Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
group policy 2
- Thread starter A15
- Start date
thebassplayer
MIS
you can use poledit to restrict what the users can do and run.
thebassplayer (MCSE, MCT)
thebassplayer (MCSE, MCT)
-
1
- #4
TekTippy4U
Technical User
Here's a cut and paste of my Own post from an earlier
thread
To use poledit.exe (System Policy Editor) correctly.......you need to make sure that these three files are in the C:\WINDOWS\INF folder (not a subfolder beneath it)....
1. Poledit.inf
2. Windows.adm
3. Common.adm
If after that, you are still having trouble.....try installing Group Policies(Grouppol.dll),(you'll probably need this if you have User Profiles enabled) which you may be prompted for from the Win98 CD....to do this....
Go to Control Panel>Add/Remove Programs>Windows Setup Tab>System Tools and select the checkbox for "Group Policies"....click OK and then OK again..
The Grouppol.dll file should be in your C:\WINDOWS\SYSTEM Directory,..and Grouppol.inf in the C:\WINDOWS\INF directory
Peace
TekTippy4U
This next excerpt is taken right from the poledit.txt file on Win98 CD-ROM :
To install this tool on your local hard disk,
or to install support for group policies,
use the Add/Remove Programs option in Control Panel, select the Windows Setup tab, click the Have Disk button, and install from the TOOLS\RESKIT\NETADMIN\POLEDIT directory located on the install media.
Also find these files "Poledit.hlp" and "Win98rk.hlp" on the Win98 CD in.... D:\tools\reskit\help....where < D: > is your CD drive..
TekTippy4U
thread
To use poledit.exe (System Policy Editor) correctly.......you need to make sure that these three files are in the C:\WINDOWS\INF folder (not a subfolder beneath it)....
1. Poledit.inf
2. Windows.adm
3. Common.adm
If after that, you are still having trouble.....try installing Group Policies(Grouppol.dll),(you'll probably need this if you have User Profiles enabled) which you may be prompted for from the Win98 CD....to do this....
Go to Control Panel>Add/Remove Programs>Windows Setup Tab>System Tools and select the checkbox for "Group Policies"....click OK and then OK again..
The Grouppol.dll file should be in your C:\WINDOWS\SYSTEM Directory,..and Grouppol.inf in the C:\WINDOWS\INF directory
Peace
TekTippy4U
This next excerpt is taken right from the poledit.txt file on Win98 CD-ROM :
To install this tool on your local hard disk,
or to install support for group policies,
use the Add/Remove Programs option in Control Panel, select the Windows Setup tab, click the Have Disk button, and install from the TOOLS\RESKIT\NETADMIN\POLEDIT directory located on the install media.
Also find these files "Poledit.hlp" and "Win98rk.hlp" on the Win98 CD in.... D:\tools\reskit\help....where < D: > is your CD drive..
TekTippy4U
TekTippy4U
Technical User
After Rereading your post..I was a little hasty and realize that you should probably install "Sytem Policy Editor" on the NT Servers...thereby eliminating 25 more installations....and it's more effective use of security....
The actual files needed for "System Policy Editor" are on the Win98 CD.....don't know about NT....as I have the Win 98 Resource Kit w/CD-ROM and the OEM Win98 CD...
The Win 98 Resource kit has it's own directories for these files,....along with many other tools......but I've scanned and read those help files on my OEM Win98 CD and know that they're where I said in last post........
My concern in this post has to do with WHERE you install the Policy files for ease of use, editing, and adm. security...
Here's just a little snip-it of info available.....
You can use either system policies or mandatory user profiles to enforce user settings. In certain situations, it may be desirable to use *BOTH*.... system policies.... AND..... mandatory user profiles. The two features differ in the following ways:
System policies let you mandate user-specific and computer-specific settings. Mandatory user profiles let you mandate only user-specific settings.
System policies let you selectively determine a subset of user settings to control, and each user controls the remaining settings.
Mandatory user profiles always control every user-specific setting
You can have Windows 98 copy system policies from the network either manually or automatically. If you want to copy system policies automatically, Windows 98 locates the system policy file (Config.pol) in the proper directory on the network(adm. computer) and downloads its policy settings into the registry of the local computer when the user logs on.
