Solved

Group policies SBS 2003

Posted on 2004-09-19
4
1,138 Views
Last Modified: 2010-06-02
When we set up our server with SBS 2003 we tried to set a policy so that all users in the domain would lose the ability to write files to the local C: drive.  Also, if they try to write to My Documents I want it to be transferred to somewhere on the server.  Things seemed relatively obvious but it did not work.  When I tried to go through a tutorial on the Microsoft website, it was too in depth for me to understand.

What I need is an example of how to go through the menus and where to make the settings so that I can enforce a policy on everyone in the domain.  I don't need an in depth appreciation of all the capabilities of system/group policies.  I just need to be able to follow a simple example as a template for how I can enforce my policies.

Does anyone know of a web page or such like that would talk me through a simple example, specifically for 2003, or would anyone care to give me an example themselves?

Thank you
0
Comment
Question by:peparsons
  • 2
  • 2
4 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 12095368
First of all, there's actually no such thing as "a simple example as a template" when it comes to group policies. If you don't know what you're doing, you might very well, very quickly, and very easily lock yourself out as well, or you might end up with a set of GPOs that apply in a fashion you can't even begin to understand anymore.
That said, if you're starting carefully, with some basic settings, you should be fine.
Try to stay away from the Default Domain Policy, at least until you know your way around group policies better.
Then, first of all, create your OU structure.
Example: Create a new top level OU in your domain. Create two additional OUs below this one, User and Computer.
Move a test user account into the User OU, a test computer account below the Computer OU.
acme.local
 +-[OU] Acme
    +-[OU] User
       +-[User] Test User
    +-[OU] Computer
       +-[Computer] Test Computer

On your server, create a folder "Home", share it as Home$. Create a subdirectory with your test user's name, change the NTFS permissions to allow Full Control for Administrators, System, and the test user account.
In the test user's properties, go to the profile tab, and in the home folder section, enter H: (or whatever) as drive letter, connect to \\Server\Home$\%Username%.
Create a new global security group, named GPol-Lockdown. Make the test user member of this group.
In the User OU, create a new GPO. (Right-click OU, Properties, Group Policy, button New). Name it Lockdown. Click on the "Properties" button of the GPO, check the box "Disable Computer Configuration". Go to the Security tab, uncheck the "Read" and "Apply" permissions for Authenticated Users. Add the GPol-Lockdown group, give this group Read and Apply permissions. (This is called security filtering of group policies; it makes sure that the GPO applies only to users that you want them to apply to.) Click OK on the Properties of Lockdown dialog.
Click the Edit button in the group policy dialog.
* Redirect the "My Documents" folder:
Go to User Configuration\Windows Settings\Folder Redirection, right-click, choose Properties. Pick Standard from the drop-down box, enter \\Server\Home$\%Username%. In the Settings tab, uncheck "Exclusive permissions for the user". Pick the other settings to your liking.
* Hide the C: drive:
Go to User Configuration\Administrative Templates\Windows Components\Windows Explorer. In the right pane, double-click "Hide these drives in 'My Computer'". Set the policy to Activated, choose "Restrict drive C: only" (or whatever drives you want to restrict).
Be careful with the next policy, "Restrict access to these drives in 'My Computer'"; not every program might work when this policy is activated.
Log on with the test user, and the "My Documents" folder should be redirected, the C: drive shouldn't be listed anymore in Windows Explorer.
Once you're sure the policies are working OK, move the rest of your users into the Users OU (or below, if you created additional OUs below the Users).

If you need to set Computer Policies, you can do it basically the same way.

You might want to install the Group Policy Management Console to ease the administration a bit.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups
http://support.microsoft.com/default.aspx?kbid=220822

Step-by-Step Guide to Understanding the Group Policy Feature Set
http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp

White Paper: Introduction to Windows 2000 Group Policy
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

White Paper: Windows 2000 Group Policy
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

Windows Server 2000 Resource Kit: Chapter 4 - How Group Policy Works
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/deploy/ccmdepl/ccmch04.mspx

Windows Server 2000 Resource Kit: Chapter 22 - Group Policy
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000
http://support.microsoft.com/?kbid=315418

HOW TO: Administer GPO Properties in Windows 2000
http://support.microsoft.com/?kbid=322176
0
 

Author Comment

by:peparsons
ID: 12101025
Dear oBdA
Thank you for that incredible effort.  One question:  Were your instructions for 2003?
PEP

0
 
LVL 84

Expert Comment

by:oBdA
ID: 12101812
The articles refer mostly to Windows 2000, but the group policy processing hasn't changed for W2k3. The Group Policy Management Console will make things look completely different (but easier to manage once you've gotten used to it), but that's just the interface; the basics still remain the same.
You don't necessarily need to follow the OU construction from above; the best solution depends very strongly on your organisation. I'd stay with the security group filtering described, though, as this is (in my opinion) the easiest and most concise way to control who gets which policies applied.
One more hint:
While you're testing, you might want to refresh changed policies for the user without logging off and back on all the time.
In W2k, the command used is
secedit /refreshpolicy user_policy /enforce
(enter "secedit /?" for more help); for XP clients, it has changed to
gpupdate /target:user /force
(enter "gpupdate /? for more help).
0
 

Author Comment

by:peparsons
ID: 12102038
Thanks a lot.  That's another useful tip.
PEP
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question