J
Jack Knight
Hi,
I have the following scenario:
XP Pro (SP2) laptops
NT4 Domain.
Roaming Profiles.
I need to lock down individual users on the machine, whilst allowing
administrators to do pretty much anything.
I created a group policy with gpedit for the local machine locking down
all the required items, then prevented read access to that policy to the
administrators group with an explicit DENY acl. Works fine at the local
level, new users get all required lockdowns, admins get everything they
need.
However when the machine joins a domain and a user who has never before
logged on to that machine does so, their roaming profiles appear to
completely overwrite the local machine policy, and also cause other
weird effects like items on the start menu from "All Users"
disappearing, which I cannot find a way to put back.
Is there a way to allow only certain parts of the roaming profile (e.g.
mail server settings, IE proxy info etc.) to be loaded into the local
profile, but prevent my carefully crafted start menu and settings being
blatted?
This happens for both normal users and admins.
There is also the spectre of some users having mandatory profiles.
Any help greatly appreciated.
JK
I have the following scenario:
XP Pro (SP2) laptops
NT4 Domain.
Roaming Profiles.
I need to lock down individual users on the machine, whilst allowing
administrators to do pretty much anything.
I created a group policy with gpedit for the local machine locking down
all the required items, then prevented read access to that policy to the
administrators group with an explicit DENY acl. Works fine at the local
level, new users get all required lockdowns, admins get everything they
need.
However when the machine joins a domain and a user who has never before
logged on to that machine does so, their roaming profiles appear to
completely overwrite the local machine policy, and also cause other
weird effects like items on the start menu from "All Users"
disappearing, which I cannot find a way to put back.
Is there a way to allow only certain parts of the roaming profile (e.g.
mail server settings, IE proxy info etc.) to be loaded into the local
profile, but prevent my carefully crafted start menu and settings being
blatted?
This happens for both normal users and admins.
There is also the spectre of some users having mandatory profiles.
Any help greatly appreciated.
JK