Solved

Group policies on NT2000 server - configured as workgroup not domain

Posted on 2004-08-11
8
247 Views
Last Modified: 2010-04-14
I have a windows NT2000 server with 9 thinclient users logging in to terminal services.  (also several mixed desktop pc's using the server for file sharing).  I do not have domain configured - just workgroup. I need to drastically restrict the access of 6 users who log on to thin clients).  I have been able to manipulate the policy but it applies to all users logging on to thin clients or console. As I do not have active directory I cannot use OU's.  I have tried altering the sharing on the folder winnt\system32\group policy and sub folders to prevent those users from accessing the policy files but this seems to have no effect. (c drive is formated fat32).

Can I use group policy in this setup ?
Can I move group policy folder to D: (NTFS ) and try ntfs permissions. ?
Can I convert C drive to NTFS ?
Can I convert to domain easily ?

many thanks

Glen
0
Comment
Question by:merlok
8 Comments
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 150 total points
ID: 11772481
I have never used a TS outside of a Domain, so my comments may not have much weight here, but this is an articled discussing the use of GPO's on a TS using a Domain Controller..

http://support.microsoft.com/default.aspx?scid=kb;en-us;260370&sd=tech

Regarding your first two questions (assuming you are speaking of Local Group Policies), I really have no answer since I would have to test these out on a server in a workgroup, and just do not have time to set it up right now.  

Definitely think about going to a Domain setup though, and definitely use NTFS for your file system.  I see no reason at all in your case to use FAT32.  Conversion is easy, using the Convert command (convert c: /fs:ntfs)

Creating your domain easily will depend on your setup and users, but I would hazard to guess that it would be easy to do.  And very beneficial to you in the end, being that you will now have a place for central management of your users.

If you need articles on the transformation, we can certainly point you in the right direction.

FE
0
 
LVL 14

Assisted Solution

by:dlwyatt82
dlwyatt82 earned 100 total points
ID: 11772782
In a standalone server configuration like yours, you only have one Group Policy Object to work with (the local policy), which make it difficult to apply a different set of policies to various users or groups. If you absolutely cannot pursue the option of setting up a domain, then I would recommend configuring user-specific registry-based policies for the users you wish to lock down. This can be accomplished via login scripts, or manually using regedt32.

It will take some research to find out exactly which registry keys / values you need to create to accomplish your desired results, but the keys will resided in either the "Software\Policies" or "Software\Microsoft\Windows\CurrentVersion\Policies" keys of each user's registry hive.
0
 
LVL 15

Assisted Solution

by:Cyber-Dude
Cyber-Dude earned 100 total points
ID: 11772912
As far as I know, You cannot use Group Policy in this configuration but on your server (i.e. Terminal Services - you may have full controll there).

You can use Group Policy on whatever location you wish but in a peer to perr network (workgroup) it is of no significance...

You can convert drice C: to NTFS easily... the question is whether you may be able to recover in case of disk or OS failure (It is strongly recommended that you will burn a recovery Boot CD that will include software for recovery)...

You CAN convert the whole WorkGroup to a Domain easily as well (just configure all clients to connect to a domain and configure the Server as a DC)..

If you wish to get a step-bystep guide... just tell me and I will run over the hills and bring those to ya...

Cyber
0
 

Author Comment

by:merlok
ID: 11773680
on my previous server (NT4 terminal services) I did use regedt32 and manually edited the keys.  On the NT2000 server when I run regedt32 - load hive (NTUSER.dat ) from c:\douments and settings\username the changes I apply seem to make no difference.

This is why I am looking at local group policy.

Am I using regedt32 properly on NT2000?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 3

Assisted Solution

by:saito1
saito1 earned 100 total points
ID: 11773706

Can I use group policy in this setup ?
  you should convert your network to domain environment.

Can I move group policy folder to D: (NTFS ) and try ntfs permissions. ?
  no need to do in domain environment
 
Can I convert C drive to NTFS ?
  yes, at command prompt execute the command:
  convert c: /fs:ntfs /v

  I recommend to convert your driver's format to NTFS if there is no dual boot between windows 9x
  for convert command:
http://support.microsoft.com/default.aspx?scid=kb;en-us;214579&Product=win2000

Can I convert to domain easily ?
  yes very easy:
  step by step guide to "Convert a Windows 2000 Server to a Domain Controller"
http://www.microsoft.com/technet/Security/topics/issues/w2kccadm/trust/w2kadm28.mspx#XSLTsection123121120120

Rgrds...

0
 
LVL 2

Assisted Solution

by:Ranidae
Ranidae earned 50 total points
ID: 11777801
Hi,

Just to throw my 2 cents in... I have in the past configured the local policy to restrict users in a severe way, I then found the policy object itself and denied the administrator account the NTFS read permission to the policy, that way anybody but the admin has the policy applied.  It's not a perfect solution (I would encourage a domain to get more control), but it worked for me in limiting users on local machines for workgroup environments.

Regards.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 11796936
Since the terminal server is not part of a domain, it will still process the NT4 style system policies (the predecessor to group policies). Make sure you read the policies part of the Guide below before you start; unlike group policies, the settings defined in a system policy will *not* simply revert back when you set them back to "undefined", you have to undo them explicitly.

Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478

How to apply System Policy settings to Terminal Server
http://support.microsoft.com/?kbid=192794

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 12141871
Thanks
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Owning a franchise can be the dream of a lifetime. It provides a chance for economic growth. You can be as successful as you want.  To make your franchise successful, you need to market it successfully. Here are six of the best marketing strategies …
This video discusses moving either the default database or any database to a new volume.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now