The Config.pol file NEEDS to be made on the Client machine(Win98)......more in the help files....
If you want to copy system policies manually, Windows 98 copies the system policy file from a location you specify. Automatic downloading works only if the file name for the system policy file is Config.pol.
I took this next section right from the "Win98rk.hlp" file.....as referred to in my last posting
(((((If you want to use system policies, you must perform the following preliminary steps:
On the administrator’s computer, install System Policy Editor from the \TOOLS\RESKIT\NETADMIN\POLEDIT directory on the Windows 98 compact disc. Decide which users can install and have access to this tool for modifying policies.
**For most client computers, you probably will not install System Policy Editor.**
See Installing System Policy Editor
On the client computers, "enable user profiles" to ensure full support for system policies.
If user profiles are not enabled, only the computer settings in any system policy will be written to the Registry.
See Enabling User Profiles
Install support for group policies on the client computers if your site will use these.
See Installing Group Policies.
The system policy entries you set through System Policy Editor are reflected in the policy file (config.pol), which overwrites default user.dat and system.dat settings in the Registry when the user logs on.
Overview of Windows 98 Resource Kit Sampler Tools © Microsoft Corporation 1985 - 1998))))))))
There's way too much more info....as it'll take up too much space here...and so have I already....:>)
Read the help files....it's all there...
Good Luck
The actual files needed for "System Policy Editor" are on the Win98 CD.....don't know about NT....as I have the Win 98 Resource Kit w/CD-ROM and the OEM Win98 CD...
The Win 98 Resource kit has it's own directories for these files,....along with many other tools......but I've scanned and read those help files on my OEM Win98 CD and know that they're where I said in last post........
My concern in this post has to do with WHERE you install the Policy files for ease of use, editing, and adm. security...
Here's just a little snip-it of info available.....
You can use either system policies or mandatory user profiles to enforce user settings. In certain situations, it may be desirable to use *BOTH*.... system policies.... AND..... mandatory user profiles. The two features differ in the following ways:
System policies let you mandate user-specific and computer-specific settings. Mandatory user profiles let you mandate only user-specific settings.
System policies let you selectively determine a subset of user settings to control, and each user controls the remaining settings.
Mandatory user profiles always control every user-specific setting
You can have Windows 98 copy system policies from the network either manually or automatically. If you want to copy system policies automatically, Windows 98 locates the system policy file (Config.pol) in the proper directory on the network(adm. computer) and downloads its policy settings into the registry of the local computer when the user logs on.
The Config.pol file NEEDS to be made on the Client machine(Win98)......more in the help files....
If you want to copy system policies manually, Windows 98 copies the system policy file from a location you specify. Automatic downloading works only if the file name for the system policy file is Config.pol.
I took this next section right from the "Win98rk.hlp" file.....as referred to in my last posting
(((((If you want to use system policies, you must perform the following preliminary steps:
On the administrator’s computer, install System Policy Editor from the \TOOLS\RESKIT\NETADMIN\POLEDIT directory on the Windows 98 compact disc. Decide which users can install and have access to this tool for modifying policies.
**For most client computers, you probably will not install System Policy Editor.**
See Installing System Policy Editor
On the client computers, "enable user profiles" to ensure full support for system policies.
If user profiles are not enabled, only the computer settings in any system policy will be written to the Registry.
See Enabling User Profiles
Install support for group policies on the client computers if your site will use these.
See Installing Group Policies.
The system policy entries you set through System Policy Editor are reflected in the policy file (config.pol), which overwrites default user.dat and system.dat settings in the Registry when the user logs on.
Overview of Windows 98 Resource Kit Sampler Tools © Microsoft Corporation 1985 - 1998))))))))
There's way too much more info....as it'll take up too much space here...and so have I already....:>)
Read the help files....it's all there...
Good Luck
- Thread starter
- #6
Thanks for all the help.
I have been playing with the group policy editor and my question is:
Do I have to set the rights for every singl computer or is there a way that I can configure a singl policy that will be applied to everyone that logs to the domain.(on their local win98 client).
