Need some help with Group Policies in Win2KPro here...

[Sukhoi]

I would like to have several users on my computer all with different levels of access. I understand this can be done by using the Group Policies snap-in in the MMC program. Correct?

I can get the Group Policies thing loaded, and even find what I want to change (what loads on the start menu, etc.). However, how do I pick what different kinds of users these policies affect? In the Group Policies snap-in I only see "User Configuration" and nothing relating to the different kinds of users (meaning Power User, Guest, User, etc.) that I want to have.

So how do I set different levels of access for different users? Thanks!

 

[RaySun2Be]

I normally use the Users & Passwords found in the Control Panel.

Open, then go to advanced features tab, then Advanced User Management button. Create the groups you want (There are default ones, admin, power users, users), define the group security settings.

Then create the users, (right click on Users) and as part of their properties, define what group(s) they belong to.

I would recommend using the default groups at first, or at least verifying that those groups provide what you need, then refine security and access requirements from there.

 

[Sukhoi]

Hmm, I'm following everything you have there, except for the part about "define the group security settings." How do I get there? I don't see anything about security settings on any right-click menus or anywhere else.

 

[RaySun2Be]

Ah. I believe you set what group has access to what functions in the Local Security Settings process, found in Control Panel, Administrative Tools.

Local Policies, User Rights Assignment.

But I still would recommend using the existing security groups first to see if they provide the security levels you need. If not, then create a Group and define it's access in Local Security Policies.



Lots of good reading on the Microsoft site.

Or go to the Groups and press F1 and use the Win2K Help facility.

 

[Sukhoi]

Yeah, I've been trying to use help and microsoft.com, but most of the stuff is too advanced for my little knowledge of Win2K advanced features.

Unfortunately that security screen doesn't really do what I need it to.

Ray, if you're at a Win2KPro computer, please do Start -> Run -> MMC, then Console -> Add/Remove Snap-In -> add the Group Policies snap-in. Now go to User Configuration -> Administrative Templates -> Start Menu & Taskbar. See how in there how you can remove things from the Start Menu and do those sorts of things? Now my main problem is I don't understand when I change one of those settings how I tell Win2K which type of user to apply it to. IE I might only want to turn off part of the Start Menu for Users, but not Power Users.

 

[RaySun2Be]

Ah, now you're getting in deeper than I've had a need to go yet.

I would suggest going to the Group Policy area and using Help.

 

[Sukhoi]

Thanks for trying to help.

I've tried using help in there, but I still can't figure out what the heck determines what groups/users these settings affect. I'll take a look through help again tonight incase I missed something the first time.

 

[CADsortaGUY]

Now I see what you are talking about. I haven't had to use this yet but I'm sure I'll figure it out - but I'm sure someone will answer before I find the solution.

I'm on it

CADkindaGUY

 

[Sukhoi]

I'm on it

I like the sound of that!

Right now I'm looking through Google to see if I can find any tutorials on Group Policies.

 

[Robor]

Aren't there a few "templates" that you can set for security levels on users? I'm on XP at home now and I'm too tired to go rooting through the mmc right now. I think I remember some generic templates for security levels though.

 

[CADsortaGUY]

So what you are trying to do is set different access levels for different "groups" of users?

IE for a limited user you want alot of stuff disabled but a "good" user to have some but not all of the "Power User" access?

I think I have it licked for you but I need to make sure I know what you are trying to do

CADkindaGUY

 

[Sukhoi]

Originally posted by: CADkindaGUY
So what you are trying to do is set different access levels for different "groups" of users?

IE for a limited user you want alot of stuff disabled but a "good" user to have some but not all of the "Power User" access?

I think I have it licked for you but I need to make sure I know what you are trying to do

CADkindaGUY

Yep, that's exactly what I need! I want to make a very basic account for my friends that will pretty much only let them go online and run basic programs. Then maybe a slightly higher account for real close friends that would let them get into the control panel, etc. Then I'll have my normal power user account with basically no restrictions.

 

[Sukhoi]

Hmm, check out slides 8 to 13 or so of this Microsoft PowerPoint file. Looks like I assign who the policy affects in that Active Directory screen. Since I have no experience with AD, how would I get to that screen, and would the different users of one computer all show up on that screen? Or would just the computer itself show up?

 

[CADsortaGUY]

Boy - looks like AD is a domain level type thing. Basically from what I've read while trying to access/install the Active Directory is that you need a domain controller(win2k sever) to set Active Directory settings.

Hopefully I'm wrong but looks like unless your computer is part of a domain then you are SOL:disgust:

I'm still on it - I have a need for this access/configuration control also but never got around to finding out how to implement it.

