Group policies SBS 2003

When we set up our server with SBS 2003 we tried to set a policy so that all users in the domain would lose the ability to write files to the local C: drive.  Also, if they try to write to My Documents I want it to be transferred to somewhere on the server.  Things seemed relatively obvious but it did not work.  When I tried to go through a tutorial on the Microsoft website, it was too in depth for me to understand.

What I need is an example of how to go through the menus and where to make the settings so that I can enforce a policy on everyone in the domain.  I don't need an in depth appreciation of all the capabilities of system/group policies.  I just need to be able to follow a simple example as a template for how I can enforce my policies.

Does anyone know of a web page or such like that would talk me through a simple example, specifically for 2003, or would anyone care to give me an example themselves?

Thank you

oBdA Commented:
First of all, there's actually no such thing as "a simple example as a template" when it comes to group policies. If you don't know what you're doing, you might very well, very quickly, and very easily lock yourself out as well, or you might end up with a set of GPOs that apply in a fashion you can't even begin to understand anymore.
That said, if you're starting carefully, with some basic settings, you should be fine.
Try to stay away from the Default Domain Policy, at least until you know your way around group policies better.
Then, first of all, create your OU structure.
Example: Create a new top level OU in your domain. Create two additional OUs below this one, User and Computer.
Move a test user account into the User OU, a test computer account below the Computer OU.
 +-[OU] Acme
    +-[OU] User
       +-[User] Test User
    +-[OU] Computer
       +-[Computer] Test Computer

On your server, create a folder "Home", share it as Home$. Create a subdirectory with your test user's name, change the NTFS permissions to allow Full Control for Administrators, System, and the test user account.
In the test user's properties, go to the profile tab, and in the home folder section, enter H: (or whatever) as drive letter, connect to \\Server\Home$\%Username%.
Create a new global security group, named GPol-Lockdown. Make the test user member of this group.
In the User OU, create a new GPO. (Right-click OU, Properties, Group Policy, button New). Name it Lockdown. Click on the "Properties" button of the GPO, check the box "Disable Computer Configuration". Go to the Security tab, uncheck the "Read" and "Apply" permissions for Authenticated Users. Add the GPol-Lockdown group, give this group Read and Apply permissions. (This is called security filtering of group policies; it makes sure that the GPO applies only to users that you want them to apply to.) Click OK on the Properties of Lockdown dialog.
Click the Edit button in the group policy dialog.
* Redirect the "My Documents" folder:
Go to User Configuration\Windows Settings\Folder Redirection, right-click, choose Properties. Pick Standard from the drop-down box, enter \\Server\Home$\%Username%. In the Settings tab, uncheck "Exclusive permissions for the user". Pick the other settings to your liking.
* Hide the C: drive:
Go to User Configuration\Administrative Templates\Windows Components\Windows Explorer. In the right pane, double-click "Hide these drives in 'My Computer'". Set the policy to Activated, choose "Restrict drive C: only" (or whatever drives you want to restrict).
Be careful with the next policy, "Restrict access to these drives in 'My Computer'"; not every program might work when this policy is activated.
Log on with the test user, and the "My Documents" folder should be redirected, the C: drive shouldn't be listed anymore in Windows Explorer.
Once you're sure the policies are working OK, move the rest of your users into the Users OU (or below, if you created additional OUs below the Users).

If you need to set Computer Policies, you can do it basically the same way.

You might want to install the Group Policy Management Console to ease the administration a bit.
Enterprise Management with the Group Policy Management Console

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups

Step-by-Step Guide to Understanding the Group Policy Feature Set

White Paper: Introduction to Windows 2000 Group Policy

White Paper: Windows 2000 Group Policy

Windows Server 2000 Resource Kit: Chapter 4 - How Group Policy Works

Windows Server 2000 Resource Kit: Chapter 22 - Group Policy

Troubleshooting Group Policy Application Problems

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000

HOW TO: Administer GPO Properties in Windows 2000
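
The OU, security group, filtered GPO and hidden C: drive steps from the answer above, scripted as an added example that is not part of the original post. It assumes a later Windows Server with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (not available on SBS 2003); the domain DN and the test account name are placeholders. It sets the NoDrives registry value, which is what the "Hide these drives" policy writes, and leaves folder redirection to the GPO editor as described in the post.

```powershell
# Added example. Assumes RSAT ActiveDirectory + GroupPolicy modules and Domain Admin rights.
Import-Module ActiveDirectory, GroupPolicy
$ErrorActionPreference = 'Stop'

$domainDn = 'DC=acme,DC=local'   # placeholder: your domain's distinguished name
$rootOu   = "OU=Acme,$domainDn"
$userOu   = "OU=User,$rootOu"
$testUser = 'testuser'           # placeholder: sAMAccountName of the test account
$gpoName  = 'Lockdown'
$group    = 'GPol-Lockdown'

# OU structure from the post: Acme > User and Acme > Computer
New-ADOrganizationalUnit -Name 'Acme'     -Path $domainDn
New-ADOrganizationalUnit -Name 'User'     -Path $rootOu
New-ADOrganizationalUnit -Name 'Computer' -Path $rootOu

# Move the test account into the User OU and put it in the filtering group
Get-ADUser -Identity $testUser | Move-ADObject -TargetPath $userOu
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $rootOu
Add-ADGroupMember -Identity $group -Members $testUser

# Create the GPO, disable its Computer Configuration half, link it to the User OU
$gpo = New-GPO -Name $gpoName
$gpo.GpoStatus = 'ComputerSettingsDisabled'
New-GPLink -Name $gpoName -Target $userOu | Out-Null

# Security filtering: only members of GPol-Lockdown get Apply.
# Authenticated Users is downgraded to Read instead of removed: on systems
# patched with MS16-072 the computer account must be able to read the GPO,
# otherwise user settings are not applied.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# "Hide these drives in My Computer": NoDrives is a bitmask (A=1, B=2, C=4, ...)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value 4 | Out-Null

# Review the resulting ACL: expect GpoApply for the group, GpoRead for Authenticated Users
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Run `gpresult /r` as the test user after logon to confirm that Lockdown is listed under the applied user GPOs before moving real accounts into the OU.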
peparsons (Author) Commented:
Dear oBdA
Thank you for that incredible effort.  One question:  Were your instructions for 2003?

The articles refer mostly to Windows 2000, but the group policy processing hasn't changed for W2k3. The Group Policy Management Console will make things look completely different (but easier to manage once you've gotten used to it), but that's just the interface; the basics still remain the same.
You don't necessarily need to follow the OU construction from above; the best solution depends very strongly on your organisation. I'd stay with the security group filtering described, though, as this is (in my opinion) the easiest and most concise way to control who gets which policies applied.
One more hint:
While you're testing, you might want to refresh changed policies for the user without logging off and back on all the time.
In W2k, the command used is
secedit /refreshpolicy user_policy /enforce
(enter "secedit /?" for more help); for XP clients, it has changed to
gpupdate /target:user /force
(enter "gpupdate /?" for more help).
peparsons (Author) Commented:
Thanks a lot.  That's another useful tip.