Local Policy

Chad

I have a few Windows XP Pro workstations that are
members of our NT 4 domain. We will be migrating to AD
next year, and plan on using group policies. Until then
we would like to "lock down" some XP workstations.

I have tried to set up a local Group Policy, but I can't
seem to figure out how to apply the policy to only a
specific user/group on a workstation. Does anyone know of
a good way to lock down an XP workstation in an NT 4
domain environment, while still allowing an admin to log
on without any kind of restrictions?

Thanks in advance,
Chad
 
Roger Abell

When in a downlevel domain, XP, like W2k, will pay
attention to System Policies. This is the method provided
for centralized policy in such an environment.

When using System Policy, or any other method to obtain
per-user/group policy in this environment, remember that
you will be tattooing the local registry, something that the
true policies in Group Policy do not do. This will leave
you with possible things that will need to be cleaned up
when it comes time to use Group Policy in an uplevel domain.

Local group policy, by design, only applies equally to all
accounts. You can bypass this by direct registry edits, or
other techniques, but it sounds like System Policy is what you
are wanting if there are many machines.
 
Tim

Along a very similar vein we have a sprinkling of XP pro workstations in an
NT 4 domain. The ONLY way that end users can install apps is if they are
placed in the power users or better domain group. Win2K boxes which are the
vast majority of our computers don't have this issue. We are not using the
run only allowed apps or anything of that nature. All end users have admin
rights on their own machines (yeah I know it's bad but no choice).

Any suggestions?
Tim
tim at digitaltim at com
 
Roger Abell

Any suggestions about what?
To install in XP any category of app they
will need to be admins. That is part of how
XP is designed.
 
Tim

Every domain user is in the local admin group on their own laptop/desktop.
However, after joining the domain the only way an XP machine user can
install software is to be in the domain group power users or domain admins.
Win2K boxes in the same setup (domain user has local admin rights) do not
exhibit this problem. It has to be something in the way XP is interpreting
NT4 policy which is strange since we don't restrict what apps users can run
at all. I'm stumped.
 
Roger Abell

Well, that is strange. There are ways to restrict from
domain somewhat similarly if these were under control
of GPOs, but they are not.

If they use a local account that is an admin then they
can install? But if they use a domain account that is
a local admin they cannot, at least not unless the domain
account is in domain power users or domain admins.
Most strange - it actually sounds like their domain account
really is not in the local Administrators group, but I have
no doubt that you have checked that a million times already.
 
