Solved

poledit & microsoft family login

Posted on 1998-05-10
6
347 Views
Last Modified: 2013-12-16
Is it possible to set up user policies on a stand alone machine using poledit and the microsoft family login service.  The user policies seem to be processed through grouppol.dll in the \windows\system directory.  If I create a .pol file with each of the usernames, set restrictions, and save it in the \windows directory, nothing different happens.  The only changes that seem to work with poledit are those which effect the entire machine regardless of the user.
0
Comment
Question by:ptpovo
  • 4
  • 2
6 Comments
 
LVL 14

Accepted Solution

by:
smeebud earned 100 total points
Comment Utility
Some utilities can handle this much easier and without [FUTURE HEADACHE]
---
"crowd.zip 1.04MB" [Shareware---Well worth it]
Take control of your Windows 95 PC with this utility, which lets you set up separate,
password-protected desktops for multiple users.
http://ftpsearch.ntnu.no/
---------POLEDIT. HOW TO;
Policy Editor

 Customization fiends can use Windows 95's System Policy Editor to
 streamline and organize their desktops.
 -------------------------------------------------------------------
 Windows 95 provides two ways to radically customize your system.
 First, you can set up User Profiles in the Control Panel's
 Passwords applet. This capability is useful for office coworkers
 who share one Windows 95 system because the User Profiles feature
 lets each user customize the Start menu, desktop, screen saver,
 wallpaper, sounds, and even program installations to suit his or
 her taste. When your business partner logs on by typing her name
 and password in a dialog on system start-up, she gets Windows the
 way she wants it. When your assistant logs on, he gets it his way.

 The second way to customize a system is to use the System Policy
 Editor to manage access to critical Windows 95 features and
 functions. With this utility, you can turn off a long list of
 Windows 95 Control Panel settings, devices, interface objects, and
 system-level access points. Although power users might balk at
 eliminating features and functions, you'd be surprised at the
 benefits. Turning off certain Shell items is an excellent way to
 customize the desktop and create a uniform environment for
 networked users. Together, the System Policy Editor and User
 Profiles can create a less complex, more controlled environment
 for some users, while giving experienced users access to all Win
 95 offers.

 Although user profiles come into play mainly when several users
 are sharing one PC, you can create different user profiles to
 customize your own desktop. For instance, you might create one
 desktop configuration for a Windows 95 notebook when it's in the
 office and another for when it's on the road. Instead of naming
 user profiles after people, you'd name them, say, Office and Road.
 You might set the Office profile to a higher resolution than the
 Road profile, which might also include your remote communications
 program.

 HOW TO: CREATE PROFILES To create user profiles, open Control
 Panel's Passwords applet and click on the User Profiles tab.
 Select the radio button beside the "User can customize their
 preferences . . ." description. Place checks beside both options
 in the User Profile Settings box. Then click on OK.

 Windows will want to restart the system at this point, but don't
 let it. It's better if you configure each user right away. To do
 that, choose Shut Down's "Close all programs and log on as a
 different user" option. Then after a few seconds, Windows will
 display the Welcome to Windows dialog familiar to network users.
 Enter the name of the first user or custom desktop beside User
 name, and click on OK. You'll be asked to let Win 95 save
 individual settings for this user. Click on Yes. The wait cursor
 appears while Windows creates the new user configuration. Choose
 Shut Down again and repeat the process for every user or custom
 desktop you want to create. When you're done, choose Shut Down and
 restart the computer.

 After creating all the users or desktops you want, you're ready to
 work with the System Policy Editor. But remember, when users log
 on, any changes they make to the system settings and desktop
 configurations are saved only to their user profiles. In fact, you
 don't even need to use the System Policy Editor unless you want to
 restrict access to functions in some but not all profiles. If that
 is the case, then the System Policy Editor is useful for two
 things: setting user-specific and computer-specific properties.

