run > gpedit
the question and queries below are for server 2003, standalone (workgroup), iis6.
cannot for the life of me figure out how to set different policies for each separate user that logs on.
i will be using the administrative templates under "local computer policy".
i want to be able to set the desktop with minimal icons, remove or restrict what they can do.
so my question is: how do i go about giving a user a policy that i set??
I do hope it can be done.
please explain in detail.
run > gpedit
If these are standalone computers how do many people log on? Do you have several local users on each PC?
If you don't want to go the Domain route; have user accounts and computer accounts that you can assign policies to as you'd like, I'd recommend MSs Steady State.
With that you can lock down the machine very well, to chosen local users.
Thanks to you all for your immediate advice.
I will answer you individually:
Mark: what you suggested (steadystate) is something i have not heard of before. i read the information and it is exactly what i want, to be able to lock down individual user accounts dependent on their security risk. BUT it will not run for server 2003. a pity as it seemed perfect.
the number of people accessing is about 12; one administrator which can see everything and users which i want to severely restrict what they can see and do. hence i need to be able to do this using individual or group policy. if i do this using account policies with administrative or computer policy then it effects everybody, including the administrator. thats why i want to apply separate policies (groups or users).
using "gpedit", this sets policies for everybody, including administrator. then i would not be able to administrate the computer.
please keep your advice coming as i really need to crack this.
thank you J
Well Steady State is for workstations only - you asked for a standalone lockdown solution - ie not connected to a 2003 domain - and that's it.
In Active directory to create seperate policies to apply to different configurations. According to Microsoft you set up your AD structure to mirror your staffing structure.
What you get is exactly what you see in Steady State - just not so pwetty
To use Active Directory your PCs have to be on the domain, and not part of a workgroup - I think is the fundamental problem. Go ask for training on 2003 Domain administration.
To explain, maybe the way i explained the setup you miss understood.
the computer is a standalone, meaning, is not in a domain, not a domain controller, is just a computer running server 2003.
users logon to this, and i want them just to see what i want them to see. as an example: if i were to empty the desktop of everyhting and just place a shortcut to a directory somewhere on the computer, which would let them see files located there, this is the only thing they could see; and could alter nothing.
i realise i could do what i wanted using active directory, but this is not installed for various reasons, mainly as the computer has nothing to do with domains.
you mentioned it being a workstation, well not exactly. a workstation for me, but the others connect from the network. its a server, on a network (workgroup)where users connect using terminal services. so when the user is authenticated a policy comes into place giving them the desktop view and restrictions i have set.
hope that helps.
i have tried messing around with registry.pol file and it will not work.
am sure the answer is very simple.
So the machine is setup as a terminal server, and you want to lock down terminal server users, on an individual basis, without Active Directory.
Simple shortcuts to the desktop kind of customisation is just a matter of editing the users home area under documents and settings > user name. Findthe desktop folder to customise it.
The All user and Default user settings only apply to new users logging in.
Seems a freakishly dangerous way to do anything. Setting up Active directory wouldn't be so hard: http://www.petri.co.il/active_direct...quirements.htm
system mechanic has tools to lockdown individual user accounts
I think I have the version 6 with the licence code (not even used) about some place I will send it you if you like.
thanks for your answers.
ok. i am holding back from installing active directory.
i appreciate that i could do what i am asking with AD installed.
nevertheless, what you suggest is what i had in mind; a simple way to maybe achieve what i require. i shall set up a test scenario and see how it all looks.
i looked at the web site you included about installing AD, and shall read this very closely and come to a decision whether to take the plunge or not.
there are still issues which i cannot see how to achieve; one being how would i stop the users gaining access to the control panel? maybe this cannot be done without installing AD!!
thanks kindly for the offer of the software. although i would rather find a solution using just server 2003.
I appreciate the help you are all giveing me.
thanks again J
There are currently 1 users browsing this thread. (0 members and 1 guests)