Just a comment/question - Didn't I hear somewhere that WinXP has user level configurations that use Active directory available on standalone machines?

CADkindaGUY

 

[CADsortaGUY]

Definition of Active Directory in the "help"

files.

The directory service included with Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects.

I guess this is not possible:disgust: unless a "server" is setup.

Edit - Also found this "Before you can use Active Directory, it must be installed on domain controllers in your network and tailored for your organization. "

Micro$oft strikes again

:disgust:

CADkindaGUY

 

[Sukhoi]

Dang it. :| So without having Win2K Server running somewhere there's no way for me to customize my computer? It makes no sense.

We need profiles like NT has.

 

[CADsortaGUY]

well, you can still limit users by assigning them "permissions" like Ray said but I guess you can't do the indepth stuff without having AD.

I'm still going to look for a different "fix" but I not getting my hopes up

CADkindaGUY

 

[Sukhoi]

Yeah, it doesn't look like what we want to do is possible.

Thanks for trying to help guys!

 

[Woodchuck2000]

I guess this is not possible unless a "server" is setup.

Edit - Also found this "Before you can use Active Directory, it must be installed on domain controllers in your network and tailored for your organization. "

Micro$oft strikes again

Whatever OS you're running, you can't have a domain without a server of some kind. The kind of customisation of which you speak is most commonly used when administering a large group of computers and therefore most of the documentation available tells you how to do it at the domain level rather than the local PC level.

There are a number of ways of customising the local security policies to allow different users different levels of access. I'm sitting in front of an XP box at the moment so I can't talk you through the Win2K Process. If you tell me exactly what you need to configure I'll tell you how.

 

[Woodchuck2000]

Btw, every local user in Win2K still has a profile like in NT. They're all stored in %systemdrive%\documents and settings\ (by default)

 

[Sukhoi]

Hmm, this sounds interesting. I'll be very happy if we can get it to work. Here's an example of what I want to do.

Make a user called Joe. I don't trust Joe, so I want to disable just about everything (Start Menu, stuff on the desktop, etc.) so Joe can pretty much only go online.

Now I want another user called John. John is more trustworthy than Joe, so while I will still have many restrictions (no Control Panel accessability, etc.) on John, he will be able to use most of the programs on the Start Menu, but won't be able to access any of the hard drives through Windows to look at the files there.

Is that a good enough example of what I want to do? Thanks for the help!

 

[mikecel79]

Without Active Directory you can't use Group Policy. Group Policy is for configuring and restricting permissions on a wide basis over many computers. It's a very powerful tool and you can lock down the security of a Win2k or WinXP Pro machine very effectively with it. Without a Win2k Server running AD you won't be able to do anything with Group Policies. Group Policies can be assigned to a Group of Users, Computers, Printers, etc.

You can define a Local Security Policy but this will apply to the entire machine and it's not as powerful as Group Policy. There are selected Rights in there that you can assign or remove from certain users or groups. But like I said it's not as powerful as Group Policy. You have to be careful there too cause you can really screw up your machine that way (including stopping yourself from not being able to login). I suggest you do some reading on TechNet at Microsoft's Site. They have tons of information on this.

Mike

 

[GunDog]

Give this a try.. Win2k How to's

 

[Sukhoi]

Originally posted by: mikecel79
Without Active Directory you can't use Group Policy. Group Policy is for configuring and restricting permissions on a wide basis over many computers. It's a very powerful tool and you can lock down the security of a Win2k or WinXP Pro machine very effectively with it. Without a Win2k Server running AD you won't be able to do anything with Group Policies. Group Policies can be assigned to a Group of Users, Computers, Printers, etc.

You can define a Local Security Policy but this will apply to the entire machine and it's not as powerful as Group Policy. There are selected Rights in there that you can assign or remove from certain users or groups. But like I said it's not as powerful as Group Policy. You have to be careful there too cause you can really screw up your machine that way (including stopping yourself from not being able to login). I suggest you do some reading on TechNet at Microsoft's Site. They have tons of information on this.

Mike

Yep, some of that stuff in the Local Security Policy looked like it could be quite a problem if you enabled it by accident.

GunDog, thanks for that link as I've never seen that part of Microsoft's site before.

 

[DAM]

Without having AD you can not have more than 2 group policies. One will be the admin (full access) policy and the other one will be the restricted one, and everyone will fall under the restricted one. I have researched this a lot and that is all I could find. If you do not trust someone make them users, your close friends super users, and make your brother an adminitrator. Other than that, thats all you can do. PM if you have any other questions.




dam()