Server-based group policy without active directory?

gruvn

Aloha folks,

I hope this is the right place to post - I’m mostly interested in
group policy as it relates to Server 2003, but this is the only group
policy forum I saw...

Anyways, I’m in a bit of a pickle. I’m trying to figure out how to
enable roaming user profiles for our office where anyone can sit down
at any computer, log in, and receive access to the specific
information/network folders that they have been granted access to.
The policy information itself should be stored on our server (win
server 2003). Workstations are a mix of Windows XP professional and
Windows 2000.

The catch is that we do not have active directory, and I’m not to
install it.

Our campus IT guy claims this can be done, but almost everything I’ve
seen suggests otherwise. I had almost given up hope when I found that
you can do exactly this for Win NT...

Maybe some of you have seen this, but by adding a "NetworkPath" key
with the path to your ntconfig.pol file within
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update,
and changing UpdateMode from "1" to "2", you can force a
workstation to look to the provided path for user settings.

If this can be done for NT, I figure that something similar could
probably be done for 2000. I’d like to take advantage of the more
robust group policies of windows 2000+ rather than using NT... also,
the method above seems to require that every single user must have a
user profile on every single machine, which is not ideal...

I have administrative access to all workstations as well as the server
and have no problem sitting down at each workstation to edit the
registry similar to what I described above, but I would rather not
have to manage a set of policies for each individual workstation - one
for the whole network would be ideal.

In one sentence: How can I set up a policy on our win 2003 server
(that takes advantage of groups) to deploy different content to any
network workstation in the office depending on who is logged in
without active directory?

Thanks for reading!
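
Added example, not part of the original post: a batch script that checks whether a workstation's Update key matches the NT-style setting described above, and only writes it when run with /fix. The path \\SERVER\NETLOGON\ntconfig.pol is a placeholder, and the parsing assumes the output layout of the reg.exe that ships with Windows XP and later.

```batch
@echo off
setlocal
rem Added example. WANT_PATH is a placeholder; set it to your own policy file.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Control\Update"
set "WANT_PATH=\\SERVER\NETLOGON\ntconfig.pol"
set "MODE="
set "POLPATH="

rem Read the current values. Assumes reg.exe prints: name, type, data.
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v UpdateMode 2^>nul ^| find "REG_DWORD"') do set "MODE=%%B"
for /f "tokens=2,*" %%A in ('reg query "%KEY%" /v NetworkPath 2^>nul ^| find "REG_SZ"') do set "POLPATH=%%B"

echo Current UpdateMode : %MODE%
echo Current NetworkPath: %POLPATH%

rem UpdateMode 2 = manual mode: the policy file is read from NetworkPath.
if /i "%MODE%"=="0x2" if /i "%POLPATH%"=="%WANT_PATH%" (
    echo OK: this workstation already reads policy from the expected file.
    exit /b 0
)

rem Report only by default, so the script can be used as an audit.
if /i not "%~1"=="/fix" (
    echo MISMATCH: re-run with /fix as an administrator to correct it.
    exit /b 1
)

rem Write both values; stop with a distinct exit code if either write fails.
reg add "%KEY%" /v UpdateMode /t REG_DWORD /d 2 /f >nul || exit /b 2
reg add "%KEY%" /v NetworkPath /t REG_SZ /d "%WANT_PATH%" /f >nul || exit /b 2
echo Updated: UpdateMode=2, NetworkPath=%WANT_PATH%
exit /b 0
```

Because every workstation configured this way loads whatever policy file sits at that path, the share holding it should be writable by administrators only.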
 
Firstly, what is the point of having a network with a server if active
directories are not installed? You just have a glorified peer-to-peer
network. The thing is with active directories you can write a logon script,
.bat file with an entry like - net use h: \\server\%username%$ - to map
network drives to the user wherever he logs on. (use the $ share to hide it
from other users)
You could put the above in every pc's startup and get the same results.
Hope this is helpful.
Regards
 
Hey Johan,

Our office is part of a much larger organization, and apparently the
main organization is going to implement AD in the future. We were
told that if we implement AD ourselves, we will likely have to
"reinstall everything" if and when we are added to the main
organization’s AD. I admit that it sounds fishy, but I don’t know
much in this area, but I do know that I have several large
applications that I have no desire to reinstall....

If you understand things differently, please enlighten me (or send me
some links that I might enlighten myself).

Regarding your mention of the bat files for individual computers...
Are you saying I CAN do that now, without AD? Can I only use it to
map drives, or could I also control access any aspects of group
policy?

I really appreciate your help - again - I’m not against AD, I’ve just
been told not to use it.


Thanks!
 
Hi,

gruvn said:
The catch is that we do not have active directory, and I’m not
to install it.

Why not? Seems pretty silly to pay all that money for Windows 2003
server and use it like a workstation. Peer to Peer networks went out
with the dark ages.

As users get local profiles if there is not a domain, your only hope
would be to redirect the My Documents on the Local Users profiles to
point to the server.

Cheers,

Lara
 
Agreed - I’m starting to realize how silly it is.

I think I’ll start pressing for installing AD, but first I’m going to
have to investigate how hard it *really* is to join one AD system
with another. I really doubt that we’ll have to "reinstall
everything".

Thanks everyone -- I’m off to the FAQs!

Mike
 
Hi Mike,

I understand now what your issue is. Let me explain why I think they
are holding you off. The "issue" with AD is that the 1st
installed Domain becomes the Forest "King". Therefore the very first
Domain installed is considered the "forest" and you can only
"join" an existing forest with other Domains.

Therefore if you installed AD then the Head Office installed AD, they
would be two "separate" forests that couldn’t really "Join".

However, there is now this amazing tool called the Active Directory
Migration Tool that migrates computers, users etc. from One
Domain/Forest to another.

You wouldn’t have to uninstall any of your Apps or Windows 2003. The
WORST case scenario is you would just have to "uninstall" active
Directory. The regular situation would be just that you would migrate
All your Users and computers from your AD Forest to the Head Office
Forest when the time came and then just uninstall Active Directory like
you installed it.

However, IF you are running at a separate location etc. they may
decide it is even in the best interest to leave you your own Domain.
Authenticating over long distance/the Internet can be an issue.

Please please read up on DNS and AD before you start though. You need
a working DNS name, preferably with a .local extension (for simplicity
and to not confuse with the external Internet names).

Cheers and good Luck

Lara
 
Hey Lara,

Thanks for taking the time. I’m grateful for your explanation - I was
beginning to think I was crazy!

Thanks for the guidance - I will do some more reading.

mike
 