I have the following problem:

in my organization we have a windows 2000 server domain and all clients
are windows 2000 professional.
All people log-on to domain using active directory.
Is possible configure the worstation according to user logging?
For example, is possible hide some drives only for some domain-user
(every user can use every workstation)?
Is possible hide the printer?
And hide some program installed upon the workstation only for some
users?
And the file and the directory (only for some users)?

Is possible configure all this from server (defining group policy? how
is possible?) or is necessary configure every client?

Thanks for answer
Fabio

Howdie Fabio!

Fabio wrote:
> For example, is possible hide some drives only for some domain-user
> (every user can use every workstation)?

See: http://support.microsoft.com/kb/231289

> Is possible hide the printer?

Well, you can "uninstall" all printers by default and "map" printers the
user shall be using with a logon script.

> And hide some program installed upon the workstation only for some
> users?

You cannot hide them. But you can use "Software Restriction Policies" to
restrict access to those programs.

> And the file and the directory (only for some users)?

Hmm, there is support for limiting access to NTFS files - but "hiding"
cannot be done. NTFS permissions are at: CompConf\Windows
Settings\Security Settings\Filesystem

cheers,

Florian
--
Nachwuschsadmin aus dem Süddeutschen/Germany.
eMail: Vorname [bei] frickelsoft [Punkt] net.
blog: http://www.frickelsoft.net/blog.

Hi Florian,

I' m not expert about this!!! Sorry
And so I don't know where I must these operations!!!!

1) Have you a logon script for printer?
2) "Software Restriction Policies"? Where I can find it?
3) CompConf\Windows Settings\Security Settings\Filesystem? Using
regedit I don't find it.
Can you help me?
Thanks
Bye


Florian Frommherz ha scritto:

> Howdie Fabio!
>
> Fabio wrote:
> > For example, is possible hide some drives only for some domain-user
> > (every user can use every workstation)?
>
> See: http://support.microsoft.com/kb/231289
>
> > Is possible hide the printer?
>
> Well, you can "uninstall" all printers by default and "map" printers the
> user shall be using with a logon script.
>
> > And hide some program installed upon the workstation only for some
> > users?
>
> You cannot hide them. But you can use "Software Restriction Policies" to
> restrict access to those programs.
>
> > And the file and the directory (only for some users)?
>
> Hmm, there is support for limiting access to NTFS files - but "hiding"
> cannot be done. NTFS permissions are at: CompConf\Windows
> Settings\Security Settings\Filesystem
>
> cheers,
>
> Florian
> --
> Nachwuschsadmin aus dem Süddeutschen/Germany.
> eMail: Vorname [bei] frickelsoft [Punkt] net.
> blog: http://www.frickelsoft.net/blog.

Howdie Fabio!

Fabio wrote:
> I' m not expert about this!!! Sorry
> And so I don't know where I must these operations!!!!

Sorry - as you asked about "Group Policy" in your first posting, I
thought you'd know where to start from.

The first question is: Are you in an Active Directory Domain? If so, you
can use Group Policy do to that for you. If not, you'll have to manage
the computers one by one.

Group Policies apply by OU (organizational unit)- which means that you
move Active Directory user and/or computer accounts (only those! No
security groups!) into an OU and apply a Group Policy to it. All objects
(=users/computers) within this OU will apply the settings and
restrictions you made. You can apply a policy to an OU by right-clicking
the OU, selecting "Properties", selecting the tab "Group Policy" and
creating and editing it. In the opening windows "Group Policy Editor"
you can see the path that I wrote about the NTFS/Filesystem issue:
CompConf\Windows Settings\Security Settings\Filesystem?
That's how it goes for starts.

Have a look at http://www.microsoft.com/gp - it's way too wide to
explain all the details to you. Since this is a quite risky thing
(messing up the clients' configurations) you should read a little about
it yourself or look for someone who is experienced in this. No matter
what you decide to do next: go setup a test environment to not destroy
or mess up your clients!

> 1) Have you a logon script for printer?

No - but you can find it pretty easy somewhere by using google. A logon
script is actually a .vbs or .bat script that the client will process on
user logon.

> 2) "Software Restriction Policies"? Where I can find it?

It's in CompConf\Windows Settings\Security Settings\Software Restriction
Policies. You'll find a bunch of good articles on how to restrict
applications with this feature when using google.

> 3) CompConf\Windows Settings\Security Settings\Filesystem? Using
> regedit I don't find it.

