The following is a collection of expert responses to reader questions by Jeremy Moskowitz.
I am administering a Windows 2000 Server domain controller. I have installed Active Directory and login drives as Z: drive for the daily work on that domain controller. However, users who want to access the Internet have to set the proxy again and again if they sit on another system. Is there a way that I can apply proxy settings automatically on all the workstations?
Jeremy Moskowitz: Very simply, in fact. The easiest way to do this is to configure a workstation to have the correct settings for the proxy server and other details such as any sites which should bypass the proxy. Then use this machine to edit the policy settings under User Configuration Windows Settings Internet Explorer Maintenance. You can directly import the "Connection Settings" from the machine you are on if you need to, then check and edit them before clicking OK to set them in the policy.
Alternatively you can just configure the "Proxy Settings" to set the proxy server address and exceptions list (to exclude sites such as your intranet from having to go through the proxy unnecessarily). You would also want to look at the various security settings under User configuration Administrative Templates Windows Components Internet Explorer to lock down the IE interface to prevent users from changing the settings themselves.
Our office wants to use Group Policy to set file permissions on our server's shared folders. Is there a way to have different file permissions given to different OU's, such that if a new employee was hired we could drop them into an OU and be assured that his read/write file permissions to the server shared files are correctly configured?
JM: Not really, since an OU cannot be added to the DACL in any way. The best way to set these permissions would be by giving a domain local group (e.g.. ModifySalesData group) the relevant access rights to the files or folders, then adding groups containing users (e.g. SalesManagers) to these 'access' groups. When you get a new starter you would add them to a relevant group or groups to give them the access you require.
How can I restrict rights for a group of users on a specific OU of computers, but not on any computers outside of that OU?
In other words, I don't want this set of users to see the floppy drive, be able to right click, open calculator, etc., when they are using any of the machines within the OU, BUT have full access rights when they are using machines outside of the OU. All the machines and users are in the same domain. Essentially, is it possible to have a GPO (that restricts user rights extensively) apply to a group/OU of users only when they login to a specific group/OU of machines?
JM:This sounds like a classic case for using loopback policy processing. As you know, the users are getting the policies which apply to their user accounts based on where they are in Active Directory, and likewise for machines. Loopback means that you can get a machine to process policies which have user settings and apply these to users which log on to them, even though that user policy may not be linked to where the real user account is. This is perfect for things like internet kiosk machines or terminal servers which typically need very specific settings that you don't want to apply to your users normally.
So how do you set it up?
Create and link a policy to the OU where the machines are and edit it. Under Administrative TemplatesSystemGroup Policy, you want to configure the setting for "User Group Policy loopback processing mode." You need to choose a mode -- "replace" will ignore all the user's own settings and only use those settings which are in scope for the machine (so linked to your special OU), whereas "merge" will use both, and the machine's looped-back user settings will take precedence in the case of any conflict.
So here we are setting a group policy to tell Group Policy how to function! You can set the user settings you want in this same policy to keep it all together, or link specific user policies to the OU in the normal way.
How I can modify the Registry Key in Windows XP using Group Policy management? I have Windows Server 2003 and 20 XP SP2 users. I created an OU named "Test" and I linked it with a Group Policy, then edited the policy. I want to change HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\winlogon and change the value of DefaultUserName. How I can do it?
JM:Since this is not a policy setting, but a regular registry key, you would need to create a custom ADM file which will then allow you to change this key. Be warned, however, that this will only allow you to set this as a "preference" rather than a true policy. We have a lot of information about this phenomenon at GPanswers.com. Just note the setting can be overwritten by other processes, such as in the case you mention where this key is in fact written over at logon to hold the name of the last user who logged in.
If you are trying, specifically, to get the machine to log on automatically with a particular user account you would be better off using a third-party tool such as TweakUI.
If you are simply trying to hide the name of the last user who logged in you can use the policy setting at:
Computer ConfigurationWindows SettingsLocal PoliciesSecurity Options Interactive logon: Do not display last user name
Is there a way to append Domain Groups to the local "Administrators" Group of Domain Computers using a GPO, WITHOUT affecting the existing members of the aforementioned group?
I know that one can use "Restricted Groups" for that purpose, but, this will also mean that any members inside the local "Administrators" Group will be deleted and I don't want that to happen.
JM:There's no direct way to do this with Group Policy, as you rightly say the "Restricted Groups" is a wipe-and-replace operation, not incremental. One way would be to use a script to do it, although that would need to run in a context with sufficient permissions, so either using an existing user account that already has local admin rights, or as a machine startup script. The relevant command to go into a script would be:
net localgroup administrators
Jeremy Moskowitz, a Microsoft Most Valuable Professional (MVP) and Microsoft Certified Systems Engineer (MCSE), is an independent consultant and trainer for Microsoft Windows technologies. He runs two community forums, www.GPanswers.com and www.WinLinAnswers.com, that answer tough questions about Group Policy and Windows/Linux integration. Jeremy's latest book, Windows and Linux Integration: Hands-on Solutions for a Mixed Environment (Sybex, 2005), is available at WinLinAnswers.com. His popular book, Group Policy, Profiles, and IntelliMirror (Sybex, 2005) is available at www.GPanswers.com.
This was first published in November 2006