Security Template Problems

  • Thread starter Thread starter Ben Blackmore
  • Start date Start date
B

Ben Blackmore

Hi,

I imported the securews.inf security template into a test group policy,
after testing I've found a few settings that I think I need to change, but
not sure which they are.

1. We set which wallpapers users get on their desktops, these are located on
our public drive (p:\wallpapers) all users have full control over this
drive. After applying the security template, some users wouldn't get the
wallpaper, just a blank desktop.

2. We map 3 drives on the users PC via a log on script, P: (public) H:
(home) and T: (templates), if the users go to my computer they can access
the drives, however if you enter the drive in the address bar (p:\ or h:\
etc) it says

"Access to resource P:\ has been disallowed"

This even happens on the C:\ & D:\ drives. I've been searching the microsoft
support pages and I found this, which
looks like the problem I'm getting

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q250915

It says to install the latest service pack for IE 5.01, however the machies
this is happening on are running ie6 with all service packs installed. Is
there any other work around for this?

Also is there anyway to set a users desktop appearance? Some have changed
their font type, and toolbar colours!

Cheers

Ben
 
Instead of pointing Users to P: drive for their wallpaper you should use a
UNC like \\server\share\wallpaper.jpg

If the P: drive is slow to map they will not get wallpaper.

"Access to resource P:\ has been disallowed" could be due to the system.adm
file having been overwritten within the policy by an older version. From a
Windows XP SP1 machine open mmc > File > Add/Remove Snap-in > Add > Group
Policy Object Editor > Add > Browse... > Expand the OU containing the policy
you want to edit > select the policy and click Finish > Close > OK.

Right-click Administrative Templates and select Add/Remove Templates > Add >
select System.adm from the XP machine's local INF folder. Say Yes to
replace the existing file.

Edit the policy from the XP machine.

First, set "Remove Run menu from Start Menu" to Not Configured and apply the
policy. After logoff and back on verify you can access the drives. Edit
the policy again from a Windows XP machine and set "Remove Run menu from
Start Menu" back to Enabled. Reapply the policy again and verify the drives
are still accessible and that Run is removed from the Start Menu.

Group Policy does not provide a method to force appearance. It enables you
to lock down access to Control Panel and other areas so that these changes
cannot be made by users.

To change settings back to a default you may need to look at scripting the
changes you want applied to all users who were allowed to change the default
settings.
 
Hi,

Thanks for the reply.

I've set the new UNC path for the wallpaper, so I'll see if that sorts it
out.

As for the rest, is it possible to do it without XP? Maybe download an
update for 2000 or something? Its just we don't run XP here, the company
standard is 2000. If not I'll look into buying a version, or maybe getting a
trial version I can do it from.

Cheers

Ben
 
Not a problem. I shouldn't have assumed your workstations were on XP.

If you have SP4 installed on your DCs you can open the Group Policy and
select Add/Remove Templates > click Add and select System.adm. If the
System.adm is newer than the current one go ahead and Replace. See if this
helps the "access to resource..." error. Once the adm file is replaced try
setting "Remove Run menu from Start Menu" to "Not Configured", click Apply
and then set it right back to Enabled and click Apply.

After the policy change replicates to all DCs make sure to log the user off
and back on and verify you can access mapped drives.
--
David Everett
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top