You need to use the Group Policy Editor for this. Active Directory Users
and Computers -> right-click the OU you want to create the policy at ->
Properties -> "Group Policy" tab -> Create a new policy -> click edit.

cheers,

Florian
--
Nachwuschsadmin aus dem Süddeutschen/Germany.
eMail: Vorname [bei] frickelsoft [Punkt] net.
blog: http://www.frickelsoft.net/blog.

But when I try to add File in CompConf\Windows Settings\Security
Settings\Filesystem
I see local file (windows 2000 server). I want lock files and
directories of the client workstation.
Can I specify these elements?

Another problem:
CompConf\Windows Settings\Security Settings\Software Restriction
Policies don't exist over my GPO.
I have:
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
FileSystem
Public Key Policies
IP Security Policies

and the programs I want lock are programs I've just installed (Visual
Basic applications). How is possible.
Thanks for you disponibility!!!





Florian Frommherz ha scritto:

> Howdie Fabio!
>
> Fabio wrote:
> > I' m not expert about this!!! Sorry
> > And so I don't know where I must these operations!!!!
>
> Sorry - as you asked about "Group Policy" in your first posting, I
> thought you'd know where to start from.
>
> The first question is: Are you in an Active Directory Domain? If so, you
> can use Group Policy do to that for you. If not, you'll have to manage
> the computers one by one.
>
> Group Policies apply by OU (organizational unit)- which means that you
> move Active Directory user and/or computer accounts (only those! No
> security groups!) into an OU and apply a Group Policy to it. All objects
> (=users/computers) within this OU will apply the settings and
> restrictions you made. You can apply a policy to an OU by right-clicking
> the OU, selecting "Properties", selecting the tab "Group Policy" and
> creating and editing it. In the opening windows "Group Policy Editor"
> you can see the path that I wrote about the NTFS/Filesystem issue:
> CompConf\Windows Settings\Security Settings\Filesystem?
> That's how it goes for starts.
>
> Have a look at http://www.microsoft.com/gp - it's way too wide to
> explain all the details to you. Since this is a quite risky thing
> (messing up the clients' configurations) you should read a little about
> it yourself or look for someone who is experienced in this. No matter
> what you decide to do next: go setup a test environment to not destroy
> or mess up your clients!
>
> > 1) Have you a logon script for printer?
>
> No - but you can find it pretty easy somewhere by using google. A logon
> script is actually a .vbs or .bat script that the client will process on
> user logon.
>
> > 2) "Software Restriction Policies"? Where I can find it?
>
> It's in CompConf\Windows Settings\Security Settings\Software Restriction
> Policies. You'll find a bunch of good articles on how to restrict
> applications with this feature when using google.
>
> > 3) CompConf\Windows Settings\Security Settings\Filesystem? Using
> > regedit I don't find it.
>
> You need to use the Group Policy Editor for this. Active Directory Users
> and Computers -> right-click the OU you want to create the policy at ->
> Properties -> "Group Policy" tab -> Create a new policy -> click edit.
>
> cheers,
>
> Florian
> --
> Nachwuschsadmin aus dem Süddeutschen/Germany.
> eMail: Vorname [bei] frickelsoft [Punkt] net.
> blog: http://www.frickelsoft.net/blog.

Howdie Fabio!

Fabio wrote:
> But when I try to add File in CompConf\Windows Settings\Security
> Settings\Filesystem
> I see local file (windows 2000 server). I want lock files and
> directories of the client workstation.

In order to have the files on the clients restricted by permissions, you
browse to the location (on the server), where the folder is located.
It'll work on the clients afterwards. If the folders only exist on the
local machines and not on the server, you will have to install
adminpak.msi (which includes the management tools for Active Directory -
can be downloaded from Microsoft) on a client computer and edit and
manage the policy from there.

> Another problem:
> CompConf\Windows Settings\Security Settings\Software Restriction
> Policies don't exist over my GPO.

Oh sorry, I forgot that we're talking about Windows 2000 - Software
Restriction Policies got introduced with Windows XP and Windows Server
2003. Hum - seems like you will have to prevent "Read" access to the
programs your users shall not execute as well. I have no other solution
for this at the moment...

cheers,

Florian
--
Nachwuschsadmin aus dem Süddeutschen/Germany.
eMail: Vorname [bei] frickelsoft [Punkt] net.
blog: http://www.frickelsoft.net/blog.

Tanks for all Florian
Bye