Re: Group Policy

Doing that was excellent. However, I faced a little problem that needs some
The TS I want to dispense to users has 2 drives, to which I want to prevent
access. However, I still have to offer the users a shared folder on either
drive. I'm still scratching my head till now.


"Lanwench [MVP - Exchange]" wrote:

yba02 <yba02@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
AD stands for Active Directory, a Windows server infrastructure where
a collection of PCs and servers are controlled from a single point.

As a matter of fact Lanwench, I should have posted this inquiry in
Windows Server group, as I was actually talking about AD environment.
With AD in effect, how to do that? I tried it on a member server's
GP but it did not allow for user groups exclusions. Do I have to do
it on the DC domain policy management console?

You can edit domain policies from a member server (or a workstation, even)
if you're using an account with sufficient permissions - I'd use GPMC.

You can use the "deny" checkbox in "apply group policy" for stuff that
shouldn't apply to administrators. That would be useful if you had, say, a
Terminal Server or kiosk machine, and had policies linked to its OU with
loopback processing enabled - so that all users would get the same settings
on that box.

Or, if this isn't a Terminal Services or kiosk box, it would be better to
put your users & computers in different OUs, so that you can link a "user"
policy to your domain user OU (or department OU or whatnot), and it wouldn't
affect your administrators.


"Lanwench [MVP - Exchange]" wrote:

Twayne <nobody@xxxxxxxxxxxxxxxxxxx> wrote:
yba02 <yba02@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Running Windows XP SP2.
Is there a way where I can apply group policy
on some users and
exclude other users, such as administrators?
Example, I need to
restrict access to all hard disks on the
machine on members of the
"users" group, while members of
"administrators" group can still
access those HD's.

Any input is highly appreciated.


Not without AD. In standalone XP & 2k, local
policies are per
machine, not per user. Check out Windows Steady
State or Doug Knox's
XP Security Console (google it) for options.

But it could be done by assigning the users to
user groups, could it not? Some admin, some power
users, etc.? Admins will have access to all, and
others limited as the programmer prefers, right?

What do you mean by "AD"?


AD = Active Directory.

Without AD in use, you can't use policies unless you want them to
affect all users per machine - group membership has nothing to do
with it. The word "group" in "group policy" frequently confuses
people :-)


Relevant Pages

  • RE: Installing Software and Permissions
    ... MCSE, CCEA, Microsoft MVP - Terminal Server ... member of Domain Admins... ... until user1 was added directly to the TS Servers Local Admins ... Server - Administrators 6) All in all the Local Administrators ...
  • Re: Group Policy
    ... Your data should be on a file server - the TS box should be nothing ... You can edit domain policies from a member server (or a workstation, ... and it wouldn't affect your administrators. ...
  • Re: Administrator cant change security
    ... administrators group on the domain member can configure permissions on any ... computers can not reliably contact a domain controller. ... I'm signing on as Administrator on a second Windows 2003 server that is ...
  • Re: Does not permit login interactively
    ... administrators listed in the logon locally user right and have the deny logon locally ... If you can logon to a domain member computer as a domain administrator, ... adminpak on that computer from the install cdrom for Windows 2000 Server in the /I386 ... Security Policy to configure logon locally user right to have the administrators ...
  • Re: Group Policy
    ... Windows Server group, as I was actually talking about AD environment. ... You can edit domain policies from a member server ... shouldn't apply to administrators. ...