User Profiles?

Archived from groups: microsoft.public.windowsxp.configuration_manage

OK, I'm trying to get to grips with the way XP pro and XP home actually work
in respect to User Profiles. Note this is without the PC being joined to a
network and hence there is no Domain assignment. I've read about the Group
Policies in XP pro and think that I understand that setting a group policy using
gpedit.msc User Configuration\Administrative templates\..... will
effectively set the policy for all User Profiles since there is only one
Local Policy? So if I logon as a user that is a member of the Administrators
group (or the Administrator) how do I set policies for Users that are
members of the User group? Can this be done without a network domain?

I'm assuming that if I wanted to set up a system that had several users each
with different policy restrictions I could create accounts for each of the
users and allow them to be Administrators. Logon to each in turn and make
the desired policy settings manually then log back on to my administrators
account and change each of the account types to Limited (user)?

Is this correct? Is there any way I can effectively make settings in the
HKEY_CURRENT_USER hive for another user whilst logged on as administrator
without affecting other users or my own administrators account? Presumably
this would mean reading and writing to the user's NTuser.dat file.

When you create a user account of the Limited type several registry keys are
protected against writing to! I've been trying to override this built in
functionality by setting permissions on a specific registry key so that the
user is included with full access. It appears to work until you logon as the
user then the permissions are not available? Can this be done?
I thought that if I logged on as the user then ran regedit under the
Administrators credentials I'd be able to set policies manually for that
user but this doesn't seem to be the case!

Thanks for any info you can give with this
Chris
  1. Archived from groups: microsoft.public.windowsxp.configuration_manage

    | "C.S.Farmer" <http://www.microsoft.com/communities/privacy.mspx
    | Message news:eXcp6ZHgEHA.3536@TK2MSFTNGP12.phx.gbl...
    | OK, I'm trying to get to grips with the way XP pro and XP home
    | actually work in respect to User Profiles. Note this is without
    | the PC being joined to a network and hence there is no Domain
    | assignment. I've read about the Group Policies in XP pro and
    | think that I understand that setting a group policy using
    | gpedit.msc User Configuration\Administrative templates\.....
    | will effectively set the policy for all User Profiles since
    | there is only one Local Policy? So if I logon as a user that is
    | a member of the Administrators group (or the Administrator) how
    | do I set policies for Users that are members of the User group?
    | Can this be done without a network domain? <SNIP>

    For a Windows XP Professional computer in a non-Active Directory
    environment (a workgroup and/or stand-alone computer), only one
    local Group Policy object exists. As such, every policy set
    using the Administrative Templates Node in the Group Policy
    console (registry-based policy) will affect every user of the
    computer, including the built-in Administrator.

    For more information about Group Policies and a Windows XP
    Professional stand-alone computer search the Windows XP
    Professional Help and Support Center for "Client operating
    systems" (with the quotes) and read the "Note" in the Full-text
    Search Match by that title.

    One way to manage desktops in a non-Active Directory environment
    is to use poledit. For some information about poledit see the
    following Microsoft Documentation:

    Windows XP Professional Product Documentation
    Part II Desktop Management | Ch 5 Managing Desktops
    Managing Desktops Without Active Directory
    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prda_dcm_godi.asp

    Another way, if the volume is formatted using NTFS, is to set
    Discretionary Access Control Lists (DACLs) on the Group Policy
    object so that specified groups are either affected or not
    affected by the settings contained within that Group Policy
    object.

    Say, for example, that you want to use Group Policies to "Remove
    links and access to Windows Update" for members of all groups but
    Administrators.

    You would:

    - Log in as local Administrator

    - Run gpedit.msc

    - As a precaution so that policies do not get refreshed/applied
    in an untimely manner, navigate to the following policy and set
    it to 0:

    Administrative Templates\System\Group Policy:
    Group Policy refresh interval for users

    - Navigate to the following policy and set it to Enabled:

    Administrative Templates\Start Menu and Taskbar:
    Remove links and access to Windows Update

    - Close gpedit.msc

    - Use Explorer to navigate to:

    %SYSTEMROOT%\system32\GroupPolicy\User\Registry.pol

    - Right-click this file and then click Properties

    - Select the Security tab

    - In the Name box select Administrators

    - In the Permissions area click the Deny checkbox for Read

    For more information about how to "set, view, change, or remove
    file and folder permissions" search the Windows XP Help and
    Support Center for the phrase in double-quotes (with the quotes)
    and read the Full-text Search Match by that title.

    To make subsequent changes to the local Group Policy object, you
    must give yourself Read access to the Group Policy object, make
    the changes, and then remove Read access. Keep in mind if you
    fail to remove Read access, log off, then log back on, all
    policies are going to apply to you. And depending on the
    policies that you have set, this may or may not put you in a very
    difficult situation.

    I recommend that you record ALL the changes you make on a piece
    of paper (and/or in a computer file).

    You can find links to peer-to-peer support newsgroups for Group
    Policy and Active Directory technologies below.

    Management Technologies Newsgroups
    Newsgroup: microsoft.public.windows.group_policy
    AKA: Windows: Group Policy
    http://www.microsoft.com/windowsserver2003/community/newsgroups/management/default.mspx

    And here are some links to some documentation about
    Registry-Based Group Policy:

    Microsoft Windows XP
    Resources about Group Policy and related technologies
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/gpe_resources.mspx

    From the aforementioned page I recommend starting with the
    Implementing Registry-Based Group Policy whitepaper.

    Group Policy Settings Reference for Windows Server 2003
    (PolicySettings.xls)
    http://microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en

    PolicySettings.xls is a detailed spreadsheet that lists the full
    set of Group Policy settings described in Administrative Template
    (.adm) files. Fields included in the spreadsheet are: *.adm
    File, Computer/User Node, Policy Path, Full Policy Name,
    Supported on, Help/Explain Text, Registry Settings. For anyone
    interested in Registry-Based Group Policy, I highly recommend
    downloading PolicySettings.xls
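
Added example, not part of the original reply: the reply recommends recording every change made to the local Group Policy object, and the Registry.pol file it names stores the Administrative Templates settings as a `PReg` header followed by `[key;value;type;size;data]` records in UTF-16LE, so a short parser can produce that record from the file itself. The sample bytes are constructed, and the key and value names in them (including the one used for the Windows Update policy) are assumptions rather than values taken from the post.

```python
import struct
REG_SZ, REG_DWORD = 1, 4  # registry value types decoded below

def u16(text):
    return text.encode("utf-16-le")

def read_wstr(buf, pos):  # NUL-terminated UTF-16LE -> (text, next offset)
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def expect(buf, pos, char):  # step over a required UTF-16LE delimiter
    if buf[pos:pos + 2] != u16(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def parse_registry_pol(buf):
    """Return [(key, value, type, data)] from Registry.pol bytes."""
    if buf[:4] != b"PReg" or buf[4:8] != struct.pack("<I", 1):
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = read_wstr(buf, expect(buf, pos, "["))
        value, pos = read_wstr(buf, expect(buf, pos, ";"))
        pos = expect(buf, pos, ";")
        rtype, = struct.unpack_from("<I", buf, pos)
        pos = expect(buf, pos + 4, ";")
        size, = struct.unpack_from("<I", buf, pos)
        pos = expect(buf, pos + 4, ";")
        data = buf[pos:pos + size]
        pos = expect(buf, pos + size, "]")  # also fails on truncated data
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\x00")
        entries.append((key, value, rtype, data))
    return entries

def build_entry(key, value, rtype, data):  # one [key;value;type;size;data] record
    return (u16("[" + key + "\x00;" + value + "\x00;") + struct.pack("<I", rtype)
            + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))

# Constructed sample, not read from a real machine; key/value names are assumptions.
SAMPLE = b"PReg" + struct.pack("<I", 1) + build_entry(
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    "NoWindowsUpdate", REG_DWORD, struct.pack("<I", 1)) + build_entry(
    r"Software\Policies\ExampleVendor", "Note", REG_SZ, u16("constructed\x00"))
```

To audit a real machine, pass `parse_registry_pol` the bytes of `%SYSTEMROOT%\system32\GroupPolicy\User\Registry.pol`, read from an account that still has Read access to the file.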