GPO's

A

Al Taylor

Hi folks,

I am somewhat new to win2k server and I am having a bit of a hard time understanding group policy and how it is applied. Correct me if I am wrong. I know that GP is applied to active directory 'containers' and not to 'groups' per say. I am setting up a small (1 win2k server, 4 win2k pro clients and 4 XP pro clients) network at a little community school here in Cleveland, Ohio. I have installed the server as a domain controller with active directory. I would like to have the students NOT to be able to install software or change their desktop settings. Is group policy the correct tool for this or should I be using profiles for this? The students all belong a group called students, and AD contains an OU which I have populated with each computer and each user.

Please point me in the right direction

Thanx in advance

Al Taylor
 
S

Steven L Umbach

Group Policy can help, but first you need to make sure students are only members of the users group and do not have excessive ntfs permissions. You want to check the root folder on those computers to make sure that the everyone and users group have no more than read/list/execute permissions including in advanced permissions. Regular uses will still be able to install some software on the Windows 2000 computers, though Group Policy may help somewhat if you look at options in user configuration/administrative templates/system including disabling registry editing tools. You can use Software Restriction Policies on the XP Pro computers to lock then down tight to prevent running unauthorized software. To lock down the desktop, you really need to look into mandatory profiles or make sure that users only have read/list/execute permissions on the desktop folder in their profiles and take ownership of that folder as administrator so they can not change permissions back. --- Steve

http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
http://www.labmice.net/activedirectory/grpolicy.htm
http://support.microsoft.com/?kbid=323525

Hi folks,

I am somewhat new to win2k server and I am having a bit of a hard time understanding group policy and how it is applied. Correct me if I am wrong. I know that GP is applied to active directory 'containers' and not to 'groups' per say. I am setting up a small (1 win2k server, 4 win2k pro clients and 4 XP pro clients) network at a little community school here in Cleveland, Ohio. I have installed the server as a domain controller with active directory. I would like to have the students NOT to be able to install software or change their desktop settings. Is group policy the correct tool for this or should I be using profiles for this? The students all belong a group called students, and AD contains an OU which I have populated with each computer and each user.

Please point me in the right direction

Thanx in advance

Al Taylor
 
A

Al Taylor

Thank you Steven, That is just what I needed.

Al
Group Policy can help, but first you need to make sure students are only members of the users group and do not have excessive ntfs permissions. You want to check the root folder on those computers to make sure that the everyone and users group have no more than read/list/execute permissions including in advanced permissions. Regular uses will still be able to install some software on the Windows 2000 computers, though Group Policy may help somewhat if you look at options in user configuration/administrative templates/system including disabling registry editing tools. You can use Software Restriction Policies on the XP Pro computers to lock then down tight to prevent running unauthorized software. To lock down the desktop, you really need to look into mandatory profiles or make sure that users only have read/list/execute permissions on the desktop folder in their profiles and take ownership of that folder as administrator so they can not change permissions back. --- Steve

http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
http://www.labmice.net/activedirectory/grpolicy.htm
http://support.microsoft.com/?kbid=323525

Hi folks,

I am somewhat new to win2k server and I am having a bit of a hard time understanding group policy and how it is applied. Correct me if I am wrong. I know that GP is applied to active directory 'containers' and not to 'groups' per say. I am setting up a small (1 win2k server, 4 win2k pro clients and 4 XP pro clients) network at a little community school here in Cleveland, Ohio. I have installed the server as a domain controller with active directory. I would like to have the students NOT to be able to install software or change their desktop settings. Is group policy the correct tool for this or should I be using profiles for this? The students all belong a group called students, and AD contains an OU which I have populated with each computer and each user.

Please point me in the right direction

Thanx in advance

Al Taylor
 
S

Steven L Umbach

Great Al. I need to add that it is not hard for a user to take administrator control of a computer if they can boot from a floppy or cdrom, since there are free utilities that can do such. You want to make sure that the cmos on each computer is set to boot ONLY from hard drive, that the cmos settings are password protected, and that the computer cases are locked so that they can not reset the cmos. I would also disable usb in the cmos [pen flash drives] if it is not needed, and also disable the messenger service so they can not chat on the local network. --- Steve
Thank you Steven, That is just what I needed.

Al
Group Policy can help, but first you need to make sure students are only members of the users group and do not have excessive ntfs permissions. You want to check the root folder on those computers to make sure that the everyone and users group have no more than read/list/execute permissions including in advanced permissions. Regular uses will still be able to install some software on the Windows 2000 computers, though Group Policy may help somewhat if you look at options in user configuration/administrative templates/system including disabling registry editing tools. You can use Software Restriction Policies on the XP Pro computers to lock then down tight to prevent running unauthorized software. To lock down the desktop, you really need to look into mandatory profiles or make sure that users only have read/list/execute permissions on the desktop folder in their profiles and take ownership of that folder as administrator so they can not change permissions back. --- Steve

http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
http://www.labmice.net/activedirectory/grpolicy.htm
http://support.microsoft.com/?kbid=323525

Hi folks,

I am somewhat new to win2k server and I am having a bit of a hard time understanding group policy and how it is applied. Correct me if I am wrong. I know that GP is applied to active directory 'containers' and not to 'groups' per say. I am setting up a small (1 win2k server, 4 win2k pro clients and 4 XP pro clients) network at a little community school here in Cleveland, Ohio. I have installed the server as a domain controller with active directory. I would like to have the students NOT to be able to install software or change their desktop settings. Is group policy the correct tool for this or should I be using profiles for this? The students all belong a group called students, and AD contains an OU which I have populated with each computer and each user.

Please point me in the right direction

Thanx in advance

Al Taylor
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO does not take effect 7
File and folder permissions 2
XP & Win2K guests browsing my domain folders 1
GPO force Redirect of folders on 2003 Term Server 3
"There are 0 filters" using IPSec via GPO 4
Group Policy Not Applied 1
DNS help please 8
ip sec in a domain. 1

Top