Group Policy: Applying a 'master' set of policies in a non-AD environment

In this series, expert Jeremy Moskowitz helps readers with such issues as using Group Policy to force all PC homepages to a specific Web site and using a registry key to monitor security template changes.

The following is a collection of expert responses to reader questions by Jeremy Moskowitz.


When using Group Policy for Windows Server 2003, is there a way to force a user's desktop to follow them from PC to PC as they log on? I have searched and don't seem to be able to find this. I would appreciate any advice you could give.

Jeremy Moskowitz: The answer you seek is called "Roaming Profiles." Microsoft has some basic documentation on Roaming Profiles here, but I've documented the heck out of how they actually work, live and breathe in my Group Policy book at GPanswers.com. Only caveat -- don't use Windows XP or Windows 2000 roaming profiles and expect to be able to roam alongside with Windows NT and Windows 95 clients. That doesn't work so well.

If I take a Windows 2000 or XP standalone workstation and make a range of changes using gpedit.msc, how can I then export those changes so that they can subsequently be applied to other standalone workstations? I am talking here in the context of applying a 'master' set of policies to a number of computers so that they are the same in a non-AD environment.

JM: While there is a way to do this, I'm hesitant to describe how to do it. It's 100% unsupported from Microsoft, so to give you "unsupported" advice means we're entering a slippery slope together. However, one way of addressing a part of the problem is by security templates. Security templates are a "portable security knowledge" which you can create on one workstation then, if you want, walk around to the rest of your workstations and also apply. There is a good Microsoft article here about the "built in" security templates and also how to create your own and apply them as you see fit.

Is there a way using Group Policy to force all PC homepages to be set to a specific Web site? I have searched with no luck. Any advice would be greatly appreciated.

JM: If you're talking about the Internet Explorer home page, then, sure! That's User Configuration | Windows Settings | Internet Explorer Maintenance | URLs | Home Page URL. While you're there, check out Administrative Templates | Windows Components | Internet Explorer | Disable changing home page settings to ensure that users cannot change it once you've set it.

I am rolling out a security template through Group Policy for 4,000 desktops. I would like to add a registry key into each desktop to indicate the version of security template which I have rolled out. In case any other admins replace the security template, I would know by using this unique registry key. Also, by using this registry key, I would know the number of desktops deployed with the desired security template.

JM: Sure, it's possible to plunk in your own registry key using security templates, but I don't think your ultimate goal is going to be achieved. To me, it sounds like prevention is the most important thing you'll want to perform here. That is, the prevention of other admins stomping over the security template you lay down on those 4,000 desktops. In short, admins are admins, and registry key or not, there's nothing you can do really to stop a fellow admin if he's set on changing it.
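
The security-template workflow from the two answers above (carrying a template from a reference workstation to other standalone machines, and stamping a version marker), shown as an added PowerShell example that is not from the original article. The file path, registry key, version label and function names are hypothetical; it assumes an elevated session on a Windows version that has PowerShell alongside secedit.exe, and it covers only the Security Settings area, not everything that can be set in gpedit.msc.

```powershell
# Added example; the path, registry key and version label below are hypothetical.
$Template  = 'C:\SecTemplates\master.inf'
$MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\SecurityTemplate'
$Version   = 'master-r1'

function Export-MasterTemplate {
    # Run once on the reference workstation: dump its current security settings.
    secedit /export /cfg $Template /areas SECURITYPOLICY | Out-Null
}

function ConvertFrom-SecurityInf([string]$Path) {
    # Flatten "[Section]" / "Name = Value" lines into a "Section\Name" -> value table.
    $section = ''; $table = @{}
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=;]+?)\s*=\s*(.*)$') {
            $table["$section\$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    $table
}

function Install-MasterTemplate {
    # Run on each standalone workstation: apply the template, then stamp the marker.
    $db = Join-Path $env:TEMP 'master.sdb'
    secedit /configure /db $db /cfg $Template /overwrite /quiet /areas SECURITYPOLICY
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE)" }
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name 'TemplateVersion' -Value $Version
}

function Test-TemplateDrift {
    # Compare the live settings with the master. The marker is reported but not
    # trusted: a local administrator can change policy and leave the marker alone.
    $live = Join-Path $env:TEMP 'live.inf'
    secedit /export /cfg $live /areas SECURITYPOLICY | Out-Null
    $want = ConvertFrom-SecurityInf $Template
    $have = ConvertFrom-SecurityInf $live
    $drift = foreach ($k in $want.Keys) {
        if ($have[$k] -ne $want[$k]) {
            [pscustomobject]@{ Setting = $k; Expected = $want[$k]; Actual = $have[$k] }
        }
    }
    $marker = (Get-ItemProperty -Path $MarkerKey -ErrorAction SilentlyContinue).TemplateVersion
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Marker = $marker; Drift = @($drift) }
}
```

Collecting the `Test-TemplateDrift` output from each desktop gives both the count of machines carrying the expected marker and the list of settings that no longer match the master.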

I would like to use Group Policy to enforce and append security groups to the local administrators group. Using logon/logoff scripts through GPO is only effective if the user has local administrative access. This solution does not work for our situation. Using GPO settings to add groups to the local administrative group is a re-write of the local group and I need this to append and not overwrite.

JM: What you're describing is called Restricted Groups, and, you got it -- it's seemingly not possible to make Restricted Groups' most useful feature be "additive" (or, more accurately, "augmentative.") That is, most people want to use it to add _additional_ members to an existing group. But that's not how the "Members of this group" function works. Rather, it "rip and replaces" existing members. So, it's not ideal in every situation.
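
A pre-deployment check for the "rip and replace" behavior described above, as an added PowerShell example that is not from the original article: it compares a local group's current members with the list you intend to put in "Members of this group" and reports which existing members the policy would drop. The function name and the `EXAMPLE\Desktop Admins` group are hypothetical, and `Get-LocalGroupMember` assumes PowerShell 5.1 or later.

```powershell
# Added example: preview the effect of a Restricted Groups "Members of this group"
# list on a local group. The default $Desired list is constructed for illustration.
function Get-RestrictedGroupImpact {
    param(
        [string]$Group = 'Administrators',
        [string[]]$Desired = @('EXAMPLE\Desktop Admins', "$env:COMPUTERNAME\Administrator")
    )
    # Current members as DOMAIN\name or COMPUTER\name strings.
    $current = @(Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Group   = $Group
        # Already present and listed in the policy: unchanged.
        Kept    = @($current | Where-Object { $Desired -contains $_ })
        # Present today but not listed: the policy removes these.
        Removed = @($current | Where-Object { $Desired -notcontains $_ })
        # Listed but not present today: the policy adds these.
        Added   = @($Desired | Where-Object { $current -notcontains $_ })
    }
}

Get-RestrictedGroupImpact | Format-List
```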

Jeremy Moskowitz, a Microsoft Most Valuable Professional (MVP) and Microsoft Certified Systems Engineer (MCSE), is an independent consultant and trainer for Microsoft Windows technologies. He runs two community forums, www.GPanswers.com and www.WinLinAnswers.com, that answer tough questions about Group Policy and Windows/Linux integration. Jeremy's latest book, Windows and Linux Integration: Hands-on Solutions for a Mixed Environment (Sybex, 2005), is available at WinLinAnswers.com. His popular book, Group Policy, Profiles, and IntelliMirror (Sybex, 2005) is available at www.GPanswers.com.

This was first published in April 2006
