Re: How to apply different Group Policies to different users on standalone Windows XP pro machine
From: David Jones (kk7gw@yahoo.com)
Date: 11/16/02
- In reply to: Chris: "Re: How to apply different Group Policies to different users on standalone Windows XP pro machine"
From: "David Jones" <kk7gw@yahoo.com> Date: Sat, 16 Nov 2002 13:59:30 -0800
I'm not guessing, I'm telling you what you can do with
the parameters you've laid out.
It isn't exactly what you want, because it isn't possible
to do this via group policy with what you've mentioned.
Use NTFS, create user groups for each of the groups you
mention.
Go find each thing you want/don't want each group to
access, and deny or allow access to each using NTFS
permissions. Deny access will trump any allow access
ACEs set, if someone is in more than one group.
You can deny control.exe if you don't want Control panel
access, for example, or deny just appwiz.cpl if you want
to deny access to Add/Remove Programs.
You can do the same thing on hives or keys in the
registry.
You can deny access to GP settings by denying permissions
on gpedit.msc, etc. See where I'm going with this?
No, it isn't easy in this setup. It's much easier in a
domain environment because you can limit machines to
only allow domain users the ability to log on, and even
allow only certain domain users or groups the ability to
log on to only certain machines at certain times, etc.
You CAN specify individual policies for each domain user
or group in a domain environment, you can even set
individual policies per machine on the domain. You CAN'T
set per-user policies on a standalone machine.
With a standalone machine, the closest you can get to
what you're talking about is a combination of various
NTFS allow/deny permissions on objects you want to
control, registry permissions on hives and keys you want
to control, etc.
Sure, that could be automated. No, I don't know of any
products that would do it. There are ways to develop an
app/service that would flip various permissions and
policies based on what user logs on, but telling someone
how to design and develop a service like this step-by-step
is not very suited for a newsgroup.
I'm sorry I can't just tell you one magic button to
press. There are plenty of resources such as books,
TechNet, MSDN, etc. that can explain to you what you can
and can't do in this configuration. You can also hire
consultants to take a look at your exact problem and give
you a ready-to-go solution.
Domain policies WILL be stored locally on each domain
machine as far as certain configurations go, but most of
the per-user stuff requires access to a domain controller
on each user logon.
Any good book on Windows 2000 Server will tell you how it
works.
This isn't me guessing about anything. Go find the info
you need. It's out there. What I've mentioned is the
route you can go if you need totally standalone
machines. That's security as a concept. You gave a
configuration, that's the solution with standalone
machines and lots of different groups.
>-----Original Message-----
>I am talking about security as a concept, not "NTFS security", so please
>read my post carefully, before you post a solution, I believe I am specific
>enough to understand the problem that I have. Please, no guesses, just
>solutions.
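
Added example, not part of the original post: a simplified Python model of how Windows walks a DACL, showing the deny-over-allow behaviour the message describes for a user who is in more than one group. The group names, mask bits and helper functions are assumptions made for illustration; the model goes slightly beyond the post by also covering canonical ordering, where an explicit allow ACE is evaluated before an inherited deny ACE.

```python
from dataclasses import dataclass

READ, EXECUTE = 0x1, 0x2  # simplified access-mask bits (constructed, not real Windows values)

@dataclass(frozen=True)
class Ace:
    kind: str             # "deny" or "allow"
    sid: str              # group/user name standing in for a SID
    mask: int             # rights this ACE denies or allows
    inherited: bool = False

def canonical(dacl):
    """Canonical order: explicit ACEs before inherited ones, deny before allow in each."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_sids, dacl, desired):
    """Walk ACEs in order: a matching deny on a still-needed right fails the
    request; matching allows accumulate until every desired right is granted."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                      # ACE does not apply to this logon
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if not remaining:
            return True
    return False                          # rights never granted: implicit deny

# Constructed DACL for appwiz.cpl: "Users" may run it, hypothetical "Kiosk" group may not.
APPWIZ = canonical([
    Ace("allow", "Users", READ | EXECUTE),
    Ace("deny", "Kiosk", READ | EXECUTE),
])

# Edge case: the deny is inherited from the parent folder, the allow is set on the file.
INHERITED_DENY = canonical([
    Ace("deny", "Kiosk", EXECUTE, inherited=True),
    Ace("allow", "Users", EXECUTE),
])

if __name__ == "__main__":
    both = {"Users", "Kiosk"}
    print("Users+Kiosk, explicit deny :", access_check(both, APPWIZ, EXECUTE))
    print("Users only                 :", access_check({"Users"}, APPWIZ, EXECUTE))
    print("Users+Kiosk, inherited deny:", access_check(both, INHERITED_DENY, EXECUTE))
```

When planning deny ACEs per group, set them directly on the object (or check the effective permissions) so an explicit allow lower in the tree does not win over a deny inherited from a parent folder.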