Group Policy lock down

  • Thread starter Thread starter James
  • Start date Start date
J

James

I have mobile laptops that I need to apply a group policy to. They will
never be on a domain. I have checked the steady state utility and Doug
security console. Neither of them give me the results I'm looking for. I
have also found a MS KB article 293655 which applies to Windows 2000 Pro,
this article discribes what I want to do but, I can't get it to work on
Windows XP Pro SP2. Any ideas?
 
James said:
I have mobile laptops that I need to apply a group policy to. They will never
be on a domain. I have checked the steady state utility and Doug security
console. Neither of them give me the results I'm looking for. I have also
found a MS KB article 293655 which applies to Windows 2000 Pro, this article
discribes what I want to do but, I can't get it to work on Windows XP Pro SP2.
Any ideas?

I haven't tried that procedure in some time but while it's a bit cumbersome to
configure, it does work in XP.

Another approach you can take is to assign the Deny permission to the
Administrators group for the C:\Windows\System32\GroupPolicy folder.

Take a look at these articles for more info.

The Most Frequently Asked Question About Group Policy in a Workgroup Situation
http://www.theeldergeek.com/gp07.htm

Lockdown by group using Local Computer Policy without Active Directory
http://www.windowsnetworking.com/kb...ocalComputerPolicywithoutActiveDirectory.html

It also helps to put shortcuts to gpedit.msc and the C:\WINDOWS\System32 folder
on the desktop of the admin account. Also, take note of the tip in the second
article about disabling settings from being enabled immediately.

Good luck

Nepatsfan
 
Thanks. That looks like what I'm looking for. A follow up question... I
have had success installing apps and moving files with bat files. Is it
possible to "export" the Group Policy and 1) copy it to each laptop and 2)
"automatically" (via the bat file) set the security on the "Group Policy"
folder via a bat file? Thanks again for all of the help.
 
As I said in my initial response, it's been a while since I've had need to work
with this procedure. And when I did, it only involved two computers and a few
settings so there wasn't that great a need to know how to replicate the
configuration.

I went through my notes on the subject and couldn't find anything that addresses
the issue you raise. That said, I seem to recall hearing that you should be able
to copy the Local Group Policy settings from one computer to another.

I suspect that using a .bat file would somehow involve having to invoke the
gpupdate command to apply the GP settings and the cacls command to configure the
permissions on the folder. Since this is a guess, and probably not a very good
one, you might want to post your question to the microsoft.public.group_policy
newsgroup. Hopefully, someone there will have an answer for you.

Good luck

Nepatsfan
 
Back
Top