Solved

Group policies on NT2000 server - configured as workgroup not domain

Posted on 2004-08-11
8
248 Views
Last Modified: 2010-04-14
I have a windows NT2000 server with 9 thinclient users logging in to terminal services.  (also several mixed desktop pc's using the server for file sharing).  I do not have domain configured - just workgroup. I need to drastically restrict the access of 6 users who log on to thin clients).  I have been able to manipulate the policy but it applies to all users logging on to thin clients or console. As I do not have active directory I cannot use OU's.  I have tried altering the sharing on the folder winnt\system32\group policy and sub folders to prevent those users from accessing the policy files but this seems to have no effect. (c drive is formated fat32).

Can I use group policy in this setup ?
Can I move group policy folder to D: (NTFS ) and try ntfs permissions. ?
Can I convert C drive to NTFS ?
Can I convert to domain easily ?

many thanks

Glen
0
Comment
Question by:merlok
8 Comments
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 150 total points
ID: 11772481
I have never used a TS outside of a Domain, so my comments may not have much weight here, but this is an articled discussing the use of GPO's on a TS using a Domain Controller..

http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&sd=tech

Regarding your first two questions (assuming you are speaking of Local Group Policies), I really have no answer since I would have to test these out on a server in a workgroup, and just do not have time to set it up right now.  

Definitely think about going to a Domain setup though, and definitely use NTFS for your file system.  I see no reason at all in your case to use FAT32.  Conversion is easy, using the Convert command (convert c: /fs:ntfs)

Creating your domain easily will depend on your setup and users, but I would hazard to guess that it would be easy to do.  And very beneficial to you in the end, being that you will now have a place for central management of your users.

If you need articles on the transformation, we can certainly point you in the right direction.

FE
0
 
LVL 14

Assisted Solution

by:dlwyatt82
dlwyatt82 earned 100 total points
ID: 11772782
In a standalone server configuration like yours, you only have one Group Policy Object to work with (the local policy), which make it difficult to apply a different set of policies to various users or groups. If you absolutely cannot pursue the option of setting up a domain, then I would recommend configuring user-specific registry-based policies for the users you wish to lock down. This can be accomplished via login scripts, or manually using regedt32.

It will take some research to find out exactly which registry keys / values you need to create to accomplish your desired results, but the keys will resided in either the "Software\Policies" or "Software\Microsoft\Windows\CurrentVersion\Policies" keys of each user's registry hive.
0
 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 100 total points
ID: 11772912
As far as I know, You cannot use Group Policy in this configuration but on your server (i.e. Terminal Services - you may have full controll there).

You can use Group Policy on whatever location you wish but in a peer to perr network (workgroup) it is of no significance...

You can convert drice C: to NTFS easily... the question is whether you may be able to recover in case of disk or OS failure (It is strongly recommended that you will burn a recovery Boot CD that will include software for recovery)...

You CAN convert the whole WorkGroup to a Domain easily as well (just configure all clients to connect to a domain and configure the Server as a DC)..

If you wish to get a step-bystep guide... just tell me and I will run over the hills and bring those to ya...

Cyber
0
 

Author Comment

by:merlok
ID: 11773680
on my previous server (NT4 terminal services) I did use regedt32 and manually edited the keys.  On the NT2000 server when I run regedt32 - load hive (NTUSER.dat ) from c:\douments and settings\username the changes I apply seem to make no difference.

This is why I am looking at local group policy.

Am I using regedt32 properly on NT2000?
0
U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

 
LVL 3

Assisted Solution

by:saito1
saito1 earned 100 total points
ID: 11773706

Can I use group policy in this setup ?
  you should convert your network to domain environment.

Can I move group policy folder to D: (NTFS ) and try ntfs permissions. ?
  no need to do in domain environment
 
Can I convert C drive to NTFS ?
  yes, at command prompt execute the command:
  convert c: /fs:ntfs /v

  I recommend to convert your driver's format to NTFS if there is no dual boot between windows 9x
  for convert command:
http://support.microsoft.com/default.aspx?scid=kb;en-us;214579&Product=win2000

Can I convert to domain easily ?
  yes very easy:
  step by step guide to "Convert a Windows 2000 Server to a Domain Controller"
http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/trust/w2kadm28.mspx#XSLTsection123121120120

Rgrds...

0
 
LVL 2

Assisted Solution

by:Ranidae
Ranidae earned 50 total points
ID: 11777801
Hi,

Just to throw my 2 cents in... I have in the past configured the local policy to restrict users in a severe way, I then found the policy object itself and denied the administrator account the NTFS read permission to the policy, that way anybody but the admin has the policy applied.  It's not a perfect solution (I would encourage a domain to get more control), but it worked for me in limiting users on local machines for workgroup environments.

Regards.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 11796936
Since the terminal server is not part of a domain, it will still process the NT4 style system policies (the predecessor to group policies). Make sure you read the policies part of the Guide below before you start; unlike group policies, the settings defined in a system policy will *not* simply revert back when you set them back to "undefined", you have to undo them explicitly.

Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

How to apply System Policy settings to Terminal Server
http://support.microsoft.com/?kbid=192794

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12141871
Thanks
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
When we talk about DevOps toolchains, I sometimes wonder how many people really get what we’re talking about. I don’t know if it’s just semantics or tone or something else, but sometimes I think it just sounds like buzzword sausage. So it’s always …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now