Group Policy

[secutanudu]

I have a couple of questions about group policy.

#1 - This is a very basic question. Is group policy simply a front end for the registry? Is every setting made in group policy accesssible directly through the registry?

#2 - Let's say we want to take administrative access away from our users, but still give them rights to install software. Would we want to take them out of the administrators group and then give them insall rights with group policy? Is this possible? Or would we leave them in the administrators (or power users) group and take away the rights we do not want them to have?

#3 - I think this may have been answered somewhere in the forums but i cant find it. Is there a way to export group policy entries on one pc and then import on another, so the same work does nto need to be repeated over and over (this is for local group policy, not in active directory).

Thanks,
Andrew

 

[mwiner]

#1: In short. Yes. Now not every setting is directly accessible through registry because the policy may be to put a file somewhere on logon, etc. But pretty much the changes that group policies makes are in HKEY_Current_User for User policies and HKEY_Local_Machine for machine policies.

Group policies just gives you the ability to do this on a much bigger scale centrally managed.

#2: This is a nightmare for admins. Removing admin priv. for users and letting them install an application do not mix. If you want nothing but headaches then I suggest you go one way or another.

We create an exempt policy that allows users to be local admins to their machine only if they need to be. But otherwise all users have restriceted access and do not have local admin priv.

#3: sorry I cannot help you here. I dunno. I would say yes, but I am not sure how.

 

[AlaskanDream]

Of course each business environment is different. I would agree with mwiner. We rarely give users the ability to add/remove programs because of the headaches it creates.

One nice thing about group policy is it's ability to be used to push out software to local machines rather than have end users' doing this and admins not walking around to every workstation and doing this. It would be well worth your time and efforts to research this option to see if it fits well with what you are trying to do.

 

[bazzert]

If you create MSI files of apps then users can install the app even if they don't have admin rights. MSI files grant temp admin rights to install app.

Form what I recall you can publish a list of apps that the users see when they login and then click the app to install.

Sorry if this is a bit vauge was a module in the MCSA stuff I did some time ago

 

[secutanudu]

I think software publishing through AD is the obvious way to go. Does anyone know a good program that will easily package up apps into MSI packages? I tried the demo of wise installer and it was very confusing. Anything you guys could recommend?

Thanks.

 

[aftertaf]

you've got one on your windows cd....

third party support tools.
got a silly unrememberable name, but ends up being veritas Win LE once installed.
snapshots a system 'before' and 'after' and makes an msi from what it discovers.

worth a try...
and alternative is to make a zap file... works for winzip


Aftertaf
if its not broken, fix it anyway - with luck you might break it and have an excuse

 

[bofhrevenge2]

For number 3 you might want to read this FAQ it may help you.
faq779-5596