LGPO On Windows XP Pro

KingE

MIS
Nov 4, 2002
39
US
If I create a local group policy object on a Windows XP Pro workstation and set it how I need the machine to operate, how can I replicate this to other workstation machines?
Is it possible to copy either the Group Policy directory or just the gpt.ini file over to another machine, or is it a little more complicated than that?

We do not run Active Directory or have an active NT 4.0 domain but we need to implement security on a number of XP workstations.

KingE

MCP, MCSE-NT4.0, MCSA, MCSE W2k (soon)
 
I'm not an expert, but isn't it just a file that gets read when you log in? Like groupol.pol or something? I know that all domain PCs look for this in a general place when they log in, and you can change this to point somewhere else. Why not copy the file locally and point to it there?

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
Jontmke,

Your instincts are fine, but a workgroup has some limits.

A workgroup does not have the "push" facilities that a Domain Admin can use.

So you are stuck using essentially remote tools to add to user logon scripts for policies, or setting up things very thoroughly from the start.

You can do a lot with remote registry administration, and control over the user logon process. But a domain makes life a lot easier if you need to "push" a change.


 
An Active Directory is being installed, but the desktops are being upgraded first and I need a semi-secure way to lock these down so end users don't run wild. Currently they log in to a Novell 4.0 tree and use the free version of ZENworks (2.0), but this is not compatible with XP. Once AD is in place the whole process will be domain GPOs, but until then I need to find a way to use the local group policy without redoing it 'x' number of times for each workstation. Is it possible to use a template file if I am unable to copy the ini file from one machine to the next?

KingE

MCP, MCSE-NT4.0
 
bcastner,

I am not wanting to do the push changes until full AD. I just want a policy that will prevent installs, messenger, etc. so I can have a usable and secure workstation without all the home user add-ons.

KingE

MCP, MCSE-NT4.0
 
I see little way to do this without being the local Admin at each machine if the changes are not possible through remote registry access.

Messenger you can kill with a remote registry change. Installs and general security are more difficult in a workgroup setting.

Let me do some research, it is a very good question. I suspect you will still require local access, but there should be a quick way having that as local Admin to apply GPO templates, as a template import, rather than going through the process by hand.

I invite all to contribute. My only thought at present is to set up the default user, and remove existing profiles. The new logon by a user would then follow the default profile. This I think even in a workgroup setting could be done remotely.


And a possibility to implement now, and preserve under your AD Domain:
 
OK, I have found what I was referring to. In the old Policy Editor there is a setting in Network called Remote Update where you can set where the computer looks for policy files. It normally is left as default, which is the Netlogon share on the server. (Which you can use in Novell and ZENworks also.) But in that policy setting you can have it look anywhere you want for the policy file, which is called ntconfig.pol. So, in theory you can set up all the policies you want, save it as ntconfig.pol and put it where the PCs can see it. Then you just change the one file and you get global updates.

Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
 
Thanks Jontmke, quick questions though. How do I tell the machine to find and use the ntconfig.pol if it is in a workgroup? And the XP LGPO is more detailed than the poledit policies, so is there a way I can import some of these settings?

KingE

MCP, MCSE-NT4.0
 
I found this at Microsoft:
Microsoft Knowledge Base Article - 274478
To edit the LGPO and to configure Local Group Policy settings on a local computer, and then to distribute to other computers, you need to perform the following steps:
At the client requiring the policy settings, log on as an administrator and run the Group Policy snap-in (the Gpedit.msc file). Then focus the Group Policy snap-in on the Local Group Policy of the client.
Configure the LGPO on the client.
Edit and configure the policy settings you require.
Take the entries found in the Local Group Policy Object which are stored in the %Systemroot%\System32\GroupPolicy folder, and then copy them to other clients where you also want to apply these Local Group Policy settings.

NOTE: The settings under User Configuration can normally take effect the next time the user logs on and the settings under Computer Configuration can normally take effect when you restart your system.
It may be necessary to edit the %systemroot%\system32\grouppolicy\gpt.ini and change the version entry so that the policy gets applied.


Jon

There is much pleasure to be gained from useless knowledge. (Bertrand Russell)
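The KB 274478 procedure quoted above, written out as an added PowerShell example (not part of the original thread or the KB article): it bumps the version entry in gpt.ini on the reference machine, copies the GroupPolicy folder to each target, and checks that the target's gpt.ini matches. The workstation names, the use of the admin$ share to reach the target's %SystemRoot%, and the Version layout (user revision in the high 16 bits, computer revision in the low 16 bits) are assumptions not stated in the thread.

```powershell
# Added example (not from the thread or KB 274478): replicate a reference
# machine's Local Group Policy to other workgroup PCs. Run as administrator.
# Assumptions: target names are placeholders; \\<pc>\admin$ maps to the
# target's %SystemRoot%; gpt.ini is plain ANSI text.
$Targets = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')   # hypothetical workstation names
$Source  = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$GptIni  = Join-Path $Source 'gpt.ini'

function Get-BumpedGptVersion([long]$Version) {
    # Version = (user revision * 65536) + computer revision.
    # Increment both halves, staying within 1..65535 so neither wraps to 0.
    $machine = $Version % 65536
    $user    = ($Version - $machine) / 65536
    return ((($user % 65535) + 1) * 65536) + (($machine % 65535) + 1)
}

function Get-GptVersion([string]$Path) {
    foreach ($line in (Get-Content -Path $Path -Force)) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [long]$Matches[1] }
    }
    throw "No Version= entry in $Path"
}

# 1. Bump the version on the reference machine so targets see a changed policy.
$newVersion = Get-BumpedGptVersion (Get-GptVersion $GptIni)
$updated = Get-Content -Path $GptIni -Force | ForEach-Object {
    if ($_ -match '^\s*Version\s*=') { "Version=$newVersion" } else { $_ }
}
Set-Content -Path $GptIni -Value $updated -Encoding ASCII -Force

# 2. Copy the whole GroupPolicy folder (it is hidden, hence /H) to each target.
foreach ($pc in $Targets) {
    $dest = '\\{0}\admin$\System32\GroupPolicy' -f $pc
    & xcopy.exe $Source $dest /E /H /R /K /Y /I | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$pc : xcopy failed with exit code $LASTEXITCODE"
        continue
    }
    # 3. Confirm the target now carries the same version as the reference copy.
    if ((Get-GptVersion (Join-Path $dest 'gpt.ini')) -eq $newVersion) {
        Write-Output "$pc : policy copied, Version=$newVersion"
    } else {
        Write-Warning "$pc : gpt.ini version mismatch after copy"
    }
}
```

In a workgroup, reaching admin$ requires a matching local administrator account on each target and Simple File Sharing turned off, since it forces network logons to Guest. The copy replaces whatever local policy the target already had, and settings under Security Settings live in the local security database rather than in this folder, so they are not carried over by the copy.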
 