Group Policy


yba02

Hi,
Running Windows XP SP2.
Is there a way where I can apply group policy on some users and exclude
other users, such as administrators? Example, I need to restrict access to
all hard disks on the machine on members of the "users" group, while members
of "administrators" group can still access those HD's.

Any input is highly appreciated.

Thanks
Yahya
 

Lanwench [MVP - Exchange]

yba02 said:
Hi,
Running Windows XP SP2.
Is there a way where I can apply group policy on some users and
exclude other users, such as administrators? Example, I need to
restrict access to all hard disks on the machine on members of the
"users" group, while members of "administrators" group can still
access those HD's.

Any input is highly appreciated.

Thanks
Yahya

Not without AD. In standalone XP & 2k, local policies are per machine, not
per user. Check out Windows Steady State or Doug Knox's XP Security Console
(google it) for options.
 

Twayne

yba02 said:
Not without AD. In standalone XP & 2k, local
policies are per
machine, not per user. Check out Windows Steady
State or Doug Knox's
XP Security Console (google it) for options.

But it could be done by assigning the users to
user groups, could it not? Some admin, some power
users, etc.? Admins will have access to all, and
others limited as the programmer prefers, right?

What do you mean by "AD"?

Twayne
 

Lanwench [MVP - Exchange]

Twayne said:
But it could be done by assigning the users to
user groups, could it not? Some admin, some power
users, etc.? Admins will have access to all, and
others limited as the programmer prefers, right?

What do you mean by "AD"?

Twayne

AD = Active Directory.

Without AD in use, you can't use policies unless you want them to affect all
users per machine - group membership has nothing to do with it. The word
"group" in "group policy" frequently confuses people :)
 

yba02

AD stands for Active Directory, a Windows server infrastructure where a
collection of PCs and servers are controlled from a single point.

As a matter of fact Lanwench, I should have posted this inquiry in Windows
Server group, as I was actually talking about AD environment.
With AD in effect, how to do that? I tried it on a member server's GP but
it did not allow for user groups exclusions. Do I have to do it on the DC
domain policy management console?

Thanks
Yahya
 

Lanwench [MVP - Exchange]

yba02 said:
AD stands for Active Directory, a Windows server infrastructure where
a collection of PCs and servers are controlled from a single point.

As a matter of fact Lanwench, I should have posted this inquiry in
Windows Server group, as I was actually talking about AD environment.
With AD in effect, how to do that? I tried it on a member server's
GP but it did not allow for user groups exclusions. Do I have to do
it on the DC domain policy management console?

You can edit domain policies from a member server (or a workstation, even)
if you're using an account with sufficient permissions - I'd use GPMC.

You can use the "deny" checkbox in "apply group policy" for stuff that
shouldn't apply to administrators. That would be useful if you had, say, a
Terminal Server or kiosk machine, and had policies linked to its OU with
loopback processing enabled - so that all users would get the same settings
on that box.

Or, if this isn't a Terminal Services or kiosk box, it would be better to
put your users & computers in different OUs, so that you can link a "user"
policy to your domain user OU (or department OU or whatnot), and it wouldn't
affect your administrators.
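The "user OU" approach and the "deny" checkbox from the post above, as an added example that is not part of the thread: it uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on Server 2008 R2 or later; on the XP/2003-era boxes in this thread the same clicks are done in the GPMC GUI). The domain corp.example, the OU OU=Staff,DC=corp,DC=example, the GPO name and the choice of C: and D: are assumptions, not from the thread.

```powershell
# Added example, not code from the thread. Builds a user-side drive-restriction GPO,
# links it to an OU that holds ordinary users only, and writes the Deny ACE that the
# GPMC "deny" checkbox on "Apply group policy" produces, so Domain Admins are exempt.
# Assumed names: domain corp.example, OU "Staff", GPO "Restrict Local Drives".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Restrict Local Drives'
$UserOu  = 'OU=Staff,DC=corp,DC=example'

# 1. Create the GPO (if missing) and link it to the users' OU, not the domain root.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Blocks C: and D: for members of the Staff OU' }
New-GPLink -Name $GpoName -Target $UserOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. User Configuration > Administrative Templates > Windows Components > Windows Explorer:
#    "Prevent access to drives from My Computer" = NoViewOnDrive
#    "Hide these specified drives in My Computer"  = NoDrives
#    Both are a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, bit 3 = D:, ...
#    Deliberately not 0x3FFFFFF ("all drives"): that mask also blocks whatever letter a
#    mapped network share gets, which is the shared-folder problem raised later in the thread.
$mask = (1 -shl 2) -bor (1 -shl 3)   # C: + D: = 0xC
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoDrives'      -Type DWord -Value $mask | Out-Null

# 3. The GPMC "deny" checkbox is a Deny ACE for the Apply-Group-Policy extended right
#    (GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939) on the GPO's AD object.
#    Set-GPPermission cannot write Deny ACEs, so write it through the AD: drive.
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$adminsSid = (Get-ADGroup 'Domain Admins').SID
$gpoAdPath = "AD:\$($gpo.Path)"          # Gpo.Path is the GPO's distinguished name
$acl = Get-Acl -Path $gpoAdPath
$denyApply = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $adminsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight
)
$acl.AddAccessRule($denyApply)
Set-Acl -Path $gpoAdPath -AclObject $acl

# 4. Check the result: who can apply the GPO, and who is explicitly denied.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, Permission, Denied
```

After `gpupdate /force` on a client, `gpresult /scope:user /r` run as an ordinary Staff user lists the GPO under Applied Group Policy Objects, while the same command run as a Domain Admin lists it under Denied GPOs with reason Security. If administrators sit in their own OU, as the post suggests, the link alone already keeps the GPO off them and the Deny ACE is just belt and braces.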
 

yba02

Hi,
Doing that was excellent. However, I faced a little problem that needs some
workaround.
The TS I want to dispense to users has 2 drives, to which I want to prevent
access. However, I still have to offer the users a shared folder on either
drive. I'm still scratching my head till now.

Thanks
Yahya
 

Lanwench [MVP - Exchange]

yba02 said:
Hi,
Doing that was excellent. However, I faced a little problem that
needs some workaround.
The TS I want to dispense to users has 2 drives, to which I want to
prevent access. However, I still have to offer the users a shared
folder on either drive.

I'm not sure what that means. Why would you have any data on the TS box
anyway? Your data should be on a file server - the TS box should be nothing
but a terminal server, with no other roles on the network.
 

yba02

Hi,
There is an application on the TS box. Using Citrix, that application is
published to users. Because it is the sole window to the outside world, I see
no other way of publishing a shared folder on that same box. Also, if we
neglect that application, I need to make sure that users will never be able
to tamper with content of OS folders and files.

I'm grateful to your contribution and would like to hear your suggestions on
how to perform that.

Thanks
Yahya
 

Lanwench [MVP - Exchange]

yba02 said:
Hi,
There is an application on the TS box. Using Citrix, that application is
published to users. Because it is the sole window to the outside
world, I see no other way of publishing a shared folder on that same
box.

What's in the shared folder that the users need, and why does it make a
difference if it's on the same server or is a network drive visible to the
users within the application? I don't know Citrix, but I'm puzzled.
Also, if we neglect that application, I need to make sure that
users will never be able to tamper with content of OS folders and
files.

I suggest you post this in m.p.windows.terminal_services for the most help.

Basics: you should be running Terminal Services on a dedicated member server
with *no* other roles on the network. It should be set up in its own OU,
with a policy specifically for TS (including loopback processing so that all
users who log in get the same settings, regardless of their own inherited
user policy settings).

See KB 278295 for some good lockdown suggestions. Also see MVP Patrick
Rouse's articles at http://www.sessioncomputing.com/articles.htm
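The dedicated TS member server in its own OU with loopback processing, as an added example that is not part of the thread: it uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT, Server 2008 R2 or later; in this thread's era the equivalent is the loopback setting under Computer Configuration in the GPMC editor). The OU OU=TerminalServers,DC=corp,DC=example, the GPO name, the computer name TS01 and the two lockdown settings chosen are assumptions, not from the thread or from KB 278295.

```powershell
# Added example, not code from the thread. Puts the terminal server in its own OU,
# links a TS-only GPO there and switches on loopback processing in Replace mode so
# that every user who logs on to the box gets this GPO's User Configuration settings,
# regardless of the policies on their own user OU.
# Assumed names: OU "TerminalServers", GPO "TS Lockdown", computer "TS01".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'TS Lockdown'
$DomainDn   = 'DC=corp,DC=example'
$TsOu       = "OU=TerminalServers,$DomainDn"

# 1. The TS computer object lives in its own OU, so only GPOs linked there (plus any
#    domain-level ones) reach it. Nothing else should be in this OU.
if (-not (Get-ADOrganizationalUnit -Identity $TsOu -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'TerminalServers' -Path $DomainDn
}
Move-ADObject -Identity (Get-ADComputer 'TS01').DistinguishedName -TargetPath $TsOu

# 2. Create and link the GPO.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Loopback (Replace) lockdown for terminal servers' }
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Computer Configuration > Administrative Templates > System > Group Policy >
#    "User Group Policy loopback processing mode". UserPolicyMode: 1 = Merge, 2 = Replace.
#    Replace discards the user's own OU policies for sessions on this computer.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. User-side settings in the same GPO now hit everyone who logs on to TS01.
#    Two typical lockdown items (assumed choices): no Control Panel, no Run box.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName 'NoRun'          -Type DWord -Value 1 | Out-Null

# 5. Show what was written, for review before the next gpupdate.
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'
Get-GPRegistryValue -Name $GpoName -Key $explorerKey
```

Loopback in Replace mode also applies to administrators when they RDP in to manage the box, so exempt them with the "deny" on "Apply group policy" described in the earlier post rather than by moving them to another OU, which loopback would ignore anyway. Check from the server after `gpupdate /force`: `gpresult /scope:user /r` run as a normal user shows TS Lockdown under Applied Group Policy Objects; run as a Domain Admin it shows under Denied GPOs.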
 

Lanwench [MVP - Exchange]

Yba said:
One more thing, if you may please.
I have the problem almost sorted out. I have done what you have
suggested and published a network share (mapped drive to the TS box)
and restricted access to all local drives. This seems to work fine.
However, I faced a new unexpected problem.
That mapped drive shows only if a domain admin logs in. Domain
users can't see it.
If this happens to be a Microsoft situation, any ideas on how to fix
it please?

Thanks
Yahya

Did you set up a policy & explicitly deny it to Administrators? You should.
Your users need to use a login script - are they?
I do think the TS newsgroup is where you should post - maybe also crosspost
to the m.p.windows.group_policy folks.
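A logon script of the kind the reply above asks about, as an added example that is not part of the thread: it maps the file-server share in each user's own session so that the mapping does not depend on who created it. The share \\FS01\Shared and the letter S: are assumptions, not from the thread, and the explanation of the symptom is a likely cause, not something the thread confirms.

```powershell
# Added example, not code from the thread. A per-user logon script that maps the
# shared folder. Assign it under User Configuration > Windows Settings > Scripts
# (Logon) of the GPO linked to the users' OU, or of the TS GPO when loopback is on.
# Assumed names: share \\FS01\Shared, drive letter S:.

function Connect-SharedDrive {
    param(
        [string]$Letter  = 'S',
        [string]$UncPath = '\\FS01\Shared'
    )
    $drive = "${Letter}:"

    # A mapping that already points at the right share is left alone; a stale one
    # pointing elsewhere (left over from an earlier session) is removed first.
    $existing = Get-CimInstance -ClassName Win32_NetworkConnection `
        -Filter "LocalName = '$drive'" -ErrorAction SilentlyContinue
    if ($existing -and $existing.RemoteName -ieq $UncPath) { return $true }
    if ($existing) { net use $drive /delete /y | Out-Null }

    # /persistent:no: the logon script recreates the mapping at every logon, so
    # nothing relies on a remembered connection stored in one user's profile.
    net use $drive $UncPath /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not map $drive to $UncPath (net use exit code $LASTEXITCODE)"
        return $false
    }
    return $true
}

# Likely cause of the symptom in the post above (an assumption, not confirmed in
# the thread): drive mappings belong to the logon session that created them, so a
# share mapped while an administrator was logged on exists only in that session.
# Also keep this letter out of the NoViewOnDrive/NoDrives bitmask of the
# drive-restriction policy, or the share is blocked together with the local disks.
Connect-SharedDrive
```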
 
