Group Policy Question 1

HessA

MIS
Mar 17, 2005
176
US
Do all group policies work with Win2K? Is there something I can look up and read about what might not be supported by 2K workstations in Group Policies? I've blocked out IM programs mostly successfully on my network, but it doesn't seem to be taking on the Win2K boxes.

Thanks,

Aaron
 
Rock on thanks Aftertaf. I probably would have found it sooner or later with google but you saved me time thanks a ton.

Aaron
 
no probs..
useful little doc to have handy ;-)

Aftertaf

"Solutions are not the answer." - Richard Nixon
 
Here is some bad news for you: you cannot completely block your IM programs using only group policy.

Sam,
 
I have to disagree with PuzzledUNIX,

You can effectively block IM programs IF you do a little leg work.

There is a group policy setting to block a named EXE file. So if you gather up a list of all the EXE names for Yahoo, AOL, Microsoft etc., you can add those EXE names to the list and block them. Cool thing about that too is that the EXEs themselves have their name encoded, so even if a user were to try and rename the file, the EXE knows what its name is supposed to be and that is what it reports to the system.

I hope you find this post helpful.

Regards,

Mark
 
The hashing policy (which you mentioned) works if the path for the executables is the same. The trick savvy users use is that they can install these little IM apps in the My Documents folder without having admin rights and run them from there.

Regards,
Sam.
 
Hey Mark, read this also from different thread:

shughesPB (IS/IT--Manageme) 30 Apr 05 0:03
I have the same problem with one user in particular that likes finding ways around OU policies. So far it’s a weekly thing to keep adding things to the disallowed list of programs he can’t run. You can block one program and he goes download a similar program to accomplish what he wants. I could simply block his downloads but he needs that function to perform his job. It has turned into a battle with him vs. me to see if I "can" stop him. The bad part is he is computer savvy and knows how everything works. Lol

I blocked windows installer but unfortunately not all programs need windows installer to install. He figured out that he can edit the registry to allow the things he wanted to do and so what do I do? I blocked his access to the registry and he downloads a freeware program that lets him edit his registry. Once I get caught up on all the things I need to do I am going to reverse my philosophy and instead of adding things he can’t run to the OU I am going to change to use the allowed programs and restrict it that way, but that will be a huge task because I don’t know everything that he has to have to perform his job. (his fault for testing me. :) )

I get some help with management on the problem but not enough. I will tell them that he is causing a problem with the policies they want enforced and let them know what he does but they simply say well delete the program or block it but they have yet to say something to him about his actions. In the end he is doing nothing but making it harder on himself because the more he goes around the tighter I have to go with the restrictions. He is going to end up not being able to do anything at all because if I have to I will block his Internet access to everything but the sites he needs to get to so he can download his daily files.
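
An added example, not part of any post in this thread: a PowerShell inventory of executables sitting in user-writable profile folders, with each file's SHA-256 checked against an approved list. It is one way to gather the data needed for the "allowed programs" approach described above and to spot programs run from a user's documents folder. It assumes PowerShell 4.0 or later and a modern `C:\Users` profile layout; the approved-hash file path, the folder names and the output file name are hypothetical.

```powershell
# Added example (not from the thread). Assumptions: PowerShell 4.0+,
# hypothetical paths and folder names; adjust for the environment.
param(
    [string]$ProfilesRoot     = 'C:\Users',
    [string]$ApprovedHashFile = 'C:\Policy\approved-sha256.txt',  # hypothetical: one SHA-256 per line
    [string]$ReportPath       = '.\unapproved-executables.csv'     # hypothetical output file
)

# Load approved hashes (PowerShell hashtable keys are case-insensitive).
$approved = @{}
if (Test-Path -LiteralPath $ApprovedHashFile) {
    Get-Content -LiteralPath $ApprovedHashFile |
        Where-Object { $_ -match '^[0-9A-Fa-f]{64}$' } |
        ForEach-Object { $approved[$_] = $true }
}

# Profile subfolders a standard user can write to without admin rights.
$userWritable = 'Documents', 'Downloads', 'Desktop', 'AppData'

$findings = foreach ($userDir in Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($sub in $userWritable) {
        $dir = Join-Path $userDir.FullName $sub
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    User             = $userDir.Name
                    Path             = $_.FullName
                    # Name stored in the file's version resource, if it has one
                    OriginalFilename = $_.VersionInfo.OriginalFilename
                    Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Sha256           = $hash
                    # A file that could not be hashed is treated as unapproved
                    Approved         = [bool]($hash -and $approved.ContainsKey($hash))
                }
            }
    }
}

# Report everything that is not on the approved list, grouped by user.
$findings | Where-Object { -not $_.Approved } | Sort-Object User, Path |
    Export-Csv -LiteralPath $ReportPath -NoTypeInformation
```

Run from an elevated session so other users' profiles are readable; the resulting CSV shows what each user actually runs from their own folders before an allow list is enforced.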
 
when people ask for it in such a way, you can effectively hammer them flat with heavy restrictions, just leaving them barely enough to do their work.

but they ask for it!

Aftertaf

"Solutions are not the answer." - Richard Nixon
 
I have a very neat way to lock down an individual. As long as they are saving their information to the network, use a product from Faronics called "deepfreeze." This program creates a small image and starts up with that image on every shutdown and startup. What's the impact? If he wants to reinstall, reconfigure or screw around... like format c... as soon as the machine reboots, it's back to its original state, and he's got to start from scratch. And if he leaves the machine on all the time, you can have deepfreeze reboot automatically in the middle of the night. And you can put deepfreeze in maintenance mode, keyboard lock and do Windows and virus updates. Then just police his user folders.
 
If I had a user like that, Puzzle, he'd show up one morning and he wouldn't have a PC. His Supervisor/Manager would have to go to the CIO to ask for the PC back. Or, even better, replace the machine with the lowest possible hardware config to run the apps he used, no matter what they were. I don't play with my users. If they try to work around something I put in place, I lock them out. Then they have to explain to their boss why they get locked out 3 times a day.

Aaron
 