Local computer policy for domain computer

  • Question

  • I must re-format 15 identical lab computers with Windows XP Pro SP3. All of the computers require identical
    settings & restrictions.  The computers are part of a domain, but I do not have control of domain policies. I am
    working directly on the computers, not remotely. Users log in to the computers with individual domain-authorized log-ins & passwords. I can’t create user accounts for the domain. I have created a custom console with MMC (GPOE>Local Computer Policy>Computer & User Configurations) & customized IE 8, but I think the “User Configuration” options apply only to a specific user login—not all users. I have added Windows SteadyState & the adm template that comes with it to see if I can get features applied to everyone who logs on, but it doesn’t appear to be working. Can you help me tweak the admin templates, or locate settings that will do the following for all users (If I can exempt myself that would be great, but I can log on to the computer as the local Administrator, if necessary.):
    Users log-in to the domain computer with CTRL + ALT + DEL
    Apply custom wallpaper to all users
    Automatically open IE 8 to specific URL with shortcuts to specific URLs for all users (Internet access is limited to these sites; Override password may be entered by librarian to access other websites; Access to social networking sites is disabled.)
    Users may save webpages, documents, etc. to a USB device or CD-ROM.
    Users may print to a networked printer already configured & installed.
    Log-off user after 15 minutes of inactivity & re-start the computer.
    Prevent and/or do not save any changes to the computer configuration, settings when shutdown.
    Prevent and/or do not save documents to the hard drive when shutdown.
    Configure automatic updates of Windows, Microsoft Office, & McAfee

    Currently, the computers have Centurion Cornerstone, but it prevents automatic Microsoft updates—though it allows McAfee to update.  Don’t know how to write script that would allow Microsoft updates.  Perhaps this is easier to do with Windows SteadyState? 
    Thursday, January 21, 2010 7:29 PM

Answers

  • Hi taurus2u, to apply group policy, please pay attention to the following points:

    SCTSettings.adm is a group policy template. When you link it to the OU, the related registry keys which hold the restrictions will be copied to the clients automatically.

    Please also understand that as the settings included in SCTSettings.adm are user configuration settings, the restrictions will be applied to the users in the OU. The result is that wherever the user logs on, the restrictions will be applied. If you would like to enable these restrictions only when users log on to the specific computers, we can add these computers to an OU and then use the loopback feature of group policy to deploy the user configurations to the computers in the OU.

    The configuration can be found under:

    [Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode]

    Here is a related article:

    231287 Loopback Processing of Group Policy
    http://support.microsoft.com/?id=231287

    As the group policy will apply to all the users who log on to the computers in the OU, the following article will be helpful if you would like to bypass administrator accounts.

    How To Keep Domain Group Policies from Applying to Administrator
    http://support.microsoft.com/?id=315675

    You can also check the following articles:

    Using Software Restriction Policies to Protect Against Unauthorized Software
    http://technet.microsoft.com/en-us/library/bb457006.aspx

    Core Group Policy Tools and Settings
    http://technet.microsoft.com/en-us/library/cc784165(WS.10).aspx

    Hope this helps!


    Sean Zhu - MSFT
    Friday, January 22, 2010 5:44 AM
    Moderator
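
Added example (not part of the reply above and not Microsoft's code): a PowerShell check to run locally on one lab computer after the loopback policy has been linked to its OU, reading the registry value the policy writes and mapping it to the mode names. It assumes PowerShell is installed on the XP SP3 machine; the helper name Get-LoopbackMode and the output file name are hypothetical.

```powershell
# Added example. Reads the value that the "User Group Policy loopback
# processing mode" policy writes on the client. Run as a local administrator;
# run "gpupdate" first if the GPO was linked only recently.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-LoopbackMode {            # hypothetical helper name
    param([string]$Path = $PolicyKey)
    # A missing key or value means the policy has not reached this computer.
    $p = Get-ItemProperty -Path $Path -Name UserPolicyMode -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotConfigured' }
    switch ([int]$p.UserPolicyMode) {
        1       { return 'Merge' }
        2       { return 'Replace' }
        default { return "Unexpected value $($p.UserPolicyMode)" }
    }
}

$mode = Get-LoopbackMode
switch ($mode) {
    'Replace' {
        Write-Output 'Loopback: Replace. Only the user settings from GPOs that apply to this computer are used.'
    }
    'Merge' {
        Write-Output "Loopback: Merge. The user's own GPOs apply first, then this computer's user settings, which win on conflict."
    }
    'NotConfigured' {
        Write-Output 'Loopback is not configured here. Check that the computer account is in the OU and that the GPO is linked.'
    }
    default {
        Write-Output "Loopback: $mode. Review the GPO setting."
    }
}

# Save the user-scope Resultant Set of Policy for the logged-on account so the
# applied GPOs can be compared between a domain user and the administrator.
$report = Join-Path $env:TEMP 'gpresult-user.txt'   # hypothetical file name
gpresult /scope user /v | Out-File -FilePath $report
Write-Output "User-scope policy report written to $report"
```

Running it once as an ordinary domain user and once as the exempted administrator shows whether the restrictions follow the computer and whether the administrator bypass took effect.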

All replies

  • Thank you Sean for your very informative response.  I am going to study the documents & settings that you mention and see if I can accomplish most of what I envision.  Creating an OU of the lab computers seems like the best place to start.  Just one question before I get too excited, can I create an OU from one of the lab computers, remotely from another PC, or must it be done at the server level?

    taurus2u
    Monday, February 8, 2010 4:10 PM