
group policies 5


terry712

Technical User
Oct 1, 2002
2,175
GB
Anyone any guidance on where to store these and where to get them from?
I want to use them on XP and a Citrix XPa box.
Do I just copy them from security\template or ?

Any good docs or links or personal experience appreciated.

 
Oh yeah, policies are kinda confusing at first. Just need to remember, it's M$ not Novell making it hurt for you. In either network environment, you have to do similar.

Pick a location on your network that all users will have access to. A public place they all can read and filescan, but nothing else. Then create subdirectories for each of the different policies you want to create. Like at the location I am in now, I have a ZEN_VOL:policies storage location. In this storage location I have XP_SuperUser, 2K_Superuser, XP_CommonUser, 2K_CommonUser, XP_RestrictedUser, & 2K_RestrictedUser (similar for workstation policies). Now in the NDS object when I go into the Group Policy properties, I tell it where the location is, then go to edit it. ConsoleOne will copy the correct ADM files to the directory and bring up MMC for you to edit them in.

Word of caution:

You MUST use the OS you plan to use the policy on to setup the policy. So if the policy will be used on XP workstations, you will use an XP workstation to create the policy. Same goes for 2K, NT, & 9x.

DO NOT use your own production PC to create the policy. You could shoot yourself in the foot. As you create the policy, you will notice that it affects the PC you create it on. Now when you close MMC, the policy gets removed, but I have had times when it didn't. Really sucks when you have to get your job done and a policy has locked down your PC, preventing you from doing your job. I personally use VMWare sessions to create my policies in (nice revert feature recovers the workstation very quickly if I lock myself out building a policy).

Be sure to create the SuperUser policy FIRST. You need something that will unlock any security policy you play with. Nice to be sure when you log into a PC it won't be locked down.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
 
As always Brent, a quality post...

For years I have been hoping that Novell would put these kinds of explanations in their documentation. But they don't.

I would like to expand on your Superuser policy though... Make your superuser policy so that it actually removes any restrictions you've put in place.. Mirror your restrictive policies, if you will.. for example, if you ENABLE the 'Remove Run command', make sure you set DISABLE 'remove run command' in your superuser policy. Don't just create an empty SuperUser policy with the defaults. That won't help you out any because the 'not configured' setting won't make any change to whatever restriction is currently in place.



Marvin Huffaker, MCNE
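
The mirroring advice in the post above, as an added example that is not part of the original thread and does not use any ZENworks or Windows API. It models settings as enabled / disabled / not configured, assumes a "not configured" entry leaves the current state untouched (as the post describes), and lists restrictions a superuser policy fails to reverse; the second setting name and all policy contents are constructed sample data.

```python
from enum import Enum

class State(Enum):
    NOT_CONFIGURED = "not configured"
    ENABLED = "enabled"
    DISABLED = "disabled"

OPPOSITE = {State.ENABLED: State.DISABLED, State.DISABLED: State.ENABLED}

def apply_policy(current, policy):
    """Return the machine's settings after a policy is applied.

    Simplified model (assumption): a NOT_CONFIGURED entry changes nothing,
    so whatever an earlier policy set stays in place.
    """
    result = dict(current)
    for name, state in policy.items():
        if state is not State.NOT_CONFIGURED:
            result[name] = state
    return result

def unmirrored_settings(restrictive_policies, superuser):
    """List settings a restrictive policy configures that the superuser
    policy does not explicitly set to the opposite state."""
    gaps = set()
    for policy in restrictive_policies:
        for name, state in policy.items():
            if state is State.NOT_CONFIGURED:
                continue
            if superuser.get(name, State.NOT_CONFIGURED) is not OPPOSITE[state]:
                gaps.add(name)
    return sorted(gaps)

# Constructed sample policies; only "Remove Run command" comes from the thread.
RESTRICTED = {
    "Remove Run command": State.ENABLED,
    "Prevent access to the command prompt": State.ENABLED,
}
EMPTY_SUPERUSER = {name: State.NOT_CONFIGURED for name in RESTRICTED}
MIRRORED_SUPERUSER = {name: OPPOSITE[s] for name, s in RESTRICTED.items()}

if __name__ == "__main__":
    locked = apply_policy({}, RESTRICTED)
    print("after empty superuser:", apply_policy(locked, EMPTY_SUPERUSER))
    print("after mirrored superuser:", apply_policy(locked, MIRRORED_SUPERUSER))
    print("gaps:", unmirrored_settings([RESTRICTED], EMPTY_SUPERUSER))
```

Running the gap check against every restrictive policy before rollout shows which settings would stay locked for an administrator who logs in on a restricted workstation.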
 
Oh the joys.

Thanks for post.
Hopefully I should be doing these soon - afraid it's a weird app that's on the box and just got that to work logged in as a pleb.

Going to do the tie down next and then try the printing nightmare.

Citrix is just so much hassle eh
 