Solved

Group policies SBS 2003

Posted on 2004-09-19
Last Modified: 2010-06-02
When we set up our server with SBS 2003 we tried to set a policy so that all users in the domain would lose the ability to write files to the local C: drive.  Also, if they try to write to My Documents I want it to be transferred to somewhere on the server.  Things seemed relatively obvious but it did not work.  When I tried to go through a tutorial on the Microsoft website, it was too in depth for me to understand.

What I need is an example of how to go through the menus and where to make the settings so that I can enforce a policy on everyone in the domain.  I don't need an in depth appreciation of all the capabilities of system/group policies.  I just need to be able to follow a simple example as a template for how I can enforce my policies.

Does anyone know of a web page or such like that would talk me through a simple example, specifically for 2003, or would anyone care to give me an example themselves?

Thank you
Question by:peparsons
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 12095368
First of all, there's actually no such thing as "a simple example as a template" when it comes to group policies. If you don't know what you're doing, you might very well, very quickly, and very easily lock yourself out as well, or you might end up with a set of GPOs that apply in a fashion you can't even begin to understand anymore.
That said, if you're starting carefully, with some basic settings, you should be fine.
Try to stay away from the Default Domain Policy, at least until you know your way around group policies better.
Then, first of all, create your OU structure.
Example: Create a new top level OU in your domain. Create two additional OUs below this one, User and Computer.
Move a test user account into the User OU, a test computer account below the Computer OU.
acme.local
 +-[OU] Acme
    +-[OU] User
       +-[User] Test User
    +-[OU] Computer
       +-[Computer] Test Computer

On your server, create a folder "Home", share it as Home$. Create a subdirectory with your test user's name, change the NTFS permissions to allow Full Control for Administrators, System, and the test user account.
In the test user's properties, go to the profile tab, and in the home folder section, enter H: (or whatever) as drive letter, connect to \\Server\Home$\%Username%.
Create a new global security group, named GPol-Lockdown. Make the test user member of this group.
In the User OU, create a new GPO. (Right-click OU, Properties, Group Policy, button New). Name it Lockdown. Click on the "Properties" button of the GPO, check the box "Disable Computer Configuration". Go to the Security tab, uncheck the "Read" and "Apply" permissions for Authenticated Users. Add the GPol-Lockdown group, give this group Read and Apply permissions. (This is called security filtering of group policies; it makes sure that the GPO applies only to users that you want it to apply to.) Click OK on the Properties of Lockdown dialog.
Click the Edit button in the group policy dialog.
* Redirect the "My Documents" folder:
Go to User Configuration\Windows Settings\Folder Redirection, right-click, choose Properties. Pick Standard from the drop-down box, enter \\Server\Home$\%Username%. In the Settings tab, uncheck "Exclusive permissions for the user". Pick the other settings to your liking.
* Hide the C: drive:
Go to User Configuration\Administrative Templates\Windows Components\Windows Explorer. In the right pane, double-click "Hide these drives in 'My Computer'". Set the policy to Activated, choose "Restrict drive C: only" (or whatever drives you want to restrict).
Be careful with the next policy, "Restrict access to these drives in 'My Computer'"; not every program might work when this policy is activated.
Log on with the test user, and the "My Documents" folder should be redirected, the C: drive shouldn't be listed anymore in Windows Explorer.
Once you're sure the policies are working OK, move the rest of your users into the Users OU (or below, if you created additional OUs below the Users).

If you need to set Computer Policies, you can do it basically the same way.

You might want to install the Group Policy Management Console to ease the administration a bit.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups
http://support.microsoft.com/default.aspx?kbid=220822

Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

White Paper: Introduction to Windows 2000 Group Policy
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

White Paper: Windows 2000 Group Policy
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Windows Server 2000 Resource Kit: Chapter 4 - How Group Policy Works
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/deploy/ccmdepl/ccmch04.mspx

Windows Server 2000 Resource Kit: Chapter 22 - Group Policy
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000
http://support.microsoft.com/?kbid=315418

HOW TO: Administer GPO Properties in Windows 2000
http://support.microsoft.com/?kbid=322176
0
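Added example, not part of oBdA's answer: the test scaffolding from the accepted solution (OUs, the GPol-Lockdown filtering group, a test user with a home folder) built from a command prompt on the server with the Windows Server 2003 directory service tools. The account name testuser, the path D:\Home and the placement of the group in the Acme OU are assumptions; acme.local and Server are the answer's own example names. The Lockdown GPO itself is still created and edited by hand as described above.

```batch
@echo off
rem Added example: test scaffolding for the Lockdown GPO walkthrough.
rem Assumed values: account testuser, data path D:\Home, group stored in OU=Acme.
setlocal
set BASE=DC=acme,DC=local
set ROOT=OU=Acme,%BASE%
set GRP=CN=GPol-Lockdown,%ROOT%
set USR=CN=Test User,OU=User,%ROOT%

rem 1. OU structure: Acme, with User and Computer below it.
dsadd ou "%ROOT%" || goto :fail
dsadd ou "OU=User,%ROOT%" || goto :fail
dsadd ou "OU=Computer,%ROOT%" || goto :fail

rem 2. Global security group used for security filtering of the GPO.
rem    Its OU does not matter; the GPO follows the user's location and membership.
dsadd group "%GRP%" -secgrp yes -scope g || goto :fail

rem 3. Test user in the User OU, member of the group, home drive H:.
rem    "-pwd *" prompts for the password; $username$ expands to the SAM name.
dsadd user "%USR%" -samid testuser -pwd * -memberof "%GRP%" -hmdrv H: -hmdir \\Server\Home$\$username$ || goto :fail

rem 4. Home folder and hidden share. cacls without /E replaces the ACL, so
rem    only Administrators, SYSTEM and the test user remain on the folder.
rem    Share-level permissions also limit access; check that they allow writes.
mkdir D:\Home\testuser || goto :fail
net share Home$=D:\Home || goto :fail
echo y| cacls D:\Home\testuser /G Administrators:F SYSTEM:F %USERDOMAIN%\testuser:F

rem 5. Confirm the group membership the GPO filter depends on.
dsget user "%USR%" -memberof

echo Done. Now create the Lockdown GPO on the User OU and filter it to GPol-Lockdown.
goto :eof

:fail
echo Step failed, stopping so a half-built structure is noticed. 1>&2
exit /b 1
```

Once the GPO exists and the test user has logged on at a client, running gpresult /scope user /v in that session lists the GPOs that were applied and those filtered out, which shows whether the security filtering took effect.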
 

Author Comment

by:peparsons
ID: 12101025
Dear oBdA
Thank you for that incredible effort.  One question:  Were your instructions for 2003?
PEP

0
 
LVL 84

Expert Comment

by:oBdA
ID: 12101812
The articles refer mostly to Windows 2000, but the group policy processing hasn't changed for W2k3. The Group Policy Management Console will make things look completely different (but easier to manage once you've gotten used to it), but that's just the interface; the basics still remain the same.
You don't necessarily need to follow the OU construction from above; the best solution depends very strongly on your organisation. I'd stay with the security group filtering described, though, as this is (in my opinion) the easiest and most concise way to control who gets which policies applied.
One more hint:
While you're testing, you might want to refresh changed policies for the user without logging off and back on all the time.
In W2k, the command used is
secedit /refreshpolicy user_policy /enforce
(enter "secedit /?" for more help); for XP clients, it has changed to
gpupdate /target:user /force
(enter "gpupdate /?" for more help).
0
 

Author Comment

by:peparsons
ID: 12102038
Thanks a lot.  That's another useful tip.
PEP
0