Thanx
I have been playing with the group policy editor and my question is:
Do I have to set the rights for every singl computer or is there a way that I can configure a singl policy that will be applied to everyone that logs to the domain.(on their local win98 client).
Thanx
A15 - did you look at that link I posted?
With an NT domain you can set domainwide policies. You need to use the 98 poledit.exe (install from the 98 CD)file to create a policy file (ie, with restrictions for users/groups/machines specified). You can do this on one 98 machine. Save it as config.pol. Then copy it to the netlogon share on the NT server (\WINNT\system32\Repl\Import\Scripts\). Policies will then apply to win9x/ME users logging on to the domain (NT/2k/XP users pick up policies from ntconfig.pol, created using NT's poledit.exe).
PS. I'm a bit confused by reference to Group Policy Editor (usually 2k/XP) - NT/9x usually refers to just Policy Editor.
With an NT domain you can set domainwide policies. You need to use the 98 poledit.exe (install from the 98 CD)file to create a policy file (ie, with restrictions for users/groups/machines specified). You can do this on one 98 machine. Save it as config.pol. Then copy it to the netlogon share on the NT server (\WINNT\system32\Repl\Import\Scripts\). Policies will then apply to win9x/ME users logging on to the domain (NT/2k/XP users pick up policies from ntconfig.pol, created using NT's poledit.exe).
PS. I'm a bit confused by reference to Group Policy Editor (usually 2k/XP) - NT/9x usually refers to just Policy Editor.
TekTippy4U
Technical User
Wolluf is right, as I was away from the list for awhile......and like I said it's "All" in those help files..
...
I believe, you(as Adm only) can even use a text editor.....to modify the config.pol file....
Policy editor works on 9x/me machines because it
overwrites default user.dat and system.dat settings in the Registry when the user logs on.
I also believe you do need to enable
USER PROFILES and GROUP POLICIES on user machines
as I said earlier......
...
I believe, you(as Adm only) can even use a text editor.....to modify the config.pol file....
Policy editor works on 9x/me machines because it
overwrites default user.dat and system.dat settings in the Registry when the user logs on.
I also believe you do need to enable
USER PROFILES and GROUP POLICIES on user machines
as I said earlier......
TekTippy4U
Technical User
Hey Wolluf;
Great Link.......loaded with info.....I couldn't find this for this orig. post-er....plus I missed it myself.....Duh!!
In trying to keep my posts shorter(nevermind the typing...ugh!).....I looked, but to no avail, for a link....... so, needless to say, I had a lot of typing
to do
thanks much
TT4U
Great Link.......loaded with info.....I couldn't find this for this orig. post-er....plus I missed it myself.....Duh!!
In trying to keep my posts shorter(nevermind the typing...ugh!).....I looked, but to no avail, for a link....... so, needless to say, I had a lot of typing
to do
thanks much
TT4U
- Thread starter
- #10
TekTippy4U
Technical User
Here's some info that may help and guide you....
Group policies are supported for both Windows NT and NetWare networks. Creating policies for groups is similar to creating policies for users or computers.
You must first make sure that Grouppol.dll, which supports group policies, has been successfully installed on each client computer. For more information, see “Installing System Policy Editor” earlier in this chapter.
You cannot create new groups by using System Policy Editor; you can use only existing groups on the NetWare or Windows NT network. To create a new group, use the tools provided with your network administrative software.
To create system policies for groups
In System Policy Editor, click the Edit menu, and then click Add Group.
Type the name of the group you want to add, and then click OK.
– Or –
If user-level security is enabled, click Browse, click the name of the group you want, and then click OK.
Select or clear policies by clicking the policy name.
Group policies are downloaded starting with the lowest-priority group and ending with the highest-priority group. All groups are processed. The group with the highest priority is processed last so that any of the settings in that group’s policy file supersede those in lower-priority groups. You can use one policy file for each group, even if some of the client computers in the group do not have support installed for group policies. Client computers that are not configured for using group policies will ignore group policy files.
Important
If a policy exists for a specific named user, group policies are not applied to that user.
To set priority levels for groups
In System Policy Editor, click the File menu, and then click Open File.
