4a06e$42960041$4e415e1$10388@ALLTEL.NET...
> Let me explain my predicament:
>
> I am currently running NT 4 server with 14 NT machines in a
> small lab at the detention center. Because of the nature of the
> setting we have a lot of restrictions placed on the NT
> computers via POLEDIT so that they cannot do too much damage to
> our system (not drives visible,no internet access, no RUN,
> SEARCH command etc.
>
> Now we go some XP computers and I'm trying to connect them to
> the NT server using the same restrictions, but am at loss as
> far as XP Group policy works. I am experimenting with one of my
> computers without connecting it to the network using mmc /a and
> Group Policy snap-in. But here is my question:
>
> Can I just hook up XP computers to the network and have them
> read the existing policy on the NT4 server, and is there a
> command for the XP to communicate with the server and apply
> existing NT policies. I have a file there on the server called
> Test.pol that my NT boxes access by running poledit on them and
> making them read it from \\inmate_fs\test.pol.
>
> Is there a way to do the same in XP?
>
> My second question is similar, but a bit different. In the
> library I would like to set up an inmate stand alone XP
> computer so that there will be similar restrictions in place.
> Right now I have a NT computer here and again use poledit to
> restrict various settings. I tried mmc /a but whenever I create
> a console with various restrictions it affects the group
> Inmates but it also affects the administrators. I've read
> somewhere that there is a crude workaround where one can set up
> the system that there will be those that are affected by group
> policy and those that would not be. Any help here???
>
>
> Thanks again
>
> Tad Menert

I can't help you with your first question. If you haven't done so
already you might want to post it to one of the server
newsgroups. Microsoft.public.windows.group_policy might be an
even better option.

As for your second question, you've got two options:

Here's Microsoft's procedure:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-...

Here's a method that uses NTFS permissions:

http://www.theeldergeek.com/gp07.htm

The second one is very simple to implement. You set up your group
policy and then set the permissions on the
C:\Windows\System32\GroupPolicy folder to deny read permissions
for the Administrators group.

Good luck

Nepatsfan
Anonymous
May 27, 2005 1:52:41 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for your help. I'm getting somewhere, but sometimes it's a vicious
circle, as when I try to remove my computer and deny the administrator read
permissions I might force myself into a blind corner :) 

It was a great help, though

Tad


two options:
>
> Here's Microsoft's procedure:
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>
> Here's a method that uses NTFS permissions:
>
> http://www.theeldergeek.com/gp07.htm
>
> The second one is very simple to implement. You set up your group policy
> and then set the permissions on the C:\Windows\System32\GroupPolicy folder
> to deny read permissions for the Administrators group.
>
> Good luck
>
> Nepatsfan
>
Anonymous
May 27, 2005 7:51:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I see you've discovered the fact that some of the policies go
into effect immediately. It's a PITA but there is a way around
most of them. That said, be careful. It's not that difficult to
put policies in place that prevent you from going back and
disabling them.

If I understand correctly you're trying to enable the following
policies in the User Configuration\Windows Components\Windows
Explorer section:

Hide these specified Drives in My Computer
Prevent Access to Drives from My Computer

As you've found out, as soon as you enable these two policies,
you won't have access to the C:\Windows\System32\GroupPolicy
folder. Here's a workaround that you might want to try:

While logged on to the computer with your account (or one that is
a member of the Administrators group) create two new shortcuts on
your desktop. One should point to C:\Windows\System32\gpedit.msc
and the other should point to C:\Windows\System32.
What you've got is a shortcut that will launch the Local Group
Policy editor and one that will open the folder one level above
the GroupPolicy folder whose access permissions you need to
change.

Double click the System32 shortcut.
Right click on the GroupPolicy folder and select Properties.
You can close the System32 folder but leave the Properties page
displayed.
Double click your Local Group Policy editor shortcut.
Make your changes and close the editor.
Go back to the GroupPolicy folder's Properties page.
Click on the Security tab.
Click on the Add button.
In "Select Users and Groups" click Advanced.
Click Find Now.
Click on Administrators to highlight that group.
Click OK twice.
Back on the GroupPolicy folder's Properties page remove all the
check marks in the Allow column for the Administrators group. Put
a check mark in the box next to Deny Read.
Click OK.
Log off with your account and log back on to make sure the
policies haven't been applied.
Log on with a limited account to see if the policies have been
applied.

Keep in mind that in order to regain access to the group policy
editor you will have to go back and remove the Deny Read
permission for the Administrator account. All you've got to do is
double click your System32 shortcut and remove the Administrators
group from the GroupPolicy folders Security page. You should now
be able to launch the Group Policy editor to adjust your policy
settings. Remember to reset your Deny Read permission if you've
left any policies in place.

Post back if you have any questions on this procedure.

Nepatsfan

"Tad Menert" <menertta@webaccess.net> wrote in message
news:e2cc3$4297424f$4e41869$18351@ALLTEL.NET...
> Thanks for your help. I'm getting somewhere, but sometimes it's
> a vicious circle, as when I try to remove my computer and deny
> the administrator read permissions I might force myself into a
> blind corner :) 
>
> It was a great help, though
>
> Tad
>
>
> two options:
>>
>> Here's Microsoft's procedure:
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-...
>>
>> Here's a method that uses NTFS permissions:
>>
>> http://www.theeldergeek.com/gp07.htm
>>
>> The second one is very simple to implement. You set up your
>> group policy and then set the permissions on the
>> C:\Windows\System32\GroupPolicy folder to deny read
>> permissions for the Administrators group.
>>
>> Good luck
>>
>> Nepatsfan
>>
>
>
!