Sign in with
Sign up | Sign in
Your question

Group policy problem - Really strange problem with profiles

Last response: in Windows XP
Share
Anonymous
August 22, 2005 7:20:03 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Please Help me someone....!!!

I have made 2 test accounts that is only allowed to start 3 programs from
the desktop and also start "Volume Control" direct on the "Start Menu",
that's it! They can't right click or do anything else, but log off and
shutdown. I've also made this profile mandatory, because there will be many
users that will use this profile but have their own account, for security
traceabillity. (I don't think it's possible to do that with Roaming profiles
with "Don't let changes to central profile be copied to server" and "Remove
cached copies of central profile", because you can't let serveral accounts
use one roaming profile with these settings!?!! (or am I wrong...?!?)

The problem: It works fine for both test users... they login and are able to
use the 3 applictions on the desktop and if they delete them they come bacak
when they logon again. Also the profile is removed from local computer when
the user log off and no changes is saved to the server profile. That's
fine... now the strange part....

PROBLEM 1:If I choose to use the "Classic Start-meny" by group policy, then
one user can see"Logoff", "Shutdown" AND on the "Start Menu" -->
Program(folder)-Autostart and the other can see exactly the same but also
Outlook Express in Programs. My problem is that I want to hide/remove the
Start Menu - PROGRAM(folder), for these group of users.

Remember that both user have exactly the same permissions and is member of
the same groups and also use the same mandatory profile.

PROBLEM 2: If choose the Windows XP (Default) Start Menu in the group
policy..... then the Programs folder is NOT visible(that's nice), but now
they can see "Printers and Faxes" and another program, HP-Supporttools! This
is exactly the same for BOTH users.

Can someone expert tell me what's going on!!? If I check the mandatory
profile there is no HP-support tools or Outlook Express in that profile.
I've also checked the proflile when the user is logged on... and there is
nothing in that profile.

My personal guess is that the "All user" (or Default Profile) is
"inheriting" down those settings to the userprofile. I've checked those
profiles, but HP-supporttools isn't present. Only All users - Program - HP
Managment Agents , but no HP-Supporttools in this folder.

I've liked the Policy to the Workstations OU where the computer is located
and also linked the policy to the users folder. Then it is filterd only to
the computer they use and the testgroup they are a member of. Is it better
to create to policies one - for computer settings and one for user settings,
instead for my approach to use both User and Compter policy settings in only
one GPO?!


Can anyone solve this problem OR is it possible to HIDE Program on the Start
Menu, by policy or script. Does anyone got an script that will hide/remove
the Programs folder; maybe I could put it in the logon script in the GPO?!


Regards,

Jobnow
Anonymous
August 22, 2005 12:19:32 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Please visit the experts in the Group Policy newsgroup
news://msnews.microsoft.com/microsoft.public.windows.group_policy

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

-------------------------------------------------------------------------------------------

"jobnow" wrote:

| Please Help me someone....!!!
|
| I have made 2 test accounts that is only allowed to start 3 programs from
| the desktop and also start "Volume Control" direct on the "Start Menu",
| that's it! They can't right click or do anything else, but log off and
| shutdown. I've also made this profile mandatory, because there will be many
| users that will use this profile but have their own account, for security
| traceabillity. (I don't think it's possible to do that with Roaming profiles
| with "Don't let changes to central profile be copied to server" and "Remove
| cached copies of central profile", because you can't let serveral accounts
| use one roaming profile with these settings!?!! (or am I wrong...?!?)
|
| The problem: It works fine for both test users... they login and are able to
| use the 3 applictions on the desktop and if they delete them they come bacak
| when they logon again. Also the profile is removed from local computer when
| the user log off and no changes is saved to the server profile. That's
| fine... now the strange part....
|
| PROBLEM 1:If I choose to use the "Classic Start-meny" by group policy, then
| one user can see"Logoff", "Shutdown" AND on the "Start Menu" -->
| Program(folder)-Autostart and the other can see exactly the same but also
| Outlook Express in Programs. My problem is that I want to hide/remove the
| Start Menu - PROGRAM(folder), for these group of users.
|
| Remember that both user have exactly the same permissions and is member of
| the same groups and also use the same mandatory profile.
|
| PROBLEM 2: If choose the Windows XP (Default) Start Menu in the group
| policy..... then the Programs folder is NOT visible(that's nice), but now
| they can see "Printers and Faxes" and another program, HP-Supporttools! This
| is exactly the same for BOTH users.
|
| Can someone expert tell me what's going on!!? If I check the mandatory
| profile there is no HP-support tools or Outlook Express in that profile.
| I've also checked the proflile when the user is logged on... and there is
| nothing in that profile.
|
| My personal guess is that the "All user" (or Default Profile) is
| "inheriting" down those settings to the userprofile. I've checked those
| profiles, but HP-supporttools isn't present. Only All users - Program - HP
| Managment Agents , but no HP-Supporttools in this folder.
|
| I've liked the Policy to the Workstations OU where the computer is located
| and also linked the policy to the users folder. Then it is filterd only to
| the computer they use and the testgroup they are a member of. Is it better
| to create to policies one - for computer settings and one for user settings,
| instead for my approach to use both User and Compter policy settings in only
| one GPO?!
|
|
| Can anyone solve this problem OR is it possible to HIDE Program on the Start
| Menu, by policy or script. Does anyone got an script that will hide/remove
| the Programs folder; maybe I could put it in the logon script in the GPO?!
|
|
| Regards,
|
| Jobnow
!