 User-specific properties include personal access to the Control
 Panel settings and devices, desktop objects, network printer and
 file sharing, Shell features, and system elements.
 Computer-specific properties include the system's access to
 network client/server software and features as well as system
 operations. In effect, you can set up a PC that is nearly
 accident-proof by restricting access to the Registry Editor and by
 disabling such events as Shut Down and the saving of settings on
 exit.

 -------------------------------------------------------------------
 Better Safe Than Sorry

 Win 95's System Policy Editor lets you set up barriers to the
 software, settings, devices, and system files that make a
 multiuser system most vulnerable. For instance, creating a user
 profile with these policy restrictions makes it difficult for most
 users to inadvertently cripple a system.

    USER PROPERTIES      RECOMMENDED POLICY       THE EFFECTS
                              SETTINGS
 ---------------------- -------------------------------------------
 Control Panel|Display  Hide Settings Page  Can't alter or remove
                                            settings for display
                                            drivers and controls.
 ---------------------- -------------------------------------------
 Control                Disable Passwords   Can't change passwords
 Panel|Passwords                            or create new user
                                            profiles from the
                                            Control Panel's
                                            Passwords applet.
 ---------------------- -------------------------------------------
 Control                Hide General and    Prevents accidental
 Panel|Printers         Details             crippling of printing
                        Disable Deletion of functions.
                        Printers
                        Disable Addition of
                        Printers
 ---------------------- -------------------------------------------
 Control Panel|System   Hide Device Manager Protects critical
                        Hide Hardware       system configuration
                        Profiles            settings while leaving
                        Hide File System    access for customizing
                        Hide Virtual Memory graphics.
 ---------------------- -------------------------------------------
 Shell|Restrictions     Remove Run Command  Prevents users from
                        Remove Taskbar from running programs from
                        Settings            the command line and
                        Remove Find Command makes it difficult to
                        Hide Drives in My   alter the Taskbar or
                        Computer            drive contents.
 ---------------------- -------------------------------------------
 System|Restrictions    Disable             Removes the
                        RegistryEditing     opportunity to
                        Tools               directly tamper with
                                            the Registry.

 -------------------------------------------------------------------
 Network Know-How

 The System Policy Editor's entire range of features, which
 includes templates and user and group policies, won't benefit you
 unless you're the administrator of an NT or NetWare network.
 Templates are an advanced way to work with the Registry. The
 System Policy Editor's default template lists all the policies you
 can use and is stored in a file called ADMIN.ADM. You can also
 create custom policy templates (and multiple .ADM files) that
 define specific sets of Registry values. This way, you can apply
 system policies to a select group of applications. The settings
 are then stored in a policy file (.POL), which updates the local
 Registry when a network user logs on. User policies let you create
 custom setups, such as limited access for guests or temporary
 users, for individual network users. Group policies take advantage
 of NetWare and NT server groups, letting you set broad controls
 from one policy file.

 If you're a network administrator, the Microsoft Windows 95
 Resource Kit is a good starting reference source for learning to
 use the System Policy Editor's extended features. (For those of
 you using local systems, System Policy Editor can provide some
 benefits, though it's easy to miss them in the shroud of
 network-ese. More on this later.)

 If several people are using one PC, configure user profiles before
 using the System Policy Editor. Making policy changes to the
 default user and computer properties is asking for trouble and
 confusion if you don't.

 To install the System Policy Editor (PolEdit for short), an
 optional utility you add to Accessories from the Windows 95 CD,
 first, open the Add/Remove Programs option in Control Panel. Click
 on the Windows Setup tab and press the Have Disk button. Then
 click on Browse and navigate to the \Admin\Apptools\ Poledit
 folder on the Win 95 CD. Open the folder, and click on OK once,
 and OK again. You should be looking at the Have Disk dialog now.
 Place a check mark beside the second line, System Policy Editor,
 and click on the Install button. Once the program has installed,
 you'll find the System Policy Editor in
 Start\Programs\Accessories\System Tools.

