W2K User Policies 1

Status
Not open for further replies.

UkMister

IS-IT--Management
Mar 24, 2003
95
GB
Hi,

I'm setting up a w2k pc that will be accessed by members of the public. While I want them to access the internet and other various folders on the network, I don't want them to be able to browse the computers on the network.

I am looking at removing the control panel, command prompt and my network places from the desktop. I used to be able to do this quite effectively in NT 4.0
How do I do these things in Windows 2000??

I would also welcome suggestions on other features I should disable

Many Thanks
 
Hello,

Is the 2k machine on a 2k network with Active directory?

 
Hello,

You can create an organisational unit (OU) on the domain, and move the computers from the COMPUTERS container into the OU. You should also move the users from the USERS container into the OU.

Right mouse click on the OU, and select properties. On the GP tab you can create a new group policy, and set up lots n lots of restrictions etc.

Within the Computer settings section of the group policy, if you don't have the computer's account in the OU then the settings you define here will not work. This is why I suggest moving the computers into the OU also.

You can change the default group policy on the domain, right mouse click and select properties of the domain. But this affects all computers and users.


 
hi,
Thanks to soundguy, because he has explained well,
click by click, how to deploy such a task;
but I disagree about moving computers under such an OU: why?

I am sure that if you port just users (and not all)
under an OU and at this is linked a GPO with :

- Hide My Network Place icon from Desktop
- Disable Control Panel
- ....

those users will not see such features.

Give me a feedback pls.

bye
 
Hi victory,

Changes made to the computer configuration settings within the GP do not take effect unless the computer accounts are in the OU which the GP is assigned to.

It depends if you are to apply restrictions on the computer configurations.

Sorry, I should have mentioned this, but it's optional. Especially useful if your environment allows the general public access to the computers.

Best Regards


 
OK,

those policies (hide network icon, disable cp, ...) are under
the User tree of the policy, and they are applied even if you don't
put the computer under the OU.

However, if the computers are well localized, it's a good
idea to put them under the OU as well, to add Computer Policies
too and grant the right security.

bye
 
Hi,

I have tried out your suggestions but still seem to be having problems getting the policy to be picked up by the user when they log on.

I have created an OU and called it GP1. I moved both the user machine and user object into the OU and configured certain options as you explained. As a test, I am trying to remove the Run command from the Start bar and Network Places from the desktop. When I log back in, the changes haven't been picked up. I have tried logging off and restarting. I have also made sure that the user in question isn't logged on somewhere else just in case this interferes with things.

Any ideas?

Thank you
 
Hi,

How fast did you try? My AD has been known to be 10-15 mins late.

Or have a look at the security settings for the GP.
Check what group the user is a member of.

Make sure you have Authenticated Users checked on the security tab for the GP.

Any changes made in the user config only need a user to log on; any changes made in the computer config need a system restart.

Make sure you don't have any other GP set up higher up in the tree, such as on the domain. If you do, then check the options button on the GP.

/regards

 
hi,
probably this morning your command prompt disappears;
right?

The first time I used policy, they did not go, but the day
after, yes.

Afterwards I learned to give, at the client, the commands

SECEDIT/REFRESHPOLICY USER_POLICY
or
SECEDIT/REFRESHPOLICY MACHINE_POLICY

and however, take a coffee ... before test it

bye
 
UKMister,

If you want the GP to apply to all users who log into the PC, here is what you can do. Place the PC in the OU. Under the User settings you will find one option called "Loopback Processing". What this does is apply the "User" side settings of the GP to any user who logs into a computer in the OU. This way you can contain the User account in a logical OU within your AD and still have the user policy settings applied to them when they log in to the public computer.

Also, soundguy is probably right. AD can take quite a while to replicate changes. It can be rather frustrating when trying to test things, but you can force the replication in Active Directory Sites and Services and also use the command victorv mentioned above to refresh the policy.

SECEDIT/REFRESHPOLICY USER_POLICY
or
SECEDIT/REFRESHPOLICY MACHINE_POLICY
 
Thank you all, but I am still having problems.

Soundguy, you mentioned security settings and groups. My user just has the default security settings and is a member of the Domain Users group only.

I feel like I am overlooking something simple somewhere.

In the OU I have created, I right click, properties, group policy. There is a 'New Group Policy Object'. This is what I have changed. I also have placed the 'Visitor' user and 'visitor PC' objects into the OU.

How do I find out whether another profile is overriding the one I have just created?

Also, the command to refresh the AD, is this just typed into a command prompt on the server?

Again, thank you
 
If the visitor user is a member of the domain users, then check the security button on the GP. It should have Authenticated users in the security allowing read, and apply. But these are taken as default anyhow, so they should be set to this.

Type the SECEDIT command at the prompt on the server.
This forces a refresh.
 
Try using this command to update the policy at your client machine

gpupdate /target:computer
 
Yes, the Visitor user is a member of Domain Users. It also has the right security permissions Read and Apply.

Could it be that the server was not set up properly?
 
I have also read that I should be using something called MMC (Started from the Run prompt)

It appears that the same sort of options are available through this. Is this the same thing?
 
What roles does this server have?

DNS/WINS/DHCP etc.

Is DHCP pushing out the IP of the DNS server to the clients, or have you explicitly defined the IP address for the DNS on the client.

Run IPCONFIG/ALL at the command on the client.

Does it know the DNS server?

An MMC is a console used for customising a view for your system tools and admin tools. It's the same.
 
Erm, very silly question! If I want to hide or remove something, do I check the Enable or Disable box?
 
OK, Now I know what your problem is....

You want to enable to disable the function.

In other words, you are enabling the restriction.

I fell for it also, a long time ago...
 
Many many thanks. I will try this out now. I had a feeling it was something simple I was overlooking.

I'll also mark your post with a star because it was very helpful
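
A simplified model of the behaviour the replies above converge on, as an added example that is not part of the original thread and not Microsoft's processing code: user-side settings follow the user object's OU, computer-side settings follow the computer's OU, a GPO is skipped without Read and Apply permission, and a "Remove"/"Hide" policy restricts only when set to Enabled. It ignores loopback processing, No Override and Block Inheritance, uses one group set for both user and computer, and all GPO names are made up (GP1 is the OU named in the thread).

```python
# Simplified model of Group Policy resolution (added example, not Microsoft's algorithm).
from dataclasses import dataclass, field

ENABLED, DISABLED = "Enabled", "Disabled"   # a setting absent from a GPO is "Not configured"

@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)       # user-side settings
    computer: dict = field(default_factory=dict)   # computer-side settings
    # Groups holding Read + Apply Group Policy on this GPO (the default is Authenticated Users).
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})

def resolve(chain, side, groups):
    """chain: GPOs in processing order (domain first, then OUs down to the object's own OU).
    Later GPOs overwrite earlier ones; 'Not configured' leaves the earlier state alone."""
    result = {}
    for gpo in chain:
        if not (gpo.apply_to & groups):   # security filtering: GPO is skipped entirely
            continue
        result.update(getattr(gpo, side))
    return result

def effective(user_chain, computer_chain, groups):
    """User-side settings follow the USER object's location, computer-side the COMPUTER's."""
    return {"user": resolve(user_chain, "user", groups),
            "computer": resolve(computer_chain, "computer", groups)}

def restricted(settings, policy):
    """A 'Remove ...' / 'Hide ...' policy restricts only when its state is Enabled."""
    return settings.get(policy) == ENABLED

# Constructed sample data (hypothetical GPO names).
RUN = "Remove Run menu from Start Menu"
NETHOOD = "Hide My Network Places icon on desktop"
domain = GPO("Default Domain Policy")
kiosk = GPO("GP1 kiosk policy", user={RUN: ENABLED, NETHOOD: DISABLED})
groups = {"Authenticated Users", "Domain Users"}

in_ou = effective([domain, kiosk], [domain, kiosk], groups)    # user and PC both in GP1
user_outside = effective([domain], [domain, kiosk], groups)    # only the PC is in GP1

if __name__ == "__main__":
    print("Run menu removed:", restricted(in_ou["user"], RUN))            # Enabled
    print("Network Places hidden:", restricted(in_ou["user"], NETHOOD))   # Disabled box ticked
    print("User outside OU restricted:", restricted(user_outside["user"], RUN))
```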
 