Group policies SBS 2003

Posted on 2004-09-19
Last Modified: 2010-06-02
When we set up our server with SBS 2003 we tried to set a policy so that all users in the domain would lose the ability to write files to the local C: drive.  Also, if they try to write to My Documents I want it to be transferred to somewhere on the server.  Things seemed relatively obvious but it did not work.  When I tried to go through a tutorial on the Microsoft website, it was too in depth for me to understand.

What I need is an example of how to go through the menus and where to make the settings so that I can enforce a policy on everyone in the domain.  I don't need an in depth appreciation of all the capabilities of system/group policies.  I just need to be able to follow a simple example as a template for how I can enforce my policies.

Does anyone know of a web page or such like that would talk me through a simple example, specifically for 2003, or would anyone care to give me an example themselves?

Thank you
Question by:peparsons
  • 2
  • 2
LVL 83

Accepted Solution

oBdA earned 500 total points
ID: 12095368
First of all, there's actually no such thing as "a simple example as a template" when it comes to group policies. If you don't know what you're doing, you might very well, very quickly, and very easily lock yourself out as well, or you might end up with a set of GPOs that apply in a fashion you can't even begin to understand anymore.
That said, if you're starting carefully, with some basic settings, you should be fine.
Try to stay away from the Default Domain Policy, at least until you know your way around group policies better.
Then, first of all, create your OU structure.
Example: Create a new top level OU in your domain. Create two additional OUs below this one, User and Computer.
Move a test user account into the User OU, a test computer account below the Computer OU.
 +-[OU] Acme
    +-[OU] User
       +-[User] Test User
    +-[OU] Computer
       +-[Computer] Test Computer

On your server, create a folder "Home", share it as Home$. Create a subdirectory with your test user's name, change the NTFS permissions to allow Full Control for Administrators, System, and the test user account.
In the test user's properties, go to the profile tab, and in the home folder section, enter H: (or whatever) as drive letter, connect to \\Server\Home$\%Username%.
Create a new global security group, named GPol-Lockdown. Make the test user member of this group.
In the User OU, create a new GPO. (Right-click OU, Properties, Group Policy, button New). Name it Lockdown. Click on the "Properties" button of the GPO, check the box "Disable Computer Configuration". Go to the Security tab, uncheck the "Read" and "Apply" permissions for Authenticated Users. Add the GPol-Lockdown group, give this group Read and Apply permissions. (This is called security filtering of group policies; it makes sure that the GPO applies only to users that you want them to apply to.) Click OK on the Properties of Lockdown dialog.
Click the Edit button in the group policy dialog.
* Redirect the "My Documents" folder:
Go to User Configuration\Windows Settings\Folder Redirection, right-click, choose Properties. Pick Standard from the drop-down box, enter \\Server\Home$\%Username%. In the Settings tab, uncheck "Exclusive permissions for the user". Pick the other settings to your liking.
* Hide the C: drive:
Go to User Configuration\Administrative Templates\Windows Components\Windows Explorer. In the right pane, double-click "Hide these drives in 'My Computer'". Set the policy to Activated, choose "Restrict drive C: only" (or whatever drives you want to restrict).
Be careful with the next policy, "Restrict access to these drives in 'My Computer'"; not every program might work when this policy is activated.
Log on with the test user, and the "My Documents" folder should be redirected, the C: drive shouldn't be listed anymore in Windows Explorer.
Once you're sure the policies are working OK, move the rest of your users into the Users OU (or below, if you created additional OUs below the Users).

If you need to set Computer Policies, you can do it basically the same way.

You might want to install the Group Policy Management Console to ease the administration a bit.
Enterprise Management with the Group Policy Management Console

Group Policy Objects Applied to Organizational Units Containing Only Groups Are Not Applied to Members of Those Groups

Step-by-Step Guide to Understanding the Group Policy Feature Set

White Paper: Introduction to Windows 2000 Group Policy

White Paper: Windows 2000 Group Policy

Windows Server 2000 Resource Kit: Chapter 4 - How Group Policy Works

Windows Server 2000 Resource Kit: Chapter 22 - Group Policy

Troubleshooting Group Policy Application Problems

HOW TO: Optimize Group Policy for Logon Performance in Windows 2000

HOW TO: Administer GPO Properties in Windows 2000

Author Comment

ID: 12101025
Dear oBdA
Thank you for that incredible effort.  One question:  Were your instructions for 2003?

LVL 83

Expert Comment

ID: 12101812
The articles refer mostly to Windows 2000, but the group policy processing hasn't changed for W2k3. The Group Policy Management Console will make things look completely different (but easier to manage once you've gotten used to it), but that's just the interface; the basics still remain the same.
You don't necessarily need to follow the OU construction from above; the best solution depends very strongly on your organisation. I'd stay with the security group filtering described, though, as this is (in my opinion) the easiest and most concise way to control who gets which policies applied.
One more hint:
While you're testing, you might want to refresh changed policies for the user without logging off and back on all the time.
In W2k, the command used is
secedit /refreshpolicy user_policy /enforce
(enter "secedit /?" for more help); for XP clients, it has changed to
gpupdate /target:user /force
(enter "gpupdate /? for more help).

Author Comment

ID: 12102038
Thanks a lot.  That's another useful tip.

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now