Solved

Group policies on NT2000 server - configured as workgroup not domain

Posted on 2004-08-11
Last Modified: 2010-04-14
I have a Windows NT2000 server with 9 thin-client users logging in to Terminal Services (also several mixed desktop PCs using the server for file sharing).  I do not have a domain configured - just a workgroup. I need to drastically restrict the access of 6 users who log on to thin clients.  I have been able to manipulate the policy, but it applies to all users logging on to thin clients or the console. As I do not have Active Directory I cannot use OUs.  I have tried altering the sharing on the folder winnt\system32\group policy and subfolders to prevent those users from accessing the policy files, but this seems to have no effect (the C drive is formatted FAT32).

Can I use group policy in this setup?
Can I move the group policy folder to D: (NTFS) and try NTFS permissions?
Can I convert the C drive to NTFS?
Can I convert to a domain easily?

Many thanks

Glen
Question by:merlok
8 Comments
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 150 total points
ID: 11772481
I have never used a TS outside of a Domain, so my comments may not have much weight here, but this is an article discussing the use of GPOs on a TS using a Domain Controller.

http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&sd=tech

Regarding your first two questions (assuming you are speaking of Local Group Policies), I really have no answer since I would have to test these out on a server in a workgroup, and just do not have time to set it up right now.  

Definitely think about going to a Domain setup though, and definitely use NTFS for your file system.  I see no reason at all in your case to use FAT32.  Conversion is easy, using the Convert command (convert c: /fs:ntfs)

Creating your domain easily will depend on your setup and users, but I would hazard to guess that it would be easy to do.  And very beneficial to you in the end, being that you will now have a place for central management of your users.

If you need articles on the transformation, we can certainly point you in the right direction.

FE
0
 
LVL 14

Assisted Solution

by:dlwyatt82
dlwyatt82 earned 100 total points
ID: 11772782
In a standalone server configuration like yours, you only have one Group Policy Object to work with (the local policy), which makes it difficult to apply a different set of policies to various users or groups. If you absolutely cannot pursue the option of setting up a domain, then I would recommend configuring user-specific registry-based policies for the users you wish to lock down. This can be accomplished via login scripts, or manually using regedt32.

It will take some research to find out exactly which registry keys / values you need to create to accomplish your desired results, but the keys will reside in either the "Software\Policies" or "Software\Microsoft\Windows\CurrentVersion\Policies" keys of each user's registry hive.
0
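
The per-user registry approach described in the answer above, as an added example that is not part of the original thread: an administrator-run batch script that loads each restricted user's NTUSER.DAT, writes policy values under Software\Microsoft\Windows\CurrentVersion\Policies, and unloads the hive again. Assumptions: reg.exe is available on the server, the users have local profiles under C:\Documents and Settings, the account names are placeholders, and the three restrictions (NoRun, NoControlPanel, DisableRegistryTools) are samples chosen for illustration.

```batch
@echo off
rem Added example: per-user registry policies on a standalone (workgroup) server.
rem Run as an administrator while the target users are logged OFF; a profile
rem hive that is in use cannot be loaded.
setlocal

rem Assumptions: local profile root and placeholder account names.
set PROFILES=C:\Documents and Settings
set USERS=tsuser1 tsuser2 tsuser3
set POL=Software\Microsoft\Windows\CurrentVersion\Policies

for %%U in (%USERS%) do call :lockdown %%U
endlocal
goto :eof

:lockdown
rem Mount the user's hive under a temporary key in HKEY_USERS.
reg load HKU\Lockdown_%1 "%PROFILES%\%1\NTUSER.DAT" >nul 2>&1
if errorlevel 1 (
    echo [fail] %1: hive not loaded - user logged on or profile missing
    goto :eof
)

rem Sample restrictions (illustrative choice, not taken from the thread):
rem   NoRun                - removes Run from the Start menu
rem   NoControlPanel       - blocks Control Panel
rem   DisableRegistryTools - blocks regedit/regedt32 for this user
reg add "HKU\Lockdown_%1\%POL%\Explorer" /v NoRun /t REG_DWORD /d 1 /f >nul
reg add "HKU\Lockdown_%1\%POL%\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f >nul
reg add "HKU\Lockdown_%1\%POL%\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f >nul

rem Read one value back so a failed write is visible before the hive is released.
reg query "HKU\Lockdown_%1\%POL%\Explorer" /v NoRun >nul 2>&1
if errorlevel 1 echo [warn] %1: NoRun not present after write

rem Always unload, so the hive file is released before the user's next logon.
reg unload HKU\Lockdown_%1 >nul
if errorlevel 1 (
    echo [fail] %1: hive still loaded - close any registry editor showing it
    goto :eof
)
echo [ok] %1: policy values written
goto :eof
```

Administrators and any account not listed in USERS are left untouched, which is the per-user separation a single local policy object cannot give on a standalone server.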
 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 100 total points
ID: 11772912
As far as I know, you cannot use Group Policy in this configuration but on your server (i.e. Terminal Services - you may have full control there).

You can use Group Policy on whatever location you wish but in a peer-to-peer network (workgroup) it is of no significance...

You can convert drive C: to NTFS easily... the question is whether you may be able to recover in case of disk or OS failure (it is strongly recommended that you burn a recovery Boot CD that will include software for recovery)...

You CAN convert the whole WorkGroup to a Domain easily as well (just configure all clients to connect to a domain and configure the Server as a DC).

If you wish to get a step-by-step guide... just tell me and I will run over the hills and bring those to ya...

Cyber
0

Author Comment

by:merlok
ID: 11773680
On my previous server (NT4 terminal services) I did use regedt32 and manually edited the keys.  On the NT2000 server when I run regedt32 - load hive (NTUSER.dat) from c:\documents and settings\username, the changes I apply seem to make no difference.

This is why I am looking at local group policy.

Am I using regedt32 properly on NT2000?
0
 
LVL 3

Assisted Solution

by:saito1
saito1 earned 100 total points
ID: 11773706

Can I use group policy in this setup?
  You should convert your network to a domain environment.

Can I move group policy folder to D: (NTFS) and try NTFS permissions?
  No need to do this in a domain environment.

Can I convert C drive to NTFS?
  Yes, at the command prompt execute the command:
  convert c: /fs:ntfs /v

  I recommend converting your drive's format to NTFS if there is no dual boot with Windows 9x.
  For the convert command:
http://support.microsoft.com/default.aspx?scid=kb;en-us;214579&Product=win2000

Can I convert to domain easily?
  Yes, very easy:
  Step-by-step guide to "Convert a Windows 2000 Server to a Domain Controller"
http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/trust/w2kadm28.mspx#XSLTsection123121120120

Rgrds...

0
 
LVL 2

Assisted Solution

by:Ranidae
Ranidae earned 50 total points
ID: 11777801
Hi,

Just to throw my 2 cents in... I have in the past configured the local policy to restrict users in a severe way, I then found the policy object itself and denied the administrator account the NTFS read permission to the policy, that way anybody but the admin has the policy applied.  It's not a perfect solution (I would encourage a domain to get more control), but it worked for me in limiting users on local machines for workgroup environments.

Regards.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 11796936
Since the terminal server is not part of a domain, it will still process the NT4 style system policies (the predecessor to group policies). Make sure you read the policies part of the Guide below before you start; unlike group policies, the settings defined in a system policy will *not* simply revert back when you set them back to "undefined", you have to undo them explicitly.

Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

How to apply System Policy settings to Terminal Server
http://support.microsoft.com/?kbid=192794

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12141871
Thanks
0


Question has a verified solution.