 -------------------------------------------------------------------
 DID YOU KNOW... you can avoid tediously scrolling the Registry?
 From most any entry, just type the name of the item you want.
 Include the period if the item you seek is a file extension.
 -------------------------------------------------------------------

 Separatist Policies

 If you're using the System Policy Editor on a standalone system,
 forget about creating policy (.POL) files. They were designed for
 use on a network, so ignore the System Policy Editor's File menu
 options for New and Open. While it may be possible to load them on
 a local machine, it's not worth the trouble because a user could
 simply delete the .POL file restricting their access to resources;
 that can't happen on a networked system because the .POL file
 resides on a server, not locally. Policy files override the
 Registry settings for both users and computers.

 When you're working with the System Policy Editor on a local,
 non-networked computer, you're making policies for users and
 systems that Windows 95 stores in the Registry's USER.DAT and
 SYSTEM.DAT files. Fortunately, Windows 95 creates and stores a
 USER.DAT file for each user or desktop. When you create a user
 profile, new folders, identified by username, are placed in a
 Windows subfolder called Profiles. This both protects the default
 USER.DAT file, which remains in its original location, and
 prevents you from setting policies for one user while you're
 logged on as another.

 HOW TO: SET RESTRICTIONS To use PolEdit to set restrictions, log
 on as the user whose settings you want to modify. Run the System
 Policy Editor from the System Tools submenu. Choose File|Open
 Registry. When it launches, you'll see two icons: Local User and
 Local Computer. About 99% of any changes you make will be in Local
 User. In fact, you should leave Local Computer entirely alone.

 Click on the Local User icon to view the top-level user properties
 available to you: Control Panel, Desktop, Network, Shell, and
 System. Expanding each level of properties opens lists of policies
 that you simply check to enable. See the table, "Better Safe Than
 Sorry," for the Local User settings we recommend you use to
 accident-proof a system from inexperienced users. These
 recommendations presume your computer isn't networked. If it is,
 deny access to key networking features, too.

 To do this, open both the Network and Shell book icons from the
 System Policy Editor. You can disable printer and file-sharing
 controls from the Network book and hide or deny access to Network
 Neighborhood from the Shell|Restrictions policy selections. As an
 extra precaution, delete the Shortcut to the System Policy Editor
 in your Start\Programs\Accessories\System Tools folder. Also,
 remove any obvious system tools or potentially damaging utilities
 you may have added to the desktop, the Start menu, or the Programs
 menu and submenus. Finally, avoid changing the Shell|Custom
 Folders policies of Local User. Windows modifies this section
 automatically.

 Dr. Jekyll, Mr. Hide

 Now on to major desktop makeovers. The following examples lay out
 two strategies for removing all or some desktop objects. Desktop
 minimalists will discover interesting ways to wipe the desktop
 clean of all artifacts. But before beginning any major desktop
 customization, protect your system by running Win 95's Config
 Backup utility (see the sidebar, "Read Me First").

 To get in the spirit of the following tips, set up two
 experimental desktops under the names Dr. Jekyll and Mr. Hide. Log
 on using the Mr. Hide profile to test the clean-slate desktop
 customizations. Then, whenever you want to return to your normal
 configuration, just log on as Dr. Jekyll. There are going to be
 some changes in any serious desktop makeover that will fall
 outside the Registry sections that User Profiles builds
 redundancies for. So don't forget to run Config Backup, no matter
 what.

 Additional fail-safes include creating Shortcuts for every object
 you're about to delete and placing all the Shortcuts in one
 folder. The items for which you need to do this vary, depending on
 your setup options, whether you're running Microsoft Plus!,
 customizations already in place, and the programs you've
 installed.

 The first way to wipe off the desktop is also the easiest to set
 up. You don't actually delete desktop icons, you hide them. Then
 you can use your folder filled with desktop Shortcuts and icons
 any time you want, as the Start menu and the Taskbar remain
 on-screen.

