Re: Group Policy



Yba <Yba@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanks
Your input was valuable and highly appreciated.

Regards
Yahya

You're most welcome, and best o' luck.


"Lanwench [MVP - Exchange]" wrote:

yba02 <yba02@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
There is an application on the TS box. Using Citrix, that application
is published to users. Because it is the sole window to the outside
world, I see no other way of publishing a shared folder on that same
box.

What's in the shared folder that the users need, and why does it
make a difference if it's on the same server or is a network drive
visible to the users within the application? I don't know Citrix,
but I'm puzzled.

Also, if we neglect that application, I need to make sure that
users will never be able to tamper with content of OS folders and
files.

I suggest you post this in m.p.windows.terminal_services for the
most help.

Basics: you should be running Terminal Services on a dedicated
member server with *no* other roles on the network. It should be set
up in its own OU, with a policy specifically for TS (including
loopback processing so that all users who log in get the same
settings, regardless of their own inherited user policy settings).

See KB 278295 for some good lockdown suggestions. Also see MVP
Patrick Rouse's articles at
http://www.sessioncomputing.com/articles.htm



I'm grateful for your contribution and would like to hear your
suggestions on how to perform that.

Thanks
Yahya

"Lanwench [MVP - Exchange]" wrote:

yba02 <yba02@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
Doing that was excellent. However, I faced a little problem that
needs some workaround.
The TS I want to dispense to users has 2 drives, to which I want
to prevent access. However, I still have to offer the users a
shared folder on either drive.

I'm not sure what that means. Why would you have any data on the TS
box anyway? Your data should be on a file server - the TS box
should be nothing but a terminal server, with no other roles on
the network.


I'm still scratching my head till now.

Thanks
Yahya

"Lanwench [MVP - Exchange]" wrote:

yba02 <yba02@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
AD stands for Active Directory, a Windows server infrastructure
where a collection of PCs and servers are controlled from a
single point.

As a matter of fact Lanwench, I should have posted this inquiry
in Windows Server group, as I was actually talking about AD
environment. With AD in effect, how to do that? I tried it on a
member server's GP but it did not allow for user groups
exclusions. Do I have to do it on the DC domain policy
management console?

You can edit domain policies from a member server (or a
workstation, even) if you're using an account with sufficient
permissions - I'd use GPMC.

You can use the "deny" checkbox in "apply group policy" for stuff
that shouldn't apply to administrators. That would be useful if
you had, say, a Terminal Server or kiosk machine, and had
policies linked to its OU with loopback processing enabled - so
that all users would get the same settings on that box.

Or, if this isn't a Terminal Services or kiosk box, it would be
better to put your users & computers in different OUs, so that
you can link a "user" policy to your domain user OU (or
department OU or whatnot), and it wouldn't affect your
administrators.


Thanks
Yahya

"Lanwench [MVP - Exchange]" wrote:

Twayne <nobody@xxxxxxxxxxxxxxxxxxx> wrote:
yba02 <yba02@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
Running Windows XP SP2.
Is there a way where I can apply group policy on some users and
exclude other users, such as administrators? Example, I need to
restrict access to all hard disks on the machine on members of the
"users" group, while members of "administrators" group can still
access those HD's.

Any input is highly appreciated.

Thanks
Yahya

Not without AD. In standalone XP & 2k, local policies are per
machine, not per user. Check out Windows Steady State or Doug Knox's
XP Security Console (google it) for options.

But it could be done by assigning the users to user groups, could it
not? Some admin, some power users, etc.? Admins will have access to
all, and others limited as the programmer prefers, right?

What do you mean by "AD"?

Twayne

AD = Active Directory.

Without AD in use, you can't use policies unless you want them
to affect all users per machine - group membership has nothing
to do with it. The word "group" in "group policy" frequently
confuses people :-)
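
The security filtering and loopback processing discussed in this thread, as an added Python model that is not part of any poster's message and is not Microsoft's code. The GPO names, setting keys and group sets are constructed for illustration; only the evaluation rules (Deny on "Apply group policy" wins over Allow, and loopback takes user settings from the GPOs linked to the computer's OU) are modelled.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

@dataclass
class GPO:
    name: str
    user_settings: dict
    # ACEs for the "Apply group policy" permission: (group, ALLOW or DENY)
    apply_aces: list = field(
        default_factory=lambda: [("Authenticated Users", ALLOW)])

def gpo_applies(gpo, token_groups):
    """Security filtering: a Deny ACE for any group in the token wins."""
    matched = [kind for group, kind in gpo.apply_aces if group in token_groups]
    return DENY not in matched and ALLOW in matched

def resulting_user_settings(user_groups, user_ou_gpos, computer_ou_gpos,
                            loopback=None):
    """Merge user settings. loopback is None, "merge" or "replace"."""
    if loopback == "replace":      # only the computer OU's GPOs count
        gpos = computer_ou_gpos
    elif loopback == "merge":      # computer OU's GPOs applied last, so they win
        gpos = user_ou_gpos + computer_ou_gpos
    else:                          # normal processing: the user's own OU
        gpos = user_ou_gpos
    result = {}
    for gpo in gpos:
        if gpo_applies(gpo, user_groups):
            result.update(gpo.user_settings)
    return result

# Constructed sample: a lockdown GPO linked to the Terminal Server OU,
# with Deny on "Apply group policy" for Domain Admins.
TS_LOCKDOWN = GPO("TS Lockdown", {"hide_drives": "C,D", "no_run": True},
                  [("Authenticated Users", ALLOW), ("Domain Admins", DENY)])
SALES_DESKTOP = GPO("Sales Desktop", {"wallpaper": "sales.bmp"})

USER = {"Authenticated Users", "Domain Users"}
ADMIN = {"Authenticated Users", "Domain Users", "Domain Admins"}

if __name__ == "__main__":
    for label, groups in (("user", USER), ("admin", ADMIN)):
        print(label, resulting_user_settings(
            groups, [SALES_DESKTOP], [TS_LOCKDOWN], loopback="replace"))
```
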