Locate the Config.pol file, and then click Open.
On the Options menu, click Group Priority.
In the Group Priority dialog box, click on a group name, and then use Move Up and Move Down to move it into its relative priority.
Group policies are supported for both Windows NT and NetWare networks. Creating policies for groups is similar to creating policies for users or computers.
You must first make sure that Grouppol.dll, which supports group policies, has been successfully installed on each client computer. For more information, see “Installing System Policy Editor” earlier in this chapter.
You cannot create new groups by using System Policy Editor; you can use only existing groups on the NetWare or Windows NT network. To create a new group, use the tools provided with your network administrative software.
To create system policies for groups
In System Policy Editor, click the Edit menu, and then click Add Group.
Type the name of the group you want to add, and then click OK.
– Or –
If user-level security is enabled, click Browse, click the name of the group you want, and then click OK.
Select or clear policies by clicking the policy name.
Group policies are downloaded starting with the lowest-priority group and ending with the highest-priority group. All groups are processed. The group with the highest priority is processed last so that any of the settings in that group’s policy file supersede those in lower-priority groups. You can use one policy file for each group, even if some of the client computers in the group do not have support installed for group policies. Client computers that are not configured for using group policies will ignore group policy files.
Important
If a policy exists for a specific named user, group policies are not applied to that user.
To set priority levels for groups
In System Policy Editor, click the File menu, and then click Open File.
Locate the Config.pol file, and then click Open.
On the Options menu, click Group Priority.
In the Group Priority dialog box, click on a group name, and then use Move Up and Move Down to move it into its relative priority.
great posts, will use these on my return to work
I have 120 xp machines on server 2000 and wish to use some old win 95 / 98 machines with single user logons ( for use in study areas ie library etc) I have set up auto logon and was looking for a way to lock them down. this seems to be the answer I was looking for.
Cheers
Some lead, some follow....I just Hope!
I have 120 xp machines on server 2000 and wish to use some old win 95 / 98 machines with single user logons ( for use in study areas ie library etc) I have set up auto logon and was looking for a way to lock them down. this seems to be the answer I was looking for.
Cheers
Some lead, some follow....I just Hope!
-
1
- #16
system policies are easier and you can prevent the "esc" if you buy the O'Reilly Book and follow the examples...
used copies from $2.92 plus shipping...
don't forget to make backups before attempting anything that affects the registry...
JTB
Senior Microsoft Consultant
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSE-W2K in progress)
used copies from $2.92 plus shipping...
don't forget to make backups before attempting anything that affects the registry...
JTB
Senior Microsoft Consultant
MCSE-NT4, MCP+I, MCP-W2K, CCNA, CCDA,
CTE, MCIWD, i-Net+, Network+
(MCSE-W2K in progress)
TekTippy4U
Technical User
itsfisko;
Have a look here;
TT4U
Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
Have a look here;
TT4U
Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
The auto-logon does just that - the logon box does flash up, but with username/password completed and greyed out.
Obviously if they know about tweakui (or the registry keys it updates) they could reverse this (hint, remove the tweakui control panel icon).
How adept are your users? (because 98 is NOT a secure system - so whatever you do - policy editor included - someone with know how can circumvent).
Would also like someone to explain how using policy editor is going to answer itsfisko's question:-
'However can I force the one user to logon without giving them the option to see the logon screen?'
Obviously if they know about tweakui (or the registry keys it updates) they could reverse this (hint, remove the tweakui control panel icon).
How adept are your users? (because 98 is NOT a secure system - so whatever you do - policy editor included - someone with know how can circumvent).
Would also like someone to explain how using policy editor is going to answer itsfisko's question:-
'However can I force the one user to logon without giving them the option to see the logon screen?'
TekTippy4U
Technical User
Wolluf;
In combination with TweakUI....you just disable access to the REG, Control Panel and anything else....
TT4U
Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
In combination with TweakUI....you just disable access to the REG, Control Panel and anything else....
TT4U
Notification:
These are just "my" thoughts....and should be carefully measured against other opinions.
Backup All Important Data/Docs..All involved shall be spared the grief.
- Status
Similar threads
- Locked
- Question
- Locked
- Question