 HOW TO: WIPE THE DESKTOP CLEAN To wipe your desktop clean, run the
 System Policy Editor. Choose File|Open Registry and double-click
 on Local User. Expand the Shell book icon, and then click on
 Restrictions. Toward the bottom of the policy list is an entry
 labeled "Hide all items on Desktop": Check that box, exit the
 System Policy Editor, and restart your system. Afterwards, Win
 95's desktop will be bare. This method has one annoying effect,
 though: Not only does everything on your desktop disappear, but
 you can't right-click on the desktop to open its context menu.
 Essentially, this system policy restriction turns the desktop into
 an empty canvas.

 -------------------------------------------------------------------
 DID YOU KNOW... you can set Win 95's System Policy Editor to
 automatically launch certain programs at start-up? Run PolEdit and
 select File|Open Registry. Double-click on Local Computer, open
 the System book icon, and check the Run entry. Now click on the
 Show button in the Settings for Run dialog. In the Show Contents
 dialog, you can select which programs launch at start-up.
 -------------------------------------------------------------------

 HOW TO: STREAMLINE The second way to streamline your desktop is
 more complex to set up, as it requires Registry tuning. The
 desktop's context menu remains, including the Shortcut to Display
 Properties. This method also gives you double-click access to My
 Computer, and you can access the System Properties available from
 My Computer's context menu. On the negative side, this method
 really removes everything from your desktop. Once you've
 customized Windows 95 using the following steps, go to the
 Windows\Desktop folder and look inside; it'll include only a label
 reading My Computer, but no icon. If you're a power user, this is
 the method for you because it removes irritating Microsoft icons
 from your desktop, making way for creative desktop Shortcuts and
 special folders.

 There are three steps to the process. The first takes care of the
 Inbox, the Microsoft Network, Recycle Bin, and the Internet (if
 you have Plus! installed). The second creates an invisible My
 Computer icon (that is, you'll see only the words My Computer but
 no icon). And the third removes Network Neighborhood.

 Open the Registry Editor, click on the HKEY_LOCAL_MACHINE key, and
 follow this path: \Software
 \Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace.
 Below the NameSpace key are the CLSID numbers for some special
 tool objects (not special folders) that are glued to your desktop.
 In most cases, you'll find Class IDs for Inbox, the Microsoft
 Network, and Recycle Bin. If you click on each CLSID number in
 turn, the name of the tool object becomes visible in the Registry
 Editor's right pane. (As an extra precaution, make a text file to
 copy and hold the CLSID numbers before you delete them.) Now
 highlight and delete each Class ID in NameSpace. That's all there
 is to it.

 My Computer and Network Neighborhood, however, are hardwired into
 Win 95's code, specifically the SHELL32.DLL file. That's why the
 steps differ. To make My Computer invisible, move to the
 Registry's HKEY_CLASSES_ROOT\CLSID\ section and locate this entry:
 {20D04FE0-3AEA-1069-A2D8-08002B30309D}. Click on this CLSID
 number, and you'll see it's assigned to My Computer. Now click on
 the plus sign, then the DefaultIcon subkey. In the Registry
 Editor's right pane, double-click on the "ab" default entry. On
 most systems you should find this line: C:\WINDOWS\Explorer.exe,0.
 The zero at the end calls the icon in the EXPLORER.EXE file.
 Simply change the 0 to a 4. Close down the Registry Editor and
 check your desktop. What you should see is that My Computer is
 invisible except for its text label. If the value data next to the
 "ab" default entry reads C:\WINDOWS\SYSTEM\cool.dll,16, that means
 you have Microsoft Plus! installed. If so, just type
 C:\WINDOWS\Explorer.exe,4 as the value for the DefaultIcon in the
 Edit String dialog instead. Once that's done, close RegEdit.

 The System Policy Editor handles the last step. Choose File|Open
 Registry. Double-click on the Local User icon and click on the
 plus signs beside Shell and then Restrictions. Halfway down,
 you'll see an entry labeled Hide Network Neighborhood. Check it,
 then close the System Policy Editor.

 This method of removing Network Neighborhood is more assiduous
 than the "Hide all items on Desktop" option in the System Policy
 Editor. Unfortunately, it creates a barrier between the user and
 Network Neighborhood: You can still access network drives, but
 only if you've persistently mapped them in advance. Close the
 System Policy Editor, and return to your nearly blank desktop.

