Group Policy question

[Guest]

Is it possible to use group policy for individual accounts on a single
computer or is all group policy settings machine pacific and will affect all
accounts even admin accounts? If I can create different rules for limited
accounts with group policy how do I select the group to apply the settings? I
want to further limit my limited account to not do many things with the
account that it is able to do as it stands right now. Namely, remove stuff
off the start panel, lock the taskbar, limit what can be done with IE and
stop downloads. Thanks,

Seree

 

[Steven L Umbach]

For non domain computers you best bet is to use the free Shared Computer
Toolkit from Microsoft that allows you to create restricted accounts that
have many GP settings applied to them without affecting other user accounts.

Steve

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

 

[Guest]

You can also do this with the registry (which is what policies do, anyway)

A useful resource: http://www.theeldergeek.com

The best way to do this is with .reg files, which are text representations
of the registry changes you want to make.

Changes to HKEY_CURRENT_USER only affect the logged-on user. However, if
you want to change settings in an account other then the one that's
logged-on, then you need to figure-out which HKEY_USERS subkey belongs to
that user.

A limitation is that this approach won't work for account-security settings.

Do exercise some caution as it's possible to break the machine by incautious
registry-editing. (Mind you, same applies to policies)

 

[Pop`]

You can also do this with the registry (which is what policies do,
anyway)

IMO You have that backwards: The best way is with policies, NOT by editing
the Registry. For obvious reasons editing the REgistry should be a last
resort of the only way to accomplish something.

A useful resource: http://www.theeldergeek.com

The best way to do this is with .reg files, which are text
representations of the registry changes you want to make.

Registry "files" ARE text, not representations of text.

Changes to HKEY_CURRENT_USER only affect the logged-on user.
However, if you want to change settings in an account other then the
one that's logged-on, then you need to figure-out which HKEY_USERS
subkey belongs to that user.

A limitation is that this approach won't work for account-security
settings.

Do exercise some caution as it's possible to break the machine by
incautious registry-editing. (Mind you, same applies to policies)

Policies are much less prone to catastrophic changes, and in general keep
any changes that ARE done at least confined to a specific area. Not so in
the Registry where you can find identical entries in sevearl differnt
places, only one of which may be the one you need to edit. Jeez!

 

[Guest]

Thans to all who responded to my question about group policy and how to
restrict single or multiple accounts on one computer but leave others out of
these configurations. I do know (thankfully) to not mess with the registry
unless I know for sure what I am doing and first back it up. I rarely touch
the registry directly unless given direct and cohesive instructions from a
reputalbe sourse like Microsoft Knowlege Base articles. I was looking at the
help pages in Group Policy and read something about System Policy and how
System Policy should be used to affect single or multiple accounts on a stand
alone computer or one part of a work group without a server. I am unsure
where this System Policy is located.

I do not, ever, make any changes unless I have first done extensive research
on the issue. This is what I am doing now with Group Policy. I want to be
able to use it to some degree to lock down the limited account I created I
call "Visitors" which I am using in place of the Guest Account as instructed
by Steve in other postings. I want to make sure my Visitors do not download
from the net, install addons, install active x, or use several sections of
the system including the run dialog box, stop access to network connections,
and other security issues. Most of my Visitors are older teens, and young
adults, my children, who come and want to use my computers yet are unskilled
and unkowlegable in how they can cause damage and in the past have created
difficulties for me, which I wound up correcting, but only after great strain
and angst. lol

So, I will follow the link Steve gave and look into that, and hope one of
you can tell me a bit about System Policy and where to locate this utility.
Thanks again for all your responses and hope to hear from you all again.

Seree

 

[Steven L Umbach]

System policies is an old way that was used in the pre Windows 2000 days. It
still can be used but the Shared Computer Toolkit is a much better solution
that also uses Software Restriction Policies though in a less configurable
state. To use System policies you will need to find a copy of poledit.exe
somewhere as on an older operating system or on some web site that may have
it.

Steve

http://www.zisman.ca/poledit/ -- info on poledit

 

[Guest]

Thank you Steve, I am checking out the link you provided for Shared computer
toolkit. I was wondering why my Group Policy Help section would have directed
me to a Utility which is difficult at best to locate and use. Seems far too
confusing for those of us like myself who is just trying to learn and
advanced in these areas. Oh, well, I am gratefull for this group for having
answers.

