Server 2003 with XP/2000 users

chaostheory
Jun 6, 2005
Archived from groups: microsoft.public.win2000.group_policy

This company has Server 2003 with Windows XP and 2000 OSes logging
onto the domain. Now I am a Network Administrator intern at the
company, so I'm new to a lot of this. They have decided, per my request
(what have I got myself into), to create some group policies to limit
game playing and miscellaneous other things on company PCs.
Understandable. I have two problems. To test my knowledge I created
a dummy user called john doe, put him in a security group called
testgroup and created a policy in GPMC called testpolicy. In the
policy I set solitaire and winmine disabled and turned off the run
command in start and a bunch of stupid little things just to see if it
would work. At first nothing happened. Today I was goofing around
again and somehow locked myself out of the run command on the server
box itself (lol). I deleted the extra policy I made and the dummy user
and the dummy group I made. But I'm still locked out. What did I
do!?! I click on run and it says this feature has been disabled due
to limitations on the computer or something along those lines. I
think when I first enabled the policy I left the default authenticated
users in the list of people the GPO affects. I assume now, even
though I deleted it, I have to wait the default 90 minutes for the
policies to refresh on the server and let me back into run? Help me
if you can, I feel like a fool.

The other part is I'm not getting anywhere for some reason. All the
users in the company are in a folder called Users. It's not an OU, it's
just a folder. For me to make group policies, do I need to create an
OU for each section like engineering, drafting, etc. and move the users
from the Users folder into the OU, or just make groups and apply them
at the group level to each group (being drafting, etc.)? I had tried
this one with no luck. One thing I thought is that maybe the profiles
have to be stored on the server and not locally on each client PC for
the GPO to affect the PC. I don't think that is correct though.

I'm really new and any help at all is greatly appreciated. Thanks :?:

lforbes (Guest)

Hi,

It sounds like you have a lot on your plate. It is a great idea to buy
a book on how Group Policy works as a resource.

1> Group Policy doesn’t apply to Groups. You can put users into any
Groups and put the Groups Anywhere in AD and it doesn’t make a
difference. Groups are used for setting "Security", nothing else.

2> Group Policies have to be on OUs and the Users MUST be inside the
OUs for the GP to take effect. I would start by first creating a
"DomainUsers" OU and moving all the User Accounts out of the Users
container and into that OU. (Not the default Groups, Users etc., just
the ones created.)
You can then create "sub" OUs if you wish to further organize by
department. This is "invisible" to the users so it won’t affect
them until you start applying policies.

3> Policies apply regardless of Profile. If users use one machine all
the time then a Local Policy is fine. If users are roaming from
computer to computer then a Roaming Profile is recommended. I
personally use Mandatory Roaming profiles so users can’t change them.

4> Depending on your server HD, it may be a good idea to use the
"Folder Redirection" Group Policy and redirect your Users' "My
Documents" from their Profile to the Server. This would provide
backup as most servers have some sort of RAID configuration. It also
provides one central location for Backup Tasks. Remember that local
drives fail all the time and the users could lose their stuff.

5> Don’t Mess with the Default Domain Policy OR the Default Domain
Controllers Policy. Leave those alone until you are more familiar with
Group Policy. Misplaced Settings in these two GPs can affect the
entire Domain.

If you are an intern, do they have a regular Network Administrator you
can ask?

By the way, NTFS file permissions are the only way to really secure the
client machines. Users should not be Administrators of their local
machines because it won’t matter what Group Policies you apply, they
can usually get around them.

Cheers,

Lara
 

chaostheory
Jun 6, 2005

Thank you for replying, that did answer a lot of simple questions I had
and didn't know how to ask. Here is the problem my boss wants a
solution to. People in the company have free rein because they are
admins of their own machines, but not anywhere else. So from what you
said, policies won't really matter because they can get around that. So
if I propose this, how effective would it be?

1. To remove each user from being an admin of their own machine will
solve the problem of employees installing limewire, aim, yahoo, and
other 3rd party programs. Will this also stop browser enhancements
and spyware from being allowed to be installed onto the browser
itself?

2. A simple domain-wide policy just to block the use of files like
solitaire and minesweeper and other non-problem-causing enhancements
should fix, for a good part anyway, company time being wasted on things
like that.

One question I do have, and thank you so much for posting once already,
Lara, as I'm trying to help this company and my boss (who is also my
uncle) get this place functioning better, is: I created an OU, named it
testou, made a user in that OU called john doe. That is all I made. I
created a policy called test policy, applied the can't run sol.exe and
winmine.exe and disabled the command prompt and regedit. And applied
it with the GPMC. I linked it to the testou, and set it to enforce.
I logged onto my PC with John Doe's account, who is not an admin, and
he had absolutely no restrictions as far as group policy was
concerned. What could I possibly have done wrong? Any ideas... it's as
if I didn't do anything at all.
Here was the structure in AD Users and Computers.

Domainname
--some
--stuff
--here
--Users <--- where all the users are stored (not an OU)
--Testou <-- I created for testing
-----john doe <---inside Testou, normal user default settings

I then opened GPMC. I right clicked testou and chose link a GPO to
this OU. I called it test; it then created test and linked it to
Testou. I then right clicked the test GPO and hit edit. I chose the
settings under user configuration for no solitaire and disabling the
regedit and cmd prompt under system template and enabled them. I then
removed authenticated users from the area that the GPO affects and just
added John Doe. I then clicked the Test OU and it showed domain policy
and test policy on. I enforced the Test policy and exited out.
Logged in as john doe and nothing... no restrictions at all.

I feel like my schooling didn't get me anywhere lol. They really just
don't seem to teach the skills that are important, at least not where I
went.

Joe :oops:
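
Added example, not part of the original thread: a PowerShell check of the scoping steps the last post describes (account inside the OU, GPO link, enforcement, security filtering). It assumes a management workstation with the RSAT GroupPolicy and ActiveDirectory modules, which are newer than the Server 2003 tools used in the thread; the GPO name, OU path, domain and account name are placeholders.

```powershell
# Added example. All names are placeholders, not values taken from the thread.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'test'                           # GPO display name
$OuDn    = 'OU=Testou,DC=example,DC=local'  # OU the GPO is linked to
$UserSam = 'jdoe'                           # non-admin test account

# 1. User Configuration settings only reach accounts located under the linked OU.
$user    = Get-ADUser -Identity $UserSam
$underOu = $user.DistinguishedName.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)

# 2. The link on the OU must exist and be enabled.
#    Enforced changes precedence, not who is in scope.
$link = (Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } | Select-Object -First 1

# 3. The user half of the GPO must not be switched off.
$status     = [string](Get-GPO -Name $GpoName).GpoStatus
$userHalfOn = $status -notin 'AllSettingsDisabled', 'UserSettingsDisabled'

# 4. Security filtering: the account, one of its groups, or Authenticated Users
#    (S-1-5-11) needs the Apply permission. Direct group memberships only.
$sids  = @($user.SID.Value, 'S-1-5-11')
$sids += Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $_.SID.Value }
$apply = @(Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' })
$userCanApply = @($apply | Where-Object { $sids -contains $_.Trustee.Sid.Value }).Count -gt 0

# One row summarising every scoping condition for this GPO and account.
[pscustomobject]@{
    UserUnderLinkedOu   = $underOu
    LinkEnabled         = [bool]($link -and $link.Enabled)
    LinkEnforced        = [bool]($link -and $link.Enforced)
    UserSettingsEnabled = $userHalfOn
    ApplyTrustees       = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
    UserHasApply        = $userCanApply
}
```

Policy is picked up at logon or at the next background refresh (the 90-minute default mentioned in the first post). On an XP or Server 2003 machine, `gpupdate /force` followed by `gpresult` shows which GPOs were actually applied to the logged-on user.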