Question about Group Policies in XP.

[Guest]

I'm not an expert with group policies but would like to use it more. I'm
trying to set up five machines with a local group policy but have screwed up
two machines already by not being able to get gpedit.msc because I set the
sample user configuration policy up has the user account (user account has
administrator rights) but in doing so the policies also affected the
administrator account so I'm on my third machine. I accidentally set both
local computer and user policies (didn't know I just had to use user
configuration) Does anyone have links to any proper information or
instruction on how to group policy? We're tired of using Fortres desktop
security.

 

[Nepatsfan]

You might want to take a look here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Here's another tool you might want to consider:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

 

[Guest]

Thanks for your help.

You might want to take a look here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Here's another tool you might want to consider:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

 

[Guest]

One thing that really screwed me up was setting the c: drive to be hidden and
taking the Run command off the start menu. I'd like to include these
policies under the user account but if I have to set these policies up
logged in has administrator I won't be able to get back to the c: drive or
c:\windows\system32\gpedit.msc. How can I do this so I can set these
policies? Should I give the user account administrator rights then set the
policies then take the admin right away and login again has the user account?
That's what screwed me up initially.

 

[Nepatsfan]

What exactly do you mean by "setting the c: drive to be hidden"?
How did you go about hiding it? You can remove the Run command
from the start menu easily enough but restricting access to a
drive could (as you've already seen) have unintended
consequences. Have you considered using NTFS permissions to
restrict user access?

 

[Guest]

There is an option under both Computer configuration and User configuration
(I don't remember the exact path) but you can hide the c: drive (make it
invisible) or restrict access to it. I haven't considered NTFS permissions
cause I don't know enough about it but I have converted the drives to NTFS.

 

[Guest]

I know about these already. Thanks anyway. Thanks for all your help.

Start | Run | Type: gpedit.msc | OK |

Navigate to >>
User Configuration \ Administrative Templates \ Start Menu and Taskbar
Remove Run menu from Start Menu

[[Removes the Run command from the Start menu and removes the New Task (Run)
command from Task Manager. Also, users with extended keyboards can no longer
display the Run dialog box by pressing the Application key (the key with the
Windows logo)+ R.]]

HKCU\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoRun
-----

User Configuration\Administrative Templates\Windows Components\
Windows Explorer\
Hide these specified drives in My Computer

[[Removes the icons representing selected drives from My Computer and
Windows Explorer. Also, the drive letters representing the selected drives
do not appear in the standard Open dialog box.

This policy removes the drive icons. Users can still gain access to drive
contents by using other methods, such as by typing the path to a directory
on the drive in the Map Network Drive dialog box, in the Run dialog box, or
in a command window.]]

HKCU\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoDrives
-----

User Configuration\Administrative Templates\Windows Components\
Windows Explorer\
Prevent access to drives from My Computer

[[Prevents users from using My Computer to gain access to the content of
selected drives.

If you enable this policy, users cannot view the contents of the selected
drives in My Computer and Windows Explorer. Also, they cannot use the Run
dialog box, the Map Network Drive dialog box, or the Dir command to view the
directories on these drives.

The icons representing the specified drives still appear in My Computer, but
if users double-click the icons, a message appears explaining that a policy
prevents the action.]]

HKCU\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoViewOnDrive

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

There is an option under both Computer configuration and User
configuration (I don't remember the exact path) but you can hide the
c: drive (make it invisible) or restrict access to it. I haven't
considered NTFS permissions cause I don't know enough about it but I
have converted the drives to NTFS.

 

[Nepatsfan]

I did a little experimenting but you're going to have to tweak
this for your needs.

Logon as Administrator.
Right click an open area of your desktop and select New ->
Shortcut.
Enter gpedit.msc.
Hit Next.
Enter a name for this shorcut and select Finish.
This will allow you to access the Local Seurity Policy after
you've hidden the C drive.

Have you enabled any policy settings that remove the Command
Prompt entry from the Start menu? If you have then you'll have to
create a shortcut to cmd.exe as well. That will allow you to
access the Registry.pol file. Follow the instructions outlined in
the Microsoft article I posted earlier and see if you get the
results you want.

Keep in mind that there are other ways of accessing the C drive
besides My Computer or Explorer. I've just given you two examples
of how someone can get around this policy.

Keep us posted.

 

[Guest]

I figured out (with a little help from theeldergeek.com) that after you save
the policy has administrator you have to go to
c:\windows\system32\grouppolicy\ and take away the read permission and choose
deny instead of allow so that the policy doesn't affect the administrator
account. Thanks for all your help.

 

[Nepatsfan]

Glad you found a workaround. Though, it really shouldn't be
necessary to change permissions on that folder. A common mistake
some people make when they go through the procedure outlined in
the MS article (step 10) is to change the settings back to "Not
Configured" instead of Disabled.