Steve, I asked a question, which is just under this one about an account
which mysteriously lost its status and dissapeared off the welcome screen. It
went from an Admin Account to a Debugger Account. It is my fiance's account,
which he has been using since it was created right after the purchase four
months ago. Thank goodness I had just learned about the comand prompt way of
accessing "control userpasswords2" just the day this occurred. Please check
out that post and tell me what you think. Thanks for responding to my posts,

Seree

 

[Guest]

Hi Steve, I investigated the shared computer toolkit and what a great tool
this is. Wow! Plus, its free, can't get any better than that. However, it is
not compatable with Windows Media Edition 2005, which is what I have in both
my home computers. I wonder why though as Media Edition is really Windows XP
Pro with media enhancements but not a major OS alteration. Anyway, this would
be great for my Vistitors Account, I would just have to be extreamly carefull
in configuring it in a home computer enviroment. I really am looking to
change just a few things as my kids are actually young adults now. I think
the disk protection would be a real hinderance for a home computing
enviroment when my Visitors Account would only be used a few times a year.
However, when my grandchildren are older I think I will purchase a computer
for their use and install this toolkit on their shared computer. Thanks for
sharing this toolkit with me, pun intended! ;-)

Have a great day, Seree

P.S. Could you please look at the post under this strand? I had a very odd
occurance and am needing some input regarding it, thanks.

 

[Pop`]

Woof, another name for my "ignore" list:

TO THE OP:

System policies is an old way that was used in the pre Windows 2000
days. It still can be used but the Shared Computer Toolkit is a much
better solution that also uses Software Restriction Policies though
in a less configurable state.

BOGOSITY AT ITS BEST THERE!

Be VERY careful and read everything completely BEFORE going the toolkit
route. But keep in mind, imo it's far from what you need right now.
Take particular note of the requirements of installation and
uninstalling it. I think you'll find them quite enlightening. I'd
seriously advise against trying to use it, considering your case at this
point.

To use System policies you will need to

find a copy of poledit.exe somewhere as on an older operating system
or on some web site that may have it.

NO!

Administrative tools is located here:
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools

In Administrative Tools, you'll find your policy editors and everything else
you may need.

Or
start; programs; administrative tools; should also take you there unless
it's display has been turned off. This is the route I usually use to get
there; it's quick and easy. Policies are extremely useful and powerful
tools for those who will take the time to properly learn them and implement
them.

If you have a navigation problem, post back and describe it; I'll try to
help out if I can.

It's true poledit is old, but it's also true that it's not likely goign to
do you any good. Better to use the intended tools.

You sound like you're handling things correctly and using lots of common
sense; keep it up and you'll learn a lot.

Best luck,
Pop`

Steve

http://www.zisman.ca/poledit/ -- info on poledit

The Share ... toolkit is NOT for the faint of heart. It also has several
requirements in order to use it, and if the user should decided to uninstall
it, and forgets that there is a detailed procedure in order to do so
(add/remove won't do it in other words), he's in for a bunch of hassle.

Pop`

 

[Guest]

Pop, you're right about the shared computer toolkit. I went to the site and
read everything I could very carefully, and also watched both the "come on
and download and install me" video, and the "installation and configuration"
video. While it looks good for what it says it is for, it is not something
any home user should be installing on systems, unless it is for a computer
"only" for use by kids and those you do not want in your own system. Even
then, those who use this had best know what they are doing.

I am pretty carefull about reading as much as possible before configuring
anything, but still am unclear on the matter of usability of group policy on
one or two accounts on a system but leave the admin accounts unrestricted. I
have been inside of Group Policy for a few days now and have seen the 1400
some odd possible settings, and will not touch this untill I am clear, very
clear on the proper implementation and use of each one. I am not part of a
domain, so am limited as to what I can do here. Especially as I have so far
to go in the learning curve. lol

