Win2K Pro user-specific standalone workstation policies: not doable?


John Faughnan

Jan 2, 2002, 10:58:56 AM1/2/02
I've been looking for information on setting up user-specific policies
on a standalone Windows 2000 professional workstation. I've done
similar things on a Windows 98 workstation (see
http://www.faughnan.com/policies.html), but since that workstation is
also the family file server I'd like to move it to Windows 2000.

Web and usenet searches on this topic have returned extensive
references on Active Directory, Windows NT domain based policy
controls, intellimirror technology, and group policy editor ... but
NOTHING that allows one to create user-specific policies on a
standalone workstation.

The closest usenet thread is one I'm replying to in this message [1];
that thread contained some nice references to Microsoft group policy
documents, but nothing for a standalone workstation.

I do know that one can type mmc at the command line, launch
Microsoft's Management Console, and add a snap-in from group policy
editor that allows one to create a user policy on the local machine.
HOWEVER, that user policy seems to apply to ALL users, I cannot see
how to create a policy for a specific user or group of users. [2] The
only suspicion I have left to explore is that one can somehow use a
login script to create user-specific policy restrictions.

I am beginning to suspect that Windows 2000 was simply not designed to
support user-specific policies on a single workstation that is part of
a workgroup rather than a domain. I am also beginning to suspect that
the right way to do this is to cough up the money (and take the large
performance hit) for Windows XP Professional (since I want the machine
to be my home file server as well as a workstation).

Does anyone have any thoughts or suggestions? I'll add the comments to
[2]. My current thinking is that I should stay with Win98 and accept
the instability or move to XP Professional and accept the performance
hit (put 500+MB in that machine).

Thanks!

john faughnan
jfau...@spamcop.net
www.faughnan.com

[meta: jfaughnan, jgfaughnan, english, microsoft, win2K, windows 2000,
policy editor, poledit, workstation, standalone, stand-alone, access
control, security, privileges, users, multi-user, multiuser]

[1] http://groups.google.com/groups?hl=en&lr=lang_en&threadm=811e01c16887%24eb7d84f0%24b1e62ecf%40tkmsftngxa04&rnum=1
[2] Ironically Windows 95 and Windows 98 are, in this sense, much
better multi-user operating systems than Windows 2000! See
http://www.faughnan.com/policies.html.

Andreas Kjellman [MSFT]

Jan 2, 2002, 3:24:20 PM1/2/02
There is no such thing as a user-based GPO on a local machine; that's why you
can't find any information on the topic. If you need to use GPOs per user
you must have a domain to support it. The GPOs on a local machine are, as
you have discovered, on a machine basis only and apply to all users.

That is true for WinXP Pro as well. You must have a domain for user-based
GPOs to work. The best thing you can do is to just give your family members
user/guest access and not admin privs.

If you MUST have it for XP/W2k, you'll have to use a workaround (like the
logon-scripts), but it is not a straight-forward built-in solution.

/Andreas

--
This posting is provided "AS IS" with no warranties, and confers no rights.
To correspond with me directly, remove the 'online' from my alias.


"John Faughnan" <jfau...@spamcop.net> wrote in message
news:5c0dbfb4.02010...@posting.google.com...

John Faughnan

Jan 5, 2002, 6:14:01 PM1/5/02
"Andreas Kjellman [MSFT]" <andkjel...@microsoft.com> wrote in message news:<uD6D1t8kBHA.224@tkmsftngp07>...

> There is no such thing as user-based GPO on a local machine, that's why you
> can't find any information on the topic. If you need to use GPOs per user
> you must have a domain to support it. The GPOs on a local machine are, as
> you have discovered, on a machine basis only and applies to all users.
> That is true for WinXP Pro as well. You must have a domain for user-based
> GPOs to work. The best thing you can do is to just give your family members
> user/guest access and not admin privs.

Wow. I'd suspected that it wasn't supported in Win2K without a domain,
but I assumed that user-specific policies would be essential in a
multi-user OS. It does seem that in some ways Windows 95 was a
"better" multi-user OS than XP! (Of course changes made to active
desktop and IE partly broke the policy protection that was part of
95.)

Andreas, am I missing something important? Why did Microsoft decide
not to provide user policies for home users of XP? Do you know if OS X
provides this?

What do you think?

Thanks!

john

Andreas Kjellman [MS]

Jan 6, 2002, 4:38:05 PM1/6/02
In Windows XP Home edition there is no support for domains/GPOs at all; you
must use Windows XP Pro to get that. (Just so you don't run off and buy
the wrong version.)

I can't say I really know why there isn't support for local GPOs applying to
local user accounts. My humble guess is that GPOs are designed for business
use, and they use a domain and not local user accounts. It was just too
difficult to implement.

There is one thing you can do if what you want is for yourself to have full
control and the other family members to only get limited access. The GPOs
are actually stored in %systemroot%\system32\GroupPolicy. So if you set up
the limitations you want for your family and then change the access rights on
this folder and remove yourself (that is, remove Administrators) from that
folder, the settings will not be applied to your account. If you have access
rights to this folder, you will get the settings; if you can't read it the
settings will not be applied. Make sure you remove the Administrators group
and do not deny them access. If you later need to change it you must take
ownership of the folder as admin, and that will be difficult if you are
denied access.

I'm sorry, but I can't discuss future operating systems in a public area.

/Andreas




"John Faughnan" <jfau...@spamcop.net> wrote in message
news:5c0dbfb4.02010...@posting.google.com...
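The folder-ACL workaround Andreas describes, as an added example that is not part of this thread. It is written in PowerShell (which Windows 2000 did not ship with, so it assumes a later Windows or a machine with PowerShell installed, run from an elevated session) and uses the folder path from the post; the group names are the standard built-in ones.

```powershell
# Added example, not from the thread: apply the local-GPO folder ACL workaround
# Andreas describes and verify the result. Assumes an elevated PowerShell
# session and the folder path given in the post.
$GpoPath = Join-Path $env:SystemRoot 'system32\GroupPolicy'
$Admins  = 'BUILTIN\Administrators'

function Remove-AdminsFromLocalGpoAcl {
    param([string]$Path)
    # Step 1: stop inheriting from system32 but keep copies of the inherited
    # entries as explicit ones, and persist that first: entries still flagged
    # as inherited cannot be removed in memory.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    # Step 2: remove, rather than deny, the Allow entries for Administrators.
    # A Deny entry would also get in the way of taking ownership later,
    # which is exactly the trap the post warns about.
    $acl = Get-Acl -Path $Path
    $adminAllow = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Admins -and $_.AccessControlType -eq 'Allow' })
    foreach ($ace in $adminAllow) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-LocalGpoAcl {
    param([string]$Path)
    $rules = @((Get-Acl -Path $Path).Access)
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadData
    [pscustomobject]@{
        Path              = $Path
        # Administrators hold no Allow entry, so their user settings are skipped.
        AdminsRemoved     = -not ($rules | Where-Object {
            $_.IdentityReference.Value -eq $Admins -and $_.AccessControlType -eq 'Allow' })
        # No Deny entries at all: the post's "remove, don't deny" rule.
        NoDenyEntries     = -not ($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
        # SYSTEM and Users keep read access, so the policy still loads for the family.
        SystemKeepsAccess = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' })
        UsersKeepRead     = [bool]($rules | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (($_.FileSystemRights -band $read) -ne 0) })
    }
}

Remove-AdminsFromLocalGpoAcl -Path $GpoPath
Test-LocalGpoAcl -Path $GpoPath | Format-List
```

All four checks should report True after the change; if AdminsRemoved is False, Administrators still get the restrictions, and if NoDenyEntries is False, the admin may later be locked out as the post warns.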