 Finally, grab your invisible My Computer by the top edge of the
 icon and drag it to the bottom of the desktop so that the label is
 directly underneath the Start button and Taskbar. The label will
 disappear. Now, if you double-click on the desktop just above the
 Start button, My Computer appears.

 -------------------------------------------------------------------
 DID YOU KNOW... Win 95 tracks passwords in a password list file
 (.PWL) it uses for both network and local log ons? However, the
 initial implementation of password caching is easy to crack. So if
 you're using passwords, download the Enhanced Password Cache
 Security Update from Microsoft's Web site
 (http://www.microsoft.com/windows/software/updates.htm). It
 improves password encryption and prompts users for network
 passwords rather than relying on the cache.
 -------------------------------------------------------------------

 Big Returns

 What if you decide you want to get rid of all the profiles and
 policies you have set up for the users on your system? User
 profiles don't take up much disk space, but facing the Welcome to
 Windows dialog every time you turn on the PC can be annoying.

 To turn off User Profiles, reverse the steps you took to turn it
 on in Control Panel's Passwords applet, clicking on the radio
 button that reads "All users of this PC use the same preferences
 and desktop settings." When Windows restarts, you'll be back to
 the default profile, which resides in the .Default branch of the
 HKEY_USERS key in the Registry. (By the way, it's repeated in the
 HKEY_CURRENT_USER branch.) That's why it's a smart idea not to
 modify Local User before you add user profiles, unless there are
 modifications you'd like to make globally to all profiles.

 When you turn off User Profiles, that's all you're doing. You're
 not deleting the individually named profile folders that Windows
 set up. Nor are you removing your profiles' settings in the
 Registry. It's reasonable to assume that Microsoft figures you
 might want to turn User Profiles back on later. But you should
 know how to get rid of profile settings fully after turning off
 User Profiles from the Passwords Control Panel. Run the Registry
 Editor and work your way down this branch: HKEY_LOCAL_
 MACHINE\Software\Microsoft\Win-dows\CurrentVersion\ProfileList.

 When you expand the ProfileList folder, you'll see entries for
 each profile name you've created, including your own, which Win 95
 created when you first installed it. Right-click on and delete
 each in turn. Then close RegEdit and open the Profiles folder
 inside your Windows folder. Recycle everything you find in there.
 You need to do one more task to prevent the Welcome to Windows
 dialog from launching. When you build user profiles with passwords
 on a local system, separate password list (.PWL) files are created
 in the main Windows folder. Delete the .PWL files you find there,
 and restart the computer. You'll be prompted for a username and
 password, just as with your first installation of Win 95. Enter
 your name, but no password. A dialog will ask you one last time to
 confirm your name and nonpassword. Click on OK, and you'll never
 see the dialog again.

 Finally, run the System Policy Editor to make sure your
 restrictions are set the way you want them. Got your Policies
 settings all screwed up, and you're not sure how to get back to
 square one? By default, the only check mark you should see in
 Local User is the one beside Wallpaper, under Desktop. Things vary
 in Local Computer, especially on a network. But here are the
 policy entries likely to have check marks: Network|
 Passwords|"Hide Share Passwords With Asterisks"; Network|Update|
 Remote Update; System|"Network Path For Windows Setup" (the field
 beside Path should contain the pathname to the drive and directory
 you installed Windows 95 from, such as E:\WIN95\); and System|Run.
 When you click on Run, then Show, be sure the following entries
 are included in the "Items to run at startup" listings: SystemTray
 should appear under Value Name, and SysTray.Exe should be its
 Value.

 Both the Registry Editor and the System Policy Editor provide
 tools that can easily customize or cripple the Windows 95
 operating system. That's why you can't take too many precautions
 when you're working with these utilities. But if you do choose to
 work with them, they will open up the operating system and give
 you greater control over how it interacts with users and your
 computing environment.

