

Group policies SBS 2003

Posted on 2004-09-19
Medium Priority
Last Modified: 2010-06-02
When we set up our server with SBS 2003 we tried to set a policy so that all users in the domain would lose the ability to write files to the local C: drive.  Also, if they try to write to My Documents I want it to be transferred to somewhere on the server.  Things seemed relatively obvious but it did not work.  When I tried to go through a tutorial on the Microsoft website, it was too in-depth for me to understand.

What I need is an example of how to go through the menus and where to make the settings so that I can enforce a policy on everyone in the domain.  I don't need an in-depth appreciation of all the capabilities of system/group policies.  I just need to be able to follow a simple example as a template for how I can enforce my policies.

Does anyone know of a web page or such like that would talk me through a simple example, specifically for 2003, or would anyone care to give me an example themselves?

Thank you
Question by: peparsons
LVL 85

Accepted Solution

oBdA earned 2000 total points
ID: 12095368
First of all, there's actually no such thing as "a simple example as a template" when it comes to group policies. If you don't know what you're doing, you might very well, very quickly, and very easily lock yourself out as well, or you might end up with a set of GPOs that apply in a fashion you can't even begin to understand anymore.
That said, if you're starting carefully, with some basic settings, you should be fine.
Try to stay away from the Default Domain Policy, at least until you know your way around group policies better.
Then, first of all, create your OU structure.
Example: Create a new top level OU in your domain. Create two additional OUs below this one, User and Computer.
Move a test user account into the User OU, a test computer account below the Computer OU.
 +-[OU] Acme
    +-[OU] User
       +-[User] Test User
    +-[OU] Computer
       +-[Computer] Test Computer

On your server, create a folder "Home", share it as Home$. Create a subdirectory with your test user's name, change the NTFS permissions to allow Full Control for Administrators, System, and the test user account.
In the test user's properties, go to the profile tab, and in the home folder section, enter H: (or whatever) as drive letter, connect to \\Server\Home$\%Username%.
Create a new global security group, named GPol-Lockdown. Make the test user member of this group.
In the User OU, create a new GPO. (Right-click OU, Properties, Group Policy, button New). Name it Lockdown. Click on the "Properties" button of the GPO, check the box "Disable Computer Configuration". Go to the Security tab, uncheck the "Read" and "Apply" permissions for Authenticated Users. Add the GPol-Lockdown group, give this group Read and Apply permissions. (This is called security filtering of group policies; it makes sure that the GPO applies only to users that you want them to apply to.) Click OK on the Properties of Lockdown dialog.
Click the Edit button in the group policy dialog.
* Redirect the "My Documents" folder:
Go to User Configuration\Windows Settings\Folder Redirection, right-click, choose Properties. Pick Standard from the drop-down box, enter \\Server\Home$\%Username%. In the Settings tab, uncheck "Exclusive permissions for the user". Pick the other settings to your liking.
* Hide the C: drive:
Go to User Configuration\Administrative Templates\Windows Components\Windows Explorer. In the right pane, double-click "Hide these drives in 'My Computer'". Set the policy to Activated, choose "Restrict drive C: only" (or whatever drives you want to restrict).
Be careful with the next policy, "Restrict access to these drives in 'My Computer'"; not every program might work when this policy is activated.
Log on with the test user, and the "My Documents" folder should be redirected, the C: drive shouldn't be listed anymore in Windows Explorer.
Once you're sure the policies are working OK, move the rest of your users into the Users OU (or below, if you created additional OUs below the Users).

If you need to set Computer Policies, you can do it basically the same way.

You might want to install the Group Policy Management Console to ease the administration a bit.
Enterprise Management with the Group Policy Management Console

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups

Step-by-Step Guide to Understanding the Group Policy Feature Set

White Paper: Introduction to Windows 2000 Group Policy

White Paper: Windows 2000 Group Policy

Windows Server 2000 Resource Kit: Chapter 4 - How Group Policy Works

Windows Server 2000 Resource Kit: Chapter 22 - Group Policy

Troubleshooting Group Policy Application Problems

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000

HOW TO: Administer GPO Properties in Windows 2000
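
A client-side check for the test-logon step in the answer above, as an added example that is not part of the original thread: it decodes the Explorer policy bitmasks behind "Hide these drives in 'My Computer'" and "Restrict access to these drives", and confirms where My Documents points. It assumes PowerShell is available on the client and reuses the \\Server\Home$ share name from the answer; the function names are made up for this example.

```powershell
# Added example: run as the test user on the client after logon.
# Assumption: \\Server\Home$ is the redirection target used in the answer above.
$ExpectedRoot = '\\Server\Home$'
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ShellKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-RegValue {
    # Returns the value, or $null when the key or value is absent
    # (which is what you see when the GPO did not apply to this user).
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function ConvertFrom-DriveMask {
    # NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
    param([int]$Mask)
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band [int][math]::Pow(2, $bit)) { $letters += [char](65 + $bit) }
    }
    return ,$letters
}

$hidden  = ConvertFrom-DriveMask ([int](Get-RegValue $PolicyKey 'NoDrives'))
$blocked = ConvertFrom-DriveMask ([int](Get-RegValue $PolicyKey 'NoViewOnDrive'))
$docs    = Get-RegValue $ShellKey 'Personal'   # current My Documents location

"Hidden in Explorer (NoDrives)      : {0}" -f ($hidden -join ', ')
"Access blocked (NoViewOnDrive)     : {0}" -f ($blocked -join ', ')
"My Documents points to             : {0}" -f $docs

# Pass/fail against what the Lockdown GPO in the answer is meant to produce.
$cHidden = $hidden -contains [char]'C'
$redirected = $false
if ($docs) {
    $redirected = $docs.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
}
"C: hidden by policy                : {0}" -f $cHidden
"My Documents redirected to server  : {0}" -f $redirected
if (-not ($cHidden -and $redirected)) {
    "Policy not fully applied: check group membership, the GPO's security filtering, then refresh policy."
}
```

The NoDrives setting only removes the drive from Explorer views; it does not change NTFS permissions, so a drive can show as hidden here and still be writable by the user.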

Author Comment

ID: 12101025
Dear oBdA
Thank you for that incredible effort.  One question:  Were your instructions for 2003?

LVL 85

Expert Comment

ID: 12101812
The articles refer mostly to Windows 2000, but the group policy processing hasn't changed for W2k3. The Group Policy Management Console will make things look completely different (but easier to manage once you've gotten used to it), but that's just the interface; the basics still remain the same.
You don't necessarily need to follow the OU construction from above; the best solution depends very strongly on your organisation. I'd stay with the security group filtering described, though, as this is (in my opinion) the easiest and most concise way to control who gets which policies applied.
One more hint:
While you're testing, you might want to refresh changed policies for the user without logging off and back on all the time.
In W2k, the command used is
secedit /refreshpolicy user_policy /enforce
(enter "secedit /?" for more help); for XP clients, it has changed to
gpupdate /target:user /force
(enter "gpupdate /?" for more help).

Author Comment

ID: 12102038
Thanks a lot.  That's another useful tip.
