The following is a collection of expert responses to reader questions by Derek Melber.
We have recently upgraded to Windows 2003. The migration went smoothly, however my Group Policy from Windows 2000 is not migrating. Any ideas? They are there, but the clients are not seeing them.
Derek Melber: When you do a migration, was it an in-place upgrade or a side-by-side migration? If the former, the GPOs will just be there on all of the DCs still. If the latter, you will need to use a tool like the GPMC to migrate them from one domain to the other. You will need to run the GPMC on a Windows XP or Windows Server 2003 box in your old domain, since it requires these OSs. There is a built-in backup and restore option, which will allow you to move the GPOs around. You will most likely also need to use the Migration Tables in the GPMC to convert between SIDs and other references between the two domains.
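The side-by-side case described above, as an added example that is not part of the column: the same backup, import and migration-table operations the GPMC exposes, driven from the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 / RSAT and later; the 2005-era GPMC offered the equivalent through its GUI and its sample .wsf scripts). The domain names, the backup folder and the migration-table file are assumptions for illustration.

```powershell
# Added example (not from the column): move GPOs from an old domain to a new one
# with the GroupPolicy module. Domain names, paths and the .migtable file are
# assumptions; build the migration table with the GPMC Migration Table Editor.
Import-Module GroupPolicy

$backupPath = 'C:\GPOBackup'                      # assumed folder reachable from both domains
$oldDomain  = 'olddomain.local'                   # assumed source domain
$newDomain  = 'newdomain.local'                   # assumed target domain
$migTable   = 'C:\GPOBackup\old-to-new.migtable'  # assumed; maps old SIDs/UNC paths to new ones

New-Item -ItemType Directory -Path $backupPath -Force | Out-Null

# 1. Back up every GPO in the source domain (run where the old domain is reachable).
$backups = Backup-GPO -All -Domain $oldDomain -Path $backupPath -Comment 'Pre-migration'

# 2. Import each backup into the target domain. The migration table rewrites the
#    source-domain references (security filtering and delegation SIDs, restricted
#    groups, folder-redirection and software-installation UNC paths) to their
#    target-domain equivalents; without it those references still point at the
#    old domain and the settings silently fail to apply.
foreach ($b in $backups) {
    Import-GPO -BackupId $b.Id -Path $backupPath `
               -TargetName $b.DisplayName -Domain $newDomain `
               -MigrationTable $migTable -CreateIfNeeded | Out-Null
}

# 3. Verify. Import creates GPOs but does not link them, so clients will not see
#    them until each one is linked to its OU, site or domain with New-GPLink.
Get-GPO -All -Domain $newDomain | Select-Object DisplayName, Id, ModificationTime

# Linking one imported GPO (GPO name and OU path are assumptions):
# New-GPLink -Name 'Workstation Baseline' -Domain $newDomain `
#            -Target 'OU=Workstations,DC=newdomain,DC=local'
```

The unlinked-after-import step is the usual reason "they are there, but the clients are not seeing them": the objects exist in the new domain, but nothing points an OU at them.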
I came across something recently that I found a little troublesome: 99% of my users are logging into Windows 2000 terminal servers with roaming profiles. I have my Group Policy configured so that they are not allowed to save downloads from the Internet, but if they choose the Open option instead of Save, a user is able to install a downloaded program from the Internet, without having to save it anywhere first. I have my Group Policy configured so that my users do not have the privileges to install applications, also.
Am I totally missing something here? Is there a simple policy setting to disable the Open option that I just overlooked?
DM: This can typically be directed back to the fact that you are allowing the users to be administrators on the box, even in the Terminal Services session. If they are not administrators, they should not be able to install most of these applications. If all of these applications are add-ons, there are new controls for add-ons in the Group Policy settings for Windows XP SP2 and greater. I can't find any setting myself that can control the Open vs. Save issue that you are talking about.
I have worked with a Windows 2000 server for a long time and have now started to test a small business server using 2003 premium. I have two things that I can't seem to figure out.
1. I join an XP client with Service Pack 2 and all updates. The client cannot control any of the Internet settings (such as security zones). The security zone is set too high and cannot be changed. I wish to make this changeable by the user.
2. The same client cannot turn the firewall off. It's permanently on and grayed out for the 'off' option.
Maybe I am blind, but I have searched high and low in Group Policy, and cannot find where this is controlled from. I have a feeling that both problems are related to Group Policy though. Please help!!!
DM: I tend to agree that Group Policy is causing this behavior, but just in case, you will need to check the Resultant Set of Policies (RSoP) on the Windows XP client by running rsop.msc from the Run option on the Start bar. After running the RSoP, maneuver down to the following nodes to determine if these settings are being controlled by a Group Policy locally or at the Active Directory level.
Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall
User Configuration|Windows Settings|Internet Explorer Maintenance|Security|Security Zones and Content Ratings
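A complementary check to the RSoP walk above, as an added example that is not part of the column: Group Policy writes enforced settings under the HKLM/HKCU ...\Policies\... registry keys, and the Windows Firewall and Internet Explorer dialogs grey out whatever is set there. Reading those keys on the affected client shows at once whether the locked state is policy-driven; the value names are the documented policy locations for these two areas, and the "Meaning" text is this example's interpretation.

```powershell
# Added example (not from the column): read-only check of the policy registry
# locations that lock the Windows Firewall state and the IE security zones.
# A value present under a ...\Policies\... key is written by Group Policy;
# editing it by hand is pointless because the next refresh re-applies it.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # no policy value written here
}

$checks = @(
    @{ Area = 'Windows Firewall (domain profile)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
       Name = 'EnableFirewall'
       Meaning = '1 = policy forces the firewall ON; 0 = policy forces it OFF' }
    @{ Area = 'Windows Firewall (standard profile)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
       Name = 'EnableFirewall'
       Meaning = '1 = policy forces the firewall ON; 0 = policy forces it OFF' }
    @{ Area = 'IE zones: change policies (per user)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'Security_options_edit'
       Meaning = '1 = users cannot change zone security levels' }
    @{ Area = 'IE zones: add/remove sites (per user)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'Security_zones_map_edit'
       Meaning = '1 = users cannot add or remove sites in zones' }
    @{ Area = 'IE zones: machine settings only'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
       Name = 'Security_HKLM_only'
       Meaning = '1 = only HKLM zone settings apply; per-user changes are ignored' }
)

foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    $state = if ($null -eq $v) { 'not set by policy' } else { "policy value = $v ($($c.Meaning))" }
    '{0,-42} {1}' -f $c.Area, $state
}

# The Internet-zone level (zone 3) the user currently sees. CurrentLevel values:
# 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium, 0x11500 Medium-High, 0x12000 High.
$zone = Get-PolicyValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' `
                        -Name 'CurrentLevel'
if ($null -ne $zone) { 'Internet zone CurrentLevel = 0x{0:X}' -f $zone }

# To find WHICH GPO set a value, generate the RSoP report and search it:
#   gpresult /scope computer /v      (Windows XP)
#   gpresult /h rsop.html            (Windows Vista and later)
```

If every line reports "not set by policy" and the dialogs are still locked, the cause is local (a local GPO on the client, or a previously applied policy whose tattooed values were never cleaned up) rather than the domain, and the RSoP report will show no Active Directory GPO as the source.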
Can I hide the Start Menu and Taskbar per user (not computer) logon with Group Policy? This would be for a Windows 2000 environment. Any help would be greatly appreciated.
DM: There is a suite of settings to control the Start Menu sections and the Taskbar sections under the User Configuration|Administrative Templates|Start Menu and Taskbar node. These settings allow you to granularly control what the user will see at logon. These settings are not per computer, but rather per user. These settings will take effect when the user logs on to their computer, as well as at the 90 minute background refresh interval that is set within Group Policy. If this level of control is not enough, you can also look at a solution like PolicyMaker Standard Edition, which allows further control of the Start Menu.
I am using Windows 2000 Task Scheduler to run a batch file. I have changed the Group Policy entry for Local Security so that a user is authorized to logon as batch file. The task scheduler starts the job, and shows an end time, but does not execute the job (bginfo.exe).
Any ideas? Is there anywhere else that I should make policy adjustments?
DM: Each application that you launch via the Task Scheduler, either through policy or on the local computer, has its own unique permission requirements. The BGINFO application is no different. I ran the BGINFO.EXE through a scheduled task and kept the interface visible to the user. The application popped up and counted down. Then, it errored, indicating that the user did not have permissions. Upon further review, the user did not have permission to store the new bitmap to the %WinDir% directory. I changed the directory (under Bitmap|Location menu) to the local users directory. When I reran the scheduled task, it worked just fine. I did not need any special user rights.
Taking this one step further, you might want to consider deploying this in another way. For example, you could repackage this as an MSI and deploy through Group Policy software distribution, which would run at an elevated privilege. You could also look into a solution like PolicyMaker Application Security. This solution will allow you to elevate privileges for just specified applications, such as BGINFO.EXE. PolicyMaker Standard Edition also provides an easy way for you to distribute the BGINFO.EXE file through a file transfer policy.
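The diagnosis above (the task ran, but the account could not write its output to %WinDir%) generalises to any job scheduled under a restricted account, so here is an added example, not part of the column, that checks a directory's ACL for write rights of a given account and its groups before the task is registered, then registers the task with its files pointed at a folder that passed. The account name, the BGInfo path and the output folder are assumptions; the ACL check itself is read-only.

```powershell
# Added example (not from the column): verify write access for a task account
# before scheduling a job, then register the job against a writable folder.

function Test-WriteAccess {
    <# Returns $true when the ACL of $Path grants write rights (WriteData,
       AppendData, WriteAttributes or WriteExtendedAttributes, i.e. the bits in
       FileSystemRights::Write, which Modify and FullControl include) to any of
       the given principals, and no Deny ACE for them removes those rights.
       It only reads the ACL; it never creates a file. #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Principals   # account plus groups it belongs to
    )
    $sids = foreach ($p in $Principals) {
        try {
            ([System.Security.Principal.NTAccount]$p).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Cannot resolve principal '$p'; skipping it."
        }
    }
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    $allowed = $false
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
              [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # an explicit deny wins
        $allowed = $true
    }
    return $allowed
}

# Hypothetical task account and the groups it is assumed to be in.
$taskAccount = 'CONTOSO\svc_bginfo'
$principals  = @($taskAccount, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Assumed per-account output folder (the column moved the bitmap location out of
# %WinDir% into a folder the user owns; this is the same idea).
$userDir = 'C:\BGInfo\svc_bginfo'
New-Item -ItemType Directory -Path $userDir -Force | Out-Null

foreach ($dir in @($env:WINDIR, $userDir)) {
    '{0,-28} writable by {1}: {2}' -f $dir, $taskAccount, (Test-WriteAccess -Path $dir -Principals $principals)
}

# Register the task only once the folder check passed. The .bgi file (whose
# Bitmap|Location points at $userDir) and bginfo.exe path are assumptions;
# /timer:0 and /nolicprompt are documented BGInfo switches. '/rp *' prompts
# for the account's password instead of embedding it in the script.
if (Test-WriteAccess -Path $userDir -Principals $principals) {
    schtasks /create /tn 'BGInfo-Refresh' /sc ONLOGON /ru $taskAccount /rp '*' `
        /tr "`"C:\Tools\bginfo.exe`" `"$userDir\config.bgi`" /timer:0 /nolicprompt"
}
```

The check deliberately reports a Deny ACE as a failure even when an Allow ACE also matches, which mirrors how the access check in Windows evaluates explicit denies, so a folder that "looks" writable because Users has Modify will still be flagged if the account is denied on it.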
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore. He also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.
This was first published in November 2005