 -------------------------------------------------------------------
 Scot Finnie is the author of The Underground Guide to Windows 95,
 published by Addison-Wesley. You can reach him at
 sfinnie@tiac.net.
 -------------------------------------------------------------------
 Send comments about this page to Windows Sources Webmaster

Regards,
Bud
0
 
LVL 14

Expert Comment

by:smeebud
Comment Utility
Some other options,
-----------
Restrictions without running Poledit
If you want to make restrictions to what users can do without having to running Poledit,
changes can be made directly to the Registry.
This will allow you to make a REG file with the specific restrictions you want
and importing them all at once.
1.Start Regedit
2.Go to HKEY_Current_User / Software / Microsoft / CurrentVersion / Policies
3.There should already be at least a Explorer
4.Additional keys that can be created under Policies are System, Network and WinOldApp
5.You can then add DWORD values set to 1 in the appropriate keys
6.In the Explorer key you can add:
NoDeletePrinter - Disables Deletion of Printers
NoAddPrinter - Disables Addition of Printers
NoRun - Disables Run Command
NoSetFolders - Removes Folders from Settings on Start Menu
NoSetTaskbar - Removes Taskbar from Settings on Start Menu
NoFind - Removes the Find Command
NoDrives - Hides Drives in My Computers
NoNetHood - Hides the Network Neighborhood
NoDesktop - Hides all items on the Desktop
NoClose - Disables Shutdown
NoSaveSettings - Don't save settings on exit
DisableRegistryTools - Disable Registry Editing Tools - NOTE: Be Careful of this one
7.In the System key you can enter:
NoDispCPL - Disable Display Control Panel
NoDispBackgroundPage - Hide Background Page
NoDispScrSavPage - Hide Screen Saver Page
NoDispAppearancePage - Hide Appearance Page
NoDispSettingsPage - Hide Settings Page
NoSecCPL - Disable Password Control Panel
NoPwdPage - Hide Password Change Page
NoAdminPage - Hide Remote Administration Page
NoProfilePage - Hide User Profiles Page
NoDevMgrPage - Hide Device Manager Page
NoConfigPage - Hide Hardware Profiles Page
NoFileSysPage - Hide File System Button
NoVirtMemPage - Hide Virtual Memory Button
8.In the Network key you can enter:
NoNetSetupSecurityPage - H
NoNetSetup - Disable the Network Control Panel
NoNetSetupIDPage - Hide Identification Page
NoNetSetupSecurityPage - Hide Access Control Page
NoFileSharingControl - Disable File Sharing Controls
NoPrintSharing - Disable Print Sharing Controls
9.In the WinOldApp key you can enter:
Disabled - Disable MS-DOS Prompt
NoRealMode - Disables Single-Mode MS-DOS

Bud
0
 

Author Comment

by:ptpovo
Comment Utility
Thank you very much for such a comprehensive answer.  I applied the information beginning at "Separatist Policies" and it works well.  I do, however have an additional question regarding hidden drives which I will post.  Thanks again...
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 14

Expert Comment

by:smeebud
Comment Utility
Oh, just something I had laying around::))

Glad it's working and I could be of help.

Regards,
Bud
0
 

Author Comment

by:ptpovo
Comment Utility
I figured out the hidden drive routine as well so I've deleted my second question.  In Poledit, you have the option of hiding all drives in 'My Computer'. Problem is, the current user's apps can't figure out where to save anything.  I've found Tweak UI in conjuction with Poledit is the solution.  Choose the drives you want hidden (or visible) in Tweak UI then use Poledit to hide the control panel so that your settings can't be (easily) changed.

Thanks again!
0
 
LVL 14

Expert Comment

by:smeebud
Comment Utility
Great trick PT.
I'll keep that for my database::))

Thanks
Bud
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

If you Lost your Administrator password for Windows XP, Vista, or 7 this CD will help you reset the password to blank so you can log in. Once in you should change that blank password to something!! Download the ISO on this page http://www.spl…
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now