Sign in with
Sign up | Sign in
Your question

User Profiles?

Last response: in Windows XP
Share
Anonymous
August 12, 2004 7:12:54 PM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

OK, I'm trying to get to grips with the way XP pro and XP home actually work
in respect to
User Profiles. Note this is without the PC being joined to a network and
hence their is no Domain assignment. I've read about the Group Policies in
XP pro and think that I understand that setting a group policy using
gpedit.msc User Configuration\Administrative templates\..... will
effectively set the policy for all User Profiles since there is only one
Local Policy? So if I logon as a user that is a member of the Administrators
group (or the Administrator) how do I set policies for Users that are
members of the User group? can this be done without a network domain?

I'm assuming that if I wanted to setup a system that had several users each
with different policy restrictions I could create accounts for each of the
users and allow them to be Administrators. Logon to each in turn and make
the desired policy settings manually then log back on to my administrators
account and change each of the account types to Limited (user) ??

Is this Correct? Is there any way I can effectively make settings in the
HKEY_CURRENT_USER hive for another user whilst logged on as administrator
without effecting other users or my own administrators account? Presumably
this would mean reading and writing to the uses NTuser.dat file

When you create a user account of the Limited type several registry keys are
protected against writing to! I've been trying to override this built in
functionality by setting permissions on a specific registry key so that the
use is included with full access. It appears to work untill you logon as the
user then the permissions are not available? Can this be done?
I thought that if I logged on as the user then ran regedit under the
Administrators credentials I'd be able to set policies manually for that
user but this doesn't seem to be the case!

Thanks for any info you can give with this
Chris

More about : user profiles

Anonymous
August 13, 2004 7:50:01 PM

Archived from groups: microsoft.public.windowsxp.configuration_manage (More info?)

| "C.S.Farmer" <http://www.microsoft.com/communities/privacy.mspx
| Message news:eXcp6ZHgEHA.3536@TK2MSFTNGP12.phx.gbl...
| OK, I'm trying to get to grips with the way XP pro and XP home
| actually work in respect to User Profiles. Note this is without
| the PC being joined to a network and hence their is no Domain
| assignment. I've read about the Group Policies in XP pro and
| think that I understand that setting a group policy using
| gpedit.msc User Configuration\Administrative templates\.....
| will effectively set the policy for all User Profiles since
| there is only one Local Policy? So if I logon as a user that is
| a member of the Administrators group (or the Administrator) how
| do I set policies for Users that are members of the User group?
| can this be done without a network domain? <SNIP>

For a Windows XP Professional computer in a non-Active Directory
environment (a workgroup and/or stand-alone computer), only one
local Group Policy object exists. As such, every policy set
using the Administrative Templates Node in the Group Policy
console (registry-based policy) will effect every user of the
computer, including the built-in Administrator.

For more information about Group Policies and a Windows XP
Professional stand-alone computer search the Windows XP
Professional Help and Support Center for "Client operating
systems" (with the quotes) and read the "Note" in the Full-text
Search Match by that title.

One way to manage desktops in a non-Active Directory environment
is to use poledit. For some information about poledit see the
following Microsoft Documentation:

Windows XP Professional Product Documentation
Part II Desktop Management | Ch 5 Managing Desktops
Managing Desktops Without Active Directory
http://www.microsoft.com/resources/documentation/Window...

Another way, if the volume is formatted using NTFS, is to set
Discretionary Access Control Lists (DACLs) on the Group Policy
object so that specified groups are either affected or not
affected by the settings contained within that Group Policy
object.

Say, for example, that you want to use Group Policies to "Remove
links and access to Windows Update" for members of all groups but
Administrators.

You would:

- Log in as local Administrator

- Run gpedit.msc

- As a precaution so that policies do not get refreshed/applied
in an untimely manner, navigate to the following policy and set
it to 0:

Administrative Templates\System\Group Policy:
Group Policy refresh interval for users

- Navigate to the following policy and set it to Enabled:

Administrative Templates\Start Menu and Taskbar:
Remove links and access to Windows Update

- Close gpedit.msc

- Use Explorer to navigate to:

%SYSTEMROOT%\system32\GroupPolicy\User\Registry.pol

- Right-click this file and then click Properties

- Select the Security tab

- In the Name box select Administrators

- In the Permissions area click the Deny checkbox for Read

For more information about how to "set, view, change, or remove
file and folder permissions" search the Windows XP Help and
Support Center for the phrase in double-quotes (with the quotes)
and read the Full-text Search Match by that title.

To make subsequent changes to the local Group Policy object, you
must give yourself Read access to the Group Policy object, make
the changes, and then remove Read access. Keep in mind if you
fail to remove Read access, log off, then log back on, all
policies are going to apply to you. And depending on the
policies that you have set, this may or may not put you in a very
difficult situation.

I recommended that you record ALL the changes you make on a piece
of paper (and/or in a computer file).

You can find links to peer-to-peer support newsgroups for Group
Policy and Active Directory technologies below.

Management Technologies Newsgroups
Newsgroup: microsoft.public.windows.group_policy
AKA: Windows: Group Policy
http://www.microsoft.com/windowsserver2003/community/ne...

And here are some links to some documentation about
Registry-Based Group Policy:

Microsoft Windows XP
Resources about Group Policy and related technologies
http://www.microsoft.com/resources/documentation/window...

From the aforementioned page I recommend starting with the
Implementing Registry-Based Group Policy whitepaper.

Group Policy Settings Reference for Windows Server 2003
(PolicySettings.xls)
http://microsoft.com/downloads/details.aspx?FamilyId=78...

PolicySettings.xls is a detailed spreadsheet that lists the full
set of Group Policy settings described in Administrative Template
(.adm) files. Fields included in the spreadsheet are: *.adm
File, Computer/User Node, Policy Path, Full Policy Name,
Supported on, Help/Explain Text, Registry Settings. For anyone
interested in Registry-Based Group Policy, I highly recommend
downloading PolicySettings.xls
!