Group policy problem (XP alone and XP with NT server)

Tad Menert

Let me explain my predicament:

I am currently running NT 4 server with 14 NT machines in a small lab at the
detention center. Because of the nature of the setting we have a lot of
restrictions placed on the NT computers via POLEDIT so that they cannot do
too much damage to our system (no drives visible, no internet access, no
RUN, SEARCH command, etc.).

Now we got some XP computers and I'm trying to connect them to the NT server
using the same restrictions, but am at a loss as far as XP Group Policy works.
I am experimenting with one of my computers without connecting it to the
network using mmc /a and the Group Policy snap-in. But here is my question:

Can I just hook up XP computers to the network and have them read the
existing policy on the NT4 server, and is there a command for the XP to
communicate with the server and apply existing NT policies? I have a file
there on the server called Test.pol that my NT boxes access by running
poledit on them and making them read it from \\inmate_fs\test.pol.

Is there a way to do the same in XP?

My second question is similar, but a bit different. In the library I would
like to set up an inmate stand-alone XP computer so that there will be
similar restrictions in place. Right now I have an NT computer here and again
use poledit to restrict various settings. I tried mmc /a but whenever I
create a console with various restrictions it affects the group Inmates but
it also affects the administrators. I've read somewhere that there is a
crude workaround where one can set up the system so that there will be those
that are affected by group policy and those that would not be. Any help
here???


Thanks again

Tad Menert
Nepatsfan

I can't help you with your first question. If you haven't done so
already you might want to post it to one of the server
newsgroups. Microsoft.public.windows.group_policy might be an
even better option.

As for your second question, you've got two options:

Here's Microsoft's procedure:

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Here's a method that uses NTFS permissions:

http://www.theeldergeek.com/gp07.htm

The second one is very simple to implement. You set up your group
policy and then set the permissions on the
C:\Windows\System32\GroupPolicy folder to deny read permissions
for the Administrators group.

Good luck

Nepatsfan
Tad Menert

Thanks for your help. I'm getting somewhere, but sometimes it's a vicious
circle, as when I try to remove my computer and deny the administrator read
permissions I might force myself into a blind corner :)

It was a great help, though.

Tad

Nepatsfan

I see you've discovered the fact that some of the policies go
into effect immediately. It's a PITA but there is a way around
most of them. That said, be careful. It's not that difficult to
put policies in place that prevent you from going back and
disabling them.

If I understand correctly you're trying to enable the following
policies in the User Configuration\Windows Components\Windows
Explorer section:

Hide these specified Drives in My Computer
Prevent Access to Drives from My Computer

As you've found out, as soon as you enable these two policies,
you won't have access to the C:\Windows\System32\GroupPolicy
folder. Here's a workaround that you might want to try:

While logged on to the computer with your account (or one that is
a member of the Administrators group) create two new shortcuts on
your desktop. One should point to C:\Windows\System32\gpedit.msc
and the other should point to C:\Windows\System32.
What you've got is a shortcut that will launch the Local Group
Policy editor and one that will open the folder one level above
the GroupPolicy folder whose access permissions you need to
change.

Double click the System32 shortcut.
Right click on the GroupPolicy folder and select Properties.
You can close the System32 folder but leave the Properties page
displayed.
Double click your Local Group Policy editor shortcut.
Make your changes and close the editor.
Go back to the GroupPolicy folder's Properties page.
Click on the Security tab.
Click on the Add button.
In "Select Users and Groups" click Advanced.
Click Find Now.
Click on Administrators to highlight that group.
Click OK twice.
Back on the GroupPolicy folder's Properties page remove all the
check marks in the Allow column for the Administrators group. Put
a check mark in the box next to Deny Read.
Click OK.
Log off with your account and log back on to make sure the
policies haven't been applied.
Log on with a limited account to see if the policies have been
applied.

Keep in mind that in order to regain access to the group policy
editor you will have to go back and remove the Deny Read
permission for the Administrator account. All you've got to do is
double click your System32 shortcut and remove the Administrators
group from the GroupPolicy folder's Security page. You should now
be able to launch the Group Policy editor to adjust your policy
settings. Remember to reset your Deny Read permission if you've
left any policies in place.

Post back if you have any questions on this procedure.

Nepatsfan
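The NTFS workaround described in both of Nepatsfan's replies (deny Read on C:\Windows\System32\GroupPolicy for the Administrators group, and remove the Deny again when you need the editor back) can be scripted instead of done through the Properties page. This is an added example, not code from the thread; it assumes PowerShell is installed on the XP box, that you run it from an account in the Administrators group, and that the Administrators group owns the GroupPolicy folder (the owner keeps implicit read/write-DACL rights even under a Deny Read ACE, which is what lets the Remove step work).

```powershell
# Added example (not from the thread). Apply or remove the Deny-Read ACE for
# BUILTIN\Administrators on the local GroupPolicy folder.
# Usage:  .\gp-lock.ps1 -Action Apply     or     .\gp-lock.ps1 -Action Remove
param([ValidateSet('Apply', 'Remove')][string]$Action = 'Apply')

# Assumption: %SystemRoot% is C:\Windows, as in the post.
$gpFolder = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# Resolve the group by well-known SID so the script works on localized systems.
$adminSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminGroup = $adminSid.Translate([System.Security.Principal.NTAccount])

# Reading the DACL needs READ_CONTROL; under the Deny this only succeeds
# because the Administrators group owns the folder (assumption stated above).
$acl = Get-Acl -Path $gpFolder

# Strip any explicit Deny ACEs for Administrators first, so Apply is
# idempotent and Remove leaves the folder in its original state.
$explicitDenies = @($acl.Access | Where-Object {
    $_.IdentityReference -eq $adminGroup -and
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited
})
foreach ($ace in $explicitDenies) { [void]$acl.RemoveAccessRule($ace) }

if ($Action -eq 'Apply') {
    # Deny "Read" (ReadData, ReadAttributes, ReadExtendedAttributes,
    # ReadPermissions), inherited by the files and subfolders under it, which
    # is what stops the local policy from being applied to administrators.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $adminGroup,
        [System.Security.AccessControl.FileSystemRights]::Read,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($deny)
}

Set-Acl -Path $gpFolder -AclObject $acl

# Show what is now set for Administrators so you can confirm before logging off.
Write-Host "$Action complete. Explicit ACEs for $adminGroup on $gpFolder :"
(Get-Acl -Path $gpFolder).Access |
    Where-Object { $_.IdentityReference -eq $adminGroup -and -not $_.IsInherited } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

As the reply notes, run Remove before editing policy and Apply again afterwards; log off and back on with an administrator account and then with a limited account to confirm which of the two is affected.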