Deploying Group Policy to Multiple PCs

[ignotiev]

I run a small computer lab of 10 laptops using Windows 7 x64 Enterprise edition. In order to prevent users from changing the settings, I have created a Group Policy Object that restricts access to the Control Panels, among other things.

When I built the GPO just the way I need it, I found out that I couldn't transfer the object. The new computer simply does not have the permissions to use the object and I haven't been able to figure out a work around. My research suggests that this problem is usually solved by enforcing group policy through use of Server 2008, an option I don't have.

Does anyone know of a way I can transfer Group Policy made on one computer to another without manually rebuilding it?

 

[IndyColtsFan]

I run a small computer lab of 10 laptops using Windows 7 x64 Enterprise edition. In order to prevent users from changing the settings, I have created a Group Policy Object that restricts access to the Control Panels, among other things.

When I built the GPO just the way I need it, I found out that I couldn't transfer the object. The new computer simply does not have the permissions to use the object and I haven't been able to figure out a work around. My research suggests that this problem is usually solved by enforcing group policy through use of Server 2008, an option I don't have.

Does anyone know of a way I can transfer Group Policy made on one computer to another without manually rebuilding it?

Typically, most of the group policy changes correspond to registry settings so you could potentially use a reg scanner to do a before/after scan and capture the changes to apply to other PCs.

Otherwise, can you just make a master image from the system and reimage the other systems? There might be another way to do it but I've always been in enterprise environments and used a server.

 

[RebateMonger]

Afraid I don't know much about applying policies to individual computers. Just in case you aren't aware of it, though, you can get a complete Dell T110 with Server 2008 R2 Foundation Server pre-installed, for about $800. That includes licenses for fifteen users. This can be a Domain Controller and can do about everything that "full" Windows Server 2008 can do except for Virtualization. It'd make applying Group Policies and other PC management tasks much easier.

 

[stlcardinals]

I just did some quick googling on this so i can't vouch if it works. Apparently you can copy the contents of c:\WINDOWS\system32\GroupPolicy to the other computers.

 

[snikt]

I just did some quick googling on this so i can't vouch if it works. Apparently you can copy the contents of c:\WINDOWS\system32\GroupPolicy to the other computers.

This will work. You will need to unhide files and folders in order to see the Group Policy folder on both the source machine and target machines. After you copy the Group Policy folder reboot and you'll be good to go. It will be a hassle when you need to do administrative stuff on the boxes if the GPs are really restrictive.

We used to lock down our boxes that were accessible to the public and not on our domain this way, now we just use Microsoft's SteadyState, which works great.

 

[stlcardinals]

Yeah, but they have no intentions of porting SteadyState to Windows 7.

 

[ignotiev]

I just did some quick googling on this so i can't vouch if it works. Apparently you can copy the contents of c:\WINDOWS\system32\GroupPolicy to the other computers.

I tried this with no success.

I think I might be using the wrong jargon. What I have done is created a Microsoft Common Console Document (.msc) with the Microsoft Management Console and used the Group Policy Object snap in. I have set this to apply to a particular user and then edited the settings under "Administrative Templates".

When I try to open this file on another computer, I get the error "Failed to open the Group Policy Object on this computer. You may not have appropriate rights." The details read, "No mapping between account names and security IDs was done".

The back story to my problem is that I created an image where the .msc file worked. I sysprepped the image before I cloned it which seems to be the problem. Sysprep seems to delete information related to the permission governing access to the file.

 

[Tsaico]

In my lab setups, I have deep freeze. It is a utility that allows me to setup a configuration that I like, apply it, then "freeze" the installation. Once this is done, just a reboot causes everything to be lost and revert back to the origional setup. Works well in situations where there is a regular user that comes back to a particular station and does not have cumulative work to do. (or if they undertand they need to save their work on a external drive.)
http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeKeyFeatures.aspx
is the product sheet. It is failry cheap too. With just a few machines, the standard should be fine, but if you have more or anticipate growing more, I woudl recommend teh enterprise edition, allows you to lock and unlock the machines by name unlock them all at the same time, really a handy utility.

They also have some other utilites that would work great in classroom and lab style setups, like Insight and the Igloo.