I will look into the areas you said for system policy, but do you know where
I could find documentation on the use of group policy? I have only been able
to locate some help files, that are cryptic at best, and one or two Knowlege
Base articles which are so limited in scope it is maddening. I have read
Windows XP Inside Out a number of times, and still uise it regularily. I need
to get the Windows XP Security Inside Out by the same group who wrote XP
Inside Out. It is a great book. I do have the Windows XP Resourse kit book
marked, but heck it goes on about domains in most configuration examples and
illustations, which does not help me at all right now. I am miffed that
Microsoft failed to take into consideration the millions of workgroup
networks, not using a Server OS or a Domain. While the idea of centralized
administration is great, not all of us is able to do so at this time. So, we
must attempt to utilize the full potential of Windows XP Pro, yet do not have
adequet documentation. For example, Windows XP Inside Out, while a great book
and pretty long in and off itself, lacks in detail. It takes you half way to
something and then stops. Frustrating to say the least. Some of us are
capable of self learning, but if the material is cut off half way through an
example well where do you go from there? I just do not care for guess work,
not when we are talking about a three thousand dollar machine and software.

Anyway, I will defently be checking those locations and looking for ever
more resourses in setting up my network and systems to work the best for me.
Thanks so much for your encouragment, it means a lot to me. I am self taught
and only recently found this group.

Would you consider doing me one more favor? Below this thread I posted a
different question. I had an admin account go missing off the welcome screen
and somehow it got changed to a "debugger" account. I used "control
userpasswords2" to straighten it out, but am flummoxed on how it happened in
the first place. I am just wondering if anybody has any ideas how this could
have occurred. I did not touch any settings while looking at control
userpasswords2, I had just learned about it in Windows XP Inside Out, and so
was checking it out. I do this often, go and view something without touching
any controls or settings, just view it and take note of all the tabs, what is
on them, what it may be used for, a sort of recon of utilities and resourses
if you will. lol

Thanks to all for responding to my posts and for all your assistance. I do
think the Shared Computer Toolkit is a great idea and has strong potential,
just not iin my case, at least yet. I AM concerned about the so called hard
disk protection feature though AND the installation and removal process as
outlined in the support pages. As mentioned earlier, any who use this had
best know what they are doing before ever downloading and installing it.

Seree

 

[Guest]

Pop, I went into Administrative Tools, (just to make sure as I've been there
many times before) and was able to locate "Users and Groups", "Local Security
Policy" and by using the command line can access, "Group Policy", but am
unable to locate the "System Policy" referred to in the Group Policy Help
section and as described in your post. Perhaps it is somewhere else? You said
you don't think it will do me any good for what I am trying to do, could you
ellaborate on that a bit? I am a tad confused now as it states in Group
Policy Help (In the front or top section of the Help in describing what Group
Policy is and what it can be used for) that it is best to use System Policy
to configure security policies on stand alone workstations. If it won't do me
any good well and fine, I just am an avid reader and an avid seeker of
information. I just hate not being fully informed on much of anything. ;-)

I just feel much more confident when I know for sure I understand an issue
or situation before acting on it or as in this case configuring anything. I
am eager to learn and apply what I can. While I may not need this anytime
soon, I would like to learn as much as possible. Being able to apply what I
learn really goes far in cementing that knowlege. Thanks for all your
assistance. Oh, as I mentioned earlier if you have any material or books you
can point me to I would appreciate it. Again, thanks,

Seree

 

[Steven L Umbach]

Too bad it will not work on XP Media edition as it is great and easy to
implement tool. Your other option could be to use local Group Policy and
then give the group you do not want the GP settings to apply to deny
permissions for the \windows\system32\grouppolicy\user folder though that
will prevent you from editing Group Policy locally until you grant yourself
permissions to that folder again. Doug Knox's XP security console may be
also something for you to look at as shown in the link below. Of course NTFS
permissions can also be used to limit what folders/files that a user/group
can access on the operating system.

Steve

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

 

[Steven L Umbach]

You might want to take time to read the thread. System policies is a
reference to what was used in NT4.0/W95/W98/WME. Windows XP uses "Group
Policies" and Local Security Policy that is a subset of local Group Policy.
By default local Group Policy user configuration applies to all users that
logon to the computer that is not a member of an Active Directory domain.
Seree is well aware of this and is looking for a way to apply GP type
restrictions to only selected users on the computer. The Shared Computer
Toolkit does that very well and is easy to install, setup, and free.

Steve