From: Glenn Pearl (glennlantec.net)
Date: Thu Oct 04 2001 - 13:25:14 CDT

    I had the same situation with a school - about 35 client systems.
    Unfortunately, without Active Directory, you cannot set policies on a per
    user basis; only per machine.

    Here's how I did it:
    It got a little tricky, but what we did was take 2 Win2kPro systems in the
    domain, leave 1 logged off and log on to the other as Domain Admin. I mapped
    a drive letter (say, Q:) to the admin share (c$) of the second system,
    browsed to Q:\Winnt\system32\Group Policy folder and made a backup copy of
    it. I then opened MMC and added the Group Policy Snap-in, but selected that
    2nd machine instead of the local.

    I went through and made whatever lock-down settings I needed. Then I saved
    off the modified Group Policy folder (from Q:) to a secure server share. I
    set the permissions on Q:\winnt\system32\group policy to Deny local
    Administrators group all access (except 'Take Ownership'). This is
    important so that the restrictive policies are not applied when the
    Administrators log on to the machine, but they will be applied whenever a
    regular User logs on.

    -----Original Message-----
    From: s.leyerssubdimension.com [mailto:s.leyerssubdimension.com]
    Sent: Thursday, October 04, 2001 4:06 AM
    To: focus-mssecurityfocus.com
    Subject: Group policy W2k Pro / NT4 Pdc

    Hi all,

    Second question, another client request:

    They have an NT4 Domain with W2K pro clients.
    They want to restrict users to use only a few standard applications (word,
    excel, outlook, ... )

    While using NT4 workstations that wasn't a problem thanks to 'poledit' on
    the PDC.

    Now w2k clients just don't care about the NTconfig.pol in the \\PDC\netlogon
    share.
    I've searched the MS support website and made a few registry changes (network
    path to Netlogon share and so on)

    But it doesn't solve my problem.

    Any hints? Besides upgrading the servers to W2k :)

    Thanks all.

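The reply above depends on a Deny entry for the local Administrators group on each client's policy folder, so a periodic check that the entry is still in place is useful. The script below is an added example, not part of the original thread: it assumes a management workstation with PowerShell 3.0 or later, the machine names are constructed, and the folder path is the one written in the post.

```powershell
# Added example: audit the policy-folder ACL described in the reply.
# Machine names are constructed; the folder path is the one given in the post
# (adjust it to the actual folder name on your systems).
param(
    [string[]]$ComputerName = @('LAB-PC01', 'LAB-PC02'),
    [string]$FolderPath = 'Winnt\system32\Group Policy'
)

$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

function Test-PolicyFolderAcl {
    param([Parameter(Mandatory)] $Acl)

    # Resolve every ACE (explicit and inherited) to a SID so that localized
    # group names do not matter.
    $aces = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $deny = @($aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $AdminsSid
    })

    # Combine the rights of all matching Deny ACEs into one bit mask.
    $denied = 0
    foreach ($ace in $deny) { $denied = $denied -bor [int]$ace.FileSystemRights }

    [pscustomobject]@{
        DenyAcePresent      = $deny.Count -gt 0
        ReadDenied          = ($denied -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        TakeOwnershipDenied = ($denied -band [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership) -ne 0
    }
}

foreach ($computer in $ComputerName) {
    $unc = "\\$computer\c`$\$FolderPath"   # admin share, as used in the reply
    try {
        $result = Test-PolicyFolderAcl -Acl (Get-Acl -LiteralPath $unc -ErrorAction Stop)
        # Expected state per the reply: access denied, 'Take Ownership' left alone.
        $ok = $result.DenyAcePresent -and $result.ReadDenied -and -not $result.TakeOwnershipDenied
        '{0}: {1} (deny ACE: {2}, read denied: {3}, take-ownership denied: {4})' -f `
            $computer, $(if ($ok) { 'as described' } else { 'REVIEW' }),
            $result.DenyAcePresent, $result.ReadDenied, $result.TakeOwnershipDenied
    } catch {
        "${computer}: could not read ACL ($($_.Exception.Message))"
    }
}
```

Run it from an account that is still able to read the folder's permissions; a machine reported as REVIEW either lost the Deny entry or has one that differs from what the reply describes.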