[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Windows group policy

Posted on 2004-10-30
6
Medium Priority
?
368 Views
Last Modified: 2010-04-11
Hey, I have been trying to understand this windows group policy for about 2 weeks now to no avail.  I'm just gonna make
This short and sweet.  I'm totally new to group policy and I was just trying it out.  I was trying something very simple and
That did not quite work out the way I planned. I have a windows 2000 professional machine service pack 4. Not on any domain
I ran "gpedit.msc" and set the hide all desktop icons to enabled
http://img59.exs.cx/img59/5642/gp8.jpg
But the problem is ... it only works for users of the administrator group..... it does not work for say the guest user which I
Set to be a member of the "users" group, and it is the guest user I want to to work for.  Think thats about it, Like I said
I am a total newbie to group policies and I have been trying to find detailed info but I've had no success.

So how do I get this to work for the guest user?
(Can anyone point me to an ebook or something like that)
0
Comment
Question by:abacosis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 7

Expert Comment

by:shahrial
ID: 12454552
SUMMARY
This article describes how to apply local policies to all users, except administrators, on a Windows 2000-based computer that is in a workgroup setting.

MORE INFORMATION
When you use either a Windows 2000 Professional-based or Windows 2000 Server-based computer in a workgroup setting (not a domain), you may need to implement local policies on that computer that can apply to all users of that computer, but not to administrators. This exception enables the administrator to have unlimited access and control of the computer, and to be able to restrict the users that can log on to that computer.

The Windows 2000 Professional-based computer or Windows 2000-based member server must be in a workgroup setting for this procedure to work. In this situation the domain policies cannot overwrite the local policies because the domain policies do not exist. It is recommended to make backup copies of all the files that are edited.

To implement local policies to all users, except administrators:
1. Log on to the computer as an administrator.
2. Open your local security policy: Either click Start , click Run , and then type: gpedit.msc , or click Start , click Run , type: mmc , and then load the local security policy. If the removal of the run command is one of the policies that you want, it is recommended that you edit the policy by means of Microsoft Management Console (MMC), and then save the results as an icon. Then, the run command is not needed to reopen the policy. When the policy is open, expand User Configuration , expand Administrative , and then expand Templates .
3. Enable whatever policies you want (for example, Desktop for "Hide My Network Places" or "Hide Internet Explorer Icon on Desktop").

NOTE : Ensure that you select the correct policies, otherwise you may restrict the ability of the administrator to log on to the computer (and complete the necessary steps to configure the computer). It is recommended that you record what changes you have made (you can also use this information for step #10).
4. Close the Gpedit.msc Group Policy snap-in, or if you use MMC, save the console as an icon to make it accessible later, and then log off from the computer.
5. Log on to the computer as an administrator. You can observe in this logon session the policy changes that had been made earlier, as by default, the local policies apply to all users, which includes administrators.
6. Log off from the computer, and then log on to the computer as all of the other users for this computer for which you want these policies to apply to. The policies are implemented for all of these users as well as the administrator.

NOTE : Any user account that is not logged on to the computer at this step cannot have the policies implemented for that account.
7. Log on to the computer as an administrator.
8. Click Start , click Settings , click Control Panel , and then double-click Folder Options . Click the View tab, click the Show Hidden Files and Folders option, and then click OK so that you can view the Group Policy hidden folder. Or, you can access these settings if you open Windows Explorer, click Tools , and then click Folder Options .
9. Copy the Registry.pol file that is located in the %Systemroot%\System32\GroupPolicy\User\Registry.pol folder to a backup location (for example, a different hard disk, floppy disk, or folder).
10. Open your local policy again by using either the Gpedit.msc Group Policy snap-in or your MMC console icon, and then disable the exact features that had been disabled in the original policy that had been created for that computer.
11. Close your policy editor, and then take the backup Registry.pol file that had been copied in step #9 and copy it back into the %Systemroot%\System32\GroupPolicy\User folder. Copy the backup Registry.pol file over the new, existing, Registry.pol file that had been just created by disabling the same features. When you are prompted by the operating system as to whether you want to replace the existing file, click Yes .
12. Log off from the computer, and then log on to the computer as an administrator. You can observe that the changes that had been originally made are not implemented for you because you have logged on to the computer as an administrator.
13. Log off from the computer, and then log on to the computer as another user (or other users). You can observe that the changes that had been originally made are implemented for you because you have logged on to the computer as a user (not an administrator) to that computer .
14. Log on to the computer as an administrator to verify that the local policy does not affect you as the local administrator to that computer.
To reverse the process:
1. Log on to the computer as an administrator.
2. Click Start , click Settings , click Control Panel , and then double-click Folder Options . Click the View tab, click the Show Hidden Files and Folders option, and then click OK so that you can view the Group Policy hidden folder. Or, you can open Windows Explorer, click Tools , and then click Folder Options .
3. Either move, rename, or delete the Registry.pol file from the %Systemroot%\System32\GroupPolicy\User folder. Another default Registry.pol file is created by the Windows File Protection system after you log off from or restart the computer.
4. Open the local policy: Click Start , click Run , and then type: gpedit.msc , or click Start , click Run , type: mmc , and then load the local security policy. Then, set all of the items that are set to either "disable" or "enable" to "not configured" to reverse any policy changes that had been implemented to the Windows 2000 registry as specified by the Registry.pol file.
5. Log off from the computer as an administrator, and then log on the computer as an administrator.
6. Log off from the computer, and then log on the computer as all of the users on the local computer so that the changes can be reversed on their accounts as well.

...;-)    
0
 

Author Comment

by:abacosis
ID: 12454832
Ok this is gonna take me a while to read and test .... get back to ya as soon as I have done so :)
0
 

Author Comment

by:abacosis
ID: 12455855
Ok have done this ..... but it just does not work for me.... maybe there is something wrong with my installation of windows

the problem lies at steps 5 and 6

5. Log on to the computer as an administrator. You can observe in this logon session the policy changes that had been made
earlier, as by default, the local policies apply to all users, which includes administrators.

6. Log off from the computer, and then log on to the computer as all of the other users for this computer for which you want
these policies to apply to. The policies are implemented for all of these users as well as the administrator.

As for step 5 ... yes I can see that it applies to administrator ... but it also says the policy is applied to all users... this for some
Reason is not true in my case ... I log off as admin and log in as guest as suggested in step 6 and everything is still there
On the desktop (in the case of my desktop policy).... and its all downhill from there

I'll do a clean install on one of the machines here and see if that makes a difference ... this again ... may take a while
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:abacosis
ID: 12456460
Did a clean install of Windows XP with SP2... enabled the guest account and enabled the hide desktop icons group
Policy and once again ... it only worked for administrator :(
0
 
LVL 7

Accepted Solution

by:
shahrial earned 400 total points
ID: 12457027
Create a new user account and test it on that account.
Guests - Have minimal privileges. Can be renamed. but can't be deleted. The Guest account is a special default user which is best kept disabled. ...;-)
0
 

Author Comment

by:abacosis
ID: 12466514
OMG ...... I could not believe it, just test on another account . That is soooo strange ... so whats up
With the claim that group policies by default work for "allll" users

But I did notice one thing though, changing guest to be a member of the administrator group
Did make the policy take effect.  And it lost effect when I removed guest from the administrator group

Thanks a lot man
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out what's been happening in the Experts Exchange community.
What we learned in Webroot's webinar on multi-vector protection.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question