Group Policy Questions


I have a Win2k3 server set up at work and have two questions:

1) If I want to set it so that a certain user group can visit only one website, how can I do that? I know it has something to do with zones, but I can't find the right group policy setting...

2) How can I set it so that every user I create on my domain has a certain set of icons on their desktop without roaming profiles? I ask this because I have seen it done before.

Thanks


I have a Win2k3 server set up at work and have two questions:

1) If I want to set it so that a certain user group can visit only one website, how can I do that? I know it has something to do with zones, but I can't find the right group policy setting...

2) How can I set it so that every user I create on my domain has a certain set of icons on their desktop without roaming profiles? I ask this because I have seen it done before.

Thanks

I'm not sure about the first one (try Content Advisor?), but for 2 you can just place the icons in the Default User's desktop directory and any user that logs in after that will have the same icons created for them. That's assuming you don't have a lot of PCs ... if you do, use something like an SMS package to create these icons in the default user ...


OK, since I have only 1 or 2 sites I want the computer to be able to access, I will just proxy everything else to an access denied webpage, and create exceptions for the allowed pages.

I have another question though. I want to make a start menu that just has shut down, log off, and internet explorer. I removed everything, but Printers & Faxes and My Computer are still there. I don't know if I missed it or not, but is there a group policy object to get rid of these?


Yeah, you missed those group policy settings because they are in there. Look again. As far as blocking websites goes, the easiest way of doing this is to get a firewall or a piece of software that will manage the internet content.

Have fun!!!


1) If I want to set it so that a certain user group can visit only one website, how can I do that? I know it has something to do with zones, but I can't find the right group policy setting...

This is the function of a firewall or proxy server - don't confuse Group Policy with security.

I would not recommend using Group Policy to achieve this, if the user can launch another browser such as Firefox (which you can do without installing it), then Group Policy is effectively useless.


3 weeks later...

I need the same help too. I tried folder redirection but it doesn't seem to work. However, this is my situation...

I have 2-3 groups of desktops, each supposed to use a different set of settings. Like I said, I tried to use folder redirection for each group but it still shows the default settings when users log in (e.g. desktop icons not changed, my docs not changed, start menu not changed). Each group of users is supposed to be seeing different desktops/start menus...

I'm not sure about the first one (try Content Advisor?), but for 2 you can just place the icons in the Default User's desktop directory and any user that logs in after that will have the same icons created for them. That's assuming you don't have a lot of PCs ... if you do, use something like an SMS package to create these icons in the default user ...


I need the same help too. I tried folder redirection but it doesn't seem to work. However, this is my situation...

I have 2-3 groups of desktops, each supposed to use a different set of settings. Like I said, I tried to use folder redirection for each group but it still shows the default settings when users log in (e.g. desktop icons not changed, my docs not changed, start menu not changed). Each group of users is supposed to be seeing different desktops/start menus...

Since it sounds like your policies are not applying, you should check what's going on by:

  • Confirming that your GPO for folder redirection has been correctly configured for the different groups
  • Once you've logged in as a user, run rsop.msc to determine what GPOs have been applied
  • Check the event log for any problems
  • Make sure you have no DNS problems :)
  • ...

Fairly standard troubleshooting really. We use folder redirection (all 3 types: Start Menu, My Documents, Desktop) for different groups here at work: no problems at all when users log in and out after each other.

..., but for 2 you can just place the icons in the Default User's desktop directory and any user that logs in after that will have the same icons created for them. That's assuming you don't have a lot of PCs ... if you do, use something like an SMS package to create these icons in the default user ...

If you don't have the resources to support SMS like us (e.g., cost, personnel to package applications, not to mention that it's overkill for the above task), you can achieve this with a simple VB script or even a batch file if you must. Just create some shortcuts that point to the applications you want, then do some simple code to copy the files into C:\Documents and Settings\All Users\Desktop if they don't exist. Solved.

By the way, the problem with placing them in the Default User's folder is that if they already have an existing profile, you can't enforce these shortcuts to be placed on the Desktop. Hence, placing them in the All Users > Desktop folder will sort that out.

Edited by fault

What is SMS? I have my start menu working but not the desktop and my documents, which means there are still the default icons. I redirected each to the group's server folder (start menu, desktop, my docs). Do you mean I have to copy the shortcuts into the folders, and what are the codes I have to use?

Next I have another problem, that is... I have a stretch of desktops (9? of them). 8 out of 9 of the desktops inherited the same policy settings but 1 did not. What could have been the problem? Is there such a thing as a corrupted policy?

Since it sounds like your policies are not applying, you should check what's going on by:

  • Confirming that your GPO for folder redirection has been correctly configured for the different groups
  • Once you've logged in as a user, run rsop.msc to determine what GPOs have been applied
  • Check the event log for any problems
  • Make sure you have no DNS problems :)
  • ...

Fairly standard troubleshooting really. We use folder redirection (all 3 types: Start Menu, My Documents, Desktop) for different groups here at work: no problems at all when users log in and out after each other.

If you don't have the resources to support SMS like us (e.g., cost, personnel to package applications, not to mention that it's overkill for the above task), you can achieve this with a simple VB script or even a batch file if you must. Just create some shortcuts that point to the applications you want, then do some simple code to copy the files into C:\Documents and Settings\All Users\Desktop if they don't exist. Solved.

By the way, the problem with placing them in the Default User's folder is that if they already have an existing profile, you can't enforce these shortcuts to be placed on the Desktop. Hence, placing them in the All Users > Desktop folder will sort that out.


2) How can I set it so that every user I create on my domain has a certain set of icons on their desktop without roaming profiles? I ask this because I have seen it done before.

Thanks

Novell ZENworks does this on the fly.

You will need to use login scripts and copy the shortcuts over, or use the All Users folder to take care of things.


What is SMS?

Currently it's Microsoft Systems Management Server: see all the product details at http://www.microsoft.com/smserver/default.mspx. Next year, with the expected release of the new server products, it'll be renamed System Center Configuration Manager 2007.

I have my start menu working but not the desktop and my documents, which means there are still the default icons. I redirected each to the group's server folder (start menu, desktop, my docs).

I think you may be confused? Any existing shortcuts\files placed in C:\Documents and Settings\All Users\Desktop will still display on the user's desktop (as well as their own set of Desktop shortcuts\files in their redirected path). This is by design. You'll have to manually delete these (ideally with a script).

As for the My Documents redirection, hmm, you should be able to right click on My Documents and choose properties to confirm the redirected path. If it hasn't been applied, a common problem is that insufficient and incorrect permissions have been applied to the user's redirected folder (in which case, this will show up in the event viewer which you should be checking for any other clues).

Do you mean I have to copy the shortcuts into the folders...

Yes, if you want a standard set of shortcuts on the user's desktops, one way to enforce it is to copy the shortcuts onto the local machine into the following path C:\Documents and Settings\All Users\Desktop as mentioned. Standard domain users cannot delete these files unless they have administrative privileges to their machine (which you should have a very good reason for if they do).

... and what are the codes i have to use?

That depends on which approach you take. You could do it with a batch file (.bat) or VB script (.vbs). The latter is more powerful and still quite easy to do for your task. This should get you started on how to make a simple script to copy a file: http://www.computerperformance.co.uk/ezine/ezine36.htm. Then you just need to add some If/Else logic to check whether the file exists, before copying it.

Next I have another problem, that is... I have a stretch of desktops (9? of them). 8 out of 9 of the desktops inherited the same policy settings but 1 did not. What could have been the problem? Is there such a thing as a corrupted policy?

Assuming they're all configured the same, dunno. Check the event log for any problems or force an update by typing "gpupdate /refresh" at the Command Prompt.

Edited by fault

I think you may be confused? Any existing shortcuts\files placed in C:\Documents and Settings\All Users\Desktop will still display on the user's desktop (as well as their own set of Desktop shortcuts\files in their redirected path). This is by design. You'll have to manually delete these (ideally with a script).

As for the My Documents redirection, hmm, you should be able to right click on My Documents and choose properties to confirm the redirected path. If it hasn't been applied, a common problem is that insufficient and incorrect permissions have been applied to the user's redirected folder (in which case, this will show up in the event viewer which you should be checking for any other clues).

Using the user's login, I have tried creating a new Word document on the desktop. However, it is not reflected in the user's server folder. Could I have missed some settings, or is it supposed to be stored locally? The fact is that I have redirected the desktop to a folder on my server, D:\.....\users\john\desktop

Yes, if you want a standard set of shortcuts on the user's desktops, one way to enforce it is to copy the shortcuts onto the local machine into the following path C:\Documents and Settings\All Users\Desktop as mentioned. Standard domain users cannot delete these files unless they have administrative privileges to their machine (which you should have a very good reason for if they do).

That means any users (be it the same policy group or another) can log in and they would only be seeing the items in that path, right?

That depends on which approach you take. You could do it with a batch file (.bat) or VB script (.vbs). The latter is more powerful and still quite easy to do for your task. This should get you started on how to make a simple script to copy a file: http://www.computerperformance.co.uk/ezine/ezine36.htm. Then you just need to add some If/Else logic to check whether the file exists, before copying it.

I am using a .bat file for logon, and I have no idea what it does.

Assuming they're all configured the same, dunno. Check the event log for any problems or force an update by typing "gpupdate /refresh" at the Command Prompt.

Where can I check the event log?


Answer to #1. Probably the easiest is via Group Policy.

Set up 2 proxy.pac files on a local HTTP server in the root directory.

One will use the correct proxy for general access to the internet - I suggest you call this wpad.dat and create a permanent redirect to proxy.pac - see the optional bit below.

The other will have an exception for the one URL you wish to access and will either point directly to it, or to the correct proxy, or to a null proxy - I have used 127.0.0.1 as a proxy to prevent certain sites being accessed before. Call this one restricted.pac.

Now in GP, go to the Internet config page and set up the GP relating to Internet Settings on a user basis for that OU. Point the Auto Config URL to http://wpad/restricted.pac

For the rest, point them to http://wpad/proxy.pac

Optional but advantageous.

All you need to use then is a CNAME WPAD to your web host, and Internet Explorer will find this with the settings set to Automatically Detect Settings (handy for laptops that go home and have broadband).

I use this for laptops that are on a workgroup and where the owner has broadband at home. If they have dialup or no internet I point their autoconfig to http://wpad/proxy.pac

This could also be achieved via an ISA server - but it is far more complex and would involve checking the OU of the user - why do that when you already have a procedure in place for sending settings to client machines based on the OU?

Using the above steps - you effectively kill 4 birds with one stone.

You prevent "Automatically Detect Settings" from bypassing your network.

You prevent the restricted OU from accessing any site bar the ones you permit.

You allow other OU's to access the internet via the correct proxy.

Both restricted.pac and proxy.pac are stored centrally and can be updated once - without needing to update any workstations. You can add another URL to the restricted one and allow two domains, or you can choose different proxies based on the OU. [We filter students more through a Squid proxy that has more controls in place]
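The two PAC files the post above describes, written out as an added example (not the poster's own files). A PAC file is JavaScript: the browser calls FindProxyForURL(url, host) for each request and obeys the returned string. The browser normally supplies helpers such as dnsDomainIs() and isPlainHostName(); they are re-implemented here with pre-ES5 syntax so the same file runs under an old JScript engine and under Node for testing. The names proxy.school.example:3128, school.example and allowed.example.com are assumptions; replace them with your own. In a deployed file keep only one of the two functions and name it FindProxyForURL.

```javascript
// Added example: restricted.pac and proxy.pac as two functions in one file.
// Assumed names (not from the thread): real proxy, internal domain, permitted site.
var REAL_PROXY = "PROXY proxy.school.example:3128";
var INTERNAL_DOMAIN = ".school.example";
var ALLOWED_HOST = "allowed.example.com";
// "Null proxy" trick from the post: nothing listens on 127.0.0.1, so every
// request sent there simply fails. The browser is told to proxy, not DIRECT.
var NULL_PROXY = "PROXY 127.0.0.1:80";

// Re-implementation of the PAC built-in: true when host ends with domain.
// Note the leading dot in domain: "notallowed.example.com" must NOT match
// ".allowed.example.com", which a plain substring check would get wrong.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Re-implementation of the PAC built-in: true for single-label names (intranet).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// restricted.pac for the restricted OU: the one permitted site (and its
// subdomains) goes DIRECT; everything else is sent to the null proxy.
function FindProxyForURLRestricted(url, host) {
  host = host.toLowerCase();
  if (host === ALLOWED_HOST || dnsDomainIs(host, "." + ALLOWED_HOST)) {
    return "DIRECT";
  }
  return NULL_PROXY;
}

// proxy.pac / wpad.dat for everyone else: internal names stay DIRECT,
// the rest of the internet goes through the real proxy.
function FindProxyForURLGeneral(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  return REAL_PROXY;
}
```

As fault noted earlier in the thread, an auto-config URL only constrains browsers that honour the IE settings; treat the PAC file as a convenience and the firewall or proxy ACL as the actual control, and keep the web server that hosts the .pac files writable only by administrators, since whoever can edit them chooses where every client's traffic goes.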


Using the user's login, I have tried creating a new Word document on the desktop. However, it is not reflected in the user's server folder. Could I have missed some settings, or is it supposed to be stored locally? The fact is that I have redirected the desktop to a folder on my server, D:\.....\users\john\desktop

Ok, so you've established that the redirection isn't working. Now to figure out why, try these common troubleshooting steps:

  • Check the Event Log: Right click My Computer > Properties > Manage > Event Viewer
  • Run RSOP to determine/confirm which policies are actually being applied: Start > Run > rsop.msc
  • Did you check the permissions on the redirected path?
  • ...

That means any users (be it the same policy group or another) can log in and they would only be seeing the items in that path, right?

Yes, shortcuts placed on the Desktop in the All Users profile will be visible for any user logging onto that local machine. The exception is if you apply some crazy permissions to these shortcuts so that some users/groups won't be able to read them or if you disable "show common files/entries" (or something like that; it's one of the group policies). The latter is quite useful in circumstances where you don't want any items showing up from the All Users profile.

I am using a .bat file for logon, and I have no idea what it does.

It's just a file that executes some commands at user log on time. There is a tonne of information on Google about batch files :) But this should get you started and you can modify it as you wish...

IF NOT EXIST "C:\Documents and Settings\All Users\Desktop\MyShortcut.lnk" COPY "\\SERVER\Public\MyShortcut.lnk" "C:\Documents and Settings\All Users\Desktop\MyShortcut.lnk"

Read up on it, try out some examples, and test test test...

Where can I check the event log?

As mentioned above, Right click My Computer > Properties > Manage > Event Viewer.

Edited by fault

Ok, so you've established that the redirection isn't working. Now to figure out why, try these common troubleshooting steps:

  • Check the Event Log: Right click My Computer > Properties > Manage > Event Viewer
  • Run RSOP to determine/confirm which policies are actually being applied: Start > Run > rsop.msc
  • Did you check the permissions on the redirected path?
  • ...

I have the following error message when I try to open rsop.msc:

RSOP data is invalid because data corrupted, data deleted or data never created.

These are the errors I have when I check the event viewer.

Application: Attempt to determine whether user and machine accounts are in the same forest failed ( the interface is unknown) source : userenv

System: Kerberos subsystem encounter a PAC verification failure. This indicates that the PAC from the client DDE07$ in realm SCHOOL had a PAC which failed to verify or ws modified. source: kerberos

All other stations are working fine except 2 with these error messages. What could have been the problem?


I have the following error message when I try to open rsop.msc:

RSOP data is invalid because data corrupted, data deleted or data never created.

These are the errors I have when I check the event viewer.

Application: Attempt to determine whether user and machine accounts are in the same forest failed ( the interface is unknown) source : userenv

System: Kerberos subsystem encounter a PAC verification failure. This indicates that the PAC from the client DDE07$ in realm SCHOOL had a PAC which failed to verify or ws modified. source: kerberos

All other stations are working fine except 2 with these error messages. What could have been the problem?

Look up the error message event IDs in the Microsoft KB or another good resource is http://www.eventid.net where other users have given their solutions.

Failing that, if these are the only machines experiencing the problem and they're configured exactly the same as the others, most (large) organisations wouldn't bother with the problem and just reimage (unless you really do have the resources to sit down and figure it all out).


Look up the error message event IDs in the Microsoft KB or another good resource is http://www.eventid.net where other users have given their solutions.

Failing that, if these are the only machines experiencing the problem and they're configured exactly the same as the others, most (large) organisations wouldn't bother with the problem and just reimage (unless you really do have the resources to sit down and figure it all out).

Thank you very much fault, you've been a great help. The link provided helped solve my problem. (Y) Cheers

For the benefit of those that have the same problem, I'd like to paste the solution to my problem here...

Dietmar Foltz (Last update 1/11/2005):

In my case the Workstation service was disabled, the Computer Browser and NetLogon service were not started. After enabling and starting these services the problem was solved.

Source: http://www.eventid.net/display.asp?eventid...ros&phase=1
