Re: Group Policy????

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/27/05 

Date: Mon, 27 Jun 2005 07:48:11 -0700

You have some great info already in Slav's and Steve's posts.

You need to read up some as Steve suggested before taking this
to the GP newsgroup so that you can state your requirements more
precisely when you do.

While you can do everything (and more) with group policy from AD
that you can do with local security policy, there are some limitations.
The main one that seems to show up in your requirements is that you
want to make some settings unique to each machine, like only the
"Owner" (whatever that is) of each machine may use that machine.
Group policy is not good at setting things in this way to one machine,
that way to a different machine, and yet another way for a third.
Here, every machine would need to have a different setting for the
Log on locally policy - which implies that you would need to define
a different GPO for each machine to deliver this machine unique
settings. While this can be done, and this might not be so bad in a
small environment, it is not tenable in a larger one. There are third
party extensions for group policy that are of use when such "fine
tuning" is needed. 

-- 
Roger Abell
Microsoft MVP (Windows  Security)
"udi via WinServerKB.com" <forum@WinServerKB.com> wrote in message
news:506BDE30F5A10@WinServerKB.com...
> I have 1 Windows 2003 Ent. Server (Domain) and 60 Windowxp professional
> client.
> I want to implement Group Policy in our Domain Environment.
> Also I want to implement Local Policy on Every Client Machine.
>
> I want to apply following restriction in our Domain.
> 1) Nobody's Logon to Local Machine
> 2) Restrict all the Local System Resource except Owner of machine.
> 3) Nobodys access local machine from network
> 4) Restrict Operating System Drive on every client machine.
>
> Group Policy Object.
> 1) Restrict Software installaltion for user
> 2) Restrict some network sources.
>
> Can anybodys help me on this, also suggest any other activities restrict
> through Group Policy as well as Local Machine Group Policy.
>
> Please guide me step by step..I so can easily implement in our domain
> environment.
>
> Regards
> Udi
>
>
> -- 
> Message posted via WinServerKB.com
>
http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200506/1

Relevant Pages

  • Re: Prevent to use Network Neighbourhood,Clock,Printer,etc.
    ... Windows 2000 workstation. ... Having said that you can restrict or "hide" much ... of influence of the Group Policy if you configure it at other than domain ... User could not be able to change any Printer settings. ...
    (microsoft.public.win2000.security)
  • Re: Group Policy???
    ... > I want to implement Group Policy in our Domain Environment. ... > Also I want to implement Local Policy on Every Client Machine. ... > 1) Nobody's Logon to Local Machine ... > 2) Restrict all the Local System Resource except Owner of machine. ...
    (microsoft.public.windows.server.general)
  • Re: Group Policy????
    ... Use domain/OU policies - they override local policies, ... > I want to implement Group Policy in our Domain Environment. ... > 1) Nobody's Logon to Local Machine ... > 2) Restrict all the Local System Resource except Owner of machine. ...
    (microsoft.public.windows.server.security)
  • RE: Disabling sharing and group policies
    ... user on an active directory domain cannot change group policy objects. ... Linux, hash the repair dir...etc), log on to local machine as administrator ... policies are not an iron clad security measure. ... Download a FREE whitepaper on Security Policy Automation for Web Applications. ...
    (Focus-Microsoft)
  • Re: Group Policy???
    ... > I want to implement Group Policy in our Domain Environment. ... > Also I want to implement Local Policy on Every Client Machine. ... > 1) Nobody's Logon to Local Machine ... > 2) Restrict all the Local System Resource except Owner of machine. ...
    (microsoft.public.windows.server.active_directory)