Group Policy on non-networked XP workstations?

By lfruchter ·
Oh help please, wise ones...

I just took charge of a school that has a pile of wifi Win XP laptops (Dells and Lenovos). The laptops connect to the Internet wirelessly through signaling stations in the classrooms, but there's no school file server and no administrative server to which I have access. I must currently administer each laptop individually. I'm planning on changing this, of course, but for now I need a quick fix.

The user Groups available on the laptops (User, PowerUser, Administrator, etc.) are not so helpful for laptops in schools. I read the useful article "Lock down user desktops with Group Policy" and was hoping to use Group Policy to modify the standard XP user accounts. The Administrative Templates appear to give me every kind of control I want, but they also seem to apply these controls to every single user. Is this accurate? I want to modify certain groups but not others. Is there a way to apply Administrative Templates to only one group?

Thanks for any help,

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Group Policy.....

I have listed some work-arounds below.

Domains vs. Workgroups
In addition to the location and use of the all-important security database, you?ll notice a number of differences?some trivial and some that can have a significant effect on the way you use Windows?when your computer is joined to a domain. Many of these changes are designed to make Windows XP work the same way that Windows 2000 Professional works in a domain environment, which eases the training and support burden on administrators. A domain-based computer running Windows XP Professional differs in the following ways from a workgroup-based computer:

Logon and logoff
Logon screen. The Welcome screen is unavailable in a domain environment. Instead, you use the "classic" logon, which prompts you to press Ctrl+Alt+Delete and then enter your user name (if it isn?t already entered from your last session) and password.

Automatic logon. In a workgroup environment, you can easily set up your computer to log on automatically so that you don?t need to enter your password. (Ironically, you use the domain version of User Accounts to achieve this. In a domain environment, you must delve into the registry to set up automatic logon. In a domain environment, a domain administrator can set up scripts that run automatically each time you log on to your computer. These scripts, which are typically stored and administered on the domain controller, can be used to provide software updates, new virus definitions, and other information to your computer; set up network connections; start programs; and perform other tasks. A computer that?s not joined to a domain can?t run domain logon scripts. Although you can create local logon scripts for workgroup computers, they?re generally less powerful and, of course, they?re not centrally managed for all computers on the network.
Forgotten passwords. With the classic logon that?s used in a domain environment, password hints aren?t available. Nor can you create or use a Password Reset Disk, which allows you to set a new password if you can?t remember your current one. A domain administrator can change the password for your domain account. Any user who is a member of the local Administrators group can change the password for any local account.
Fast User Switching. Fast User Switching, an awesome feature that allows a user to log on without requiring the current user to first log off, is not available on domain-based computers. Application compatibility and other technical issues prevent its use. For information about Fast User Switching, see "Configuring Fast User Switching."
Workstation locking. On a computer that?s joined to a domain, pressing the Windows logo key+L locks a workstation so that only the currently logged on user or an administrator can unlock it. (In a workgroup, Windows logo key+L invokes Fast User Switching.) For details about locking, see "Logging Off or Locking Your Computer."
Logoff and Shutdown screens. Instead of the big, colorful buttons that appear when you choose to log off or shut down a workgroup computer, a computer joined to a domain displays dialog boxes similar to those in Windows 2000. They serve the same function and they?re no harder or easier to use; they are simply intended to ease the transition to Windows XP for corporate users.

To shut down a domain-based computer, you select from a list and click OK. Windows displays your previous selection as the default option.
File sharing and security
Simple File Sharing. Although the option to enable Simple File Sharing remains in the Folder Options dialog box (and indeed, it?s selected by default), Simple File Sharing is not available in a domain environment.
Without Simple File Sharing, the Security tab appears in the properties dialog box for all printers and for all folders and files on NTFS drives. When you?re logged in as a member of the local Administrators or Power Users group, the Sharing tab, with which you set network access permissions, appears in the properties dialog box for all folders.

Most important, without Simple File Sharing, network users are authenticated as themselves. To access local resources, their account must be granted appropriate permissions, either directly or through their membership in a group.

Shared Documents. On computers in a workgroup environment, the local Shared Documents folder, %AllUsersProfile%\Documents, occupies a prominent place in My Computer. Particularly when Simple File Sharing is enabled, it is the default and easiest location for storing folders and files that you want to share with other users on your computer or on your network.
When your computer is joined to a domain, however, you?re likely to forget that Shared Documents exists. My Computer no longer includes a Files Stored On This Computer group. If your computer was in a workgroup and you ran the Network Setup Wizard before you joined a domain, the folder continues to be shared as SharedDocuments. If you have not run the Network Setup Wizard, the folder is not set up as a network share by default. Either way, by default only local users and groups have permissions to access the folders and files within Shared Documents. If you want to grant permissions to domain users, you should add the appropriate domain groups to the folder?s access control list (ACL). For information about modifying the ACL, see "Controlling Access with NTFS Permissions."

Network Setup Wizard. The Network Setup Wizard, which is designed to help you set up a home or small office network, does not run on a computer that?s joined to a domain. For information about the Network Setup Wizard, see "Using the Network Setup Wizard."
Network Tasks. When you open My Network Places, the links that appear in the task pane vary depending on whether your computer is part of a workgroup, a Windows NT domain, or an Active Directory domain, as shown in Figure 33-3. In addition, your options for browsing and searching the network vary. For details, see "Finding Files, Printers, and Users."
Computer and user management
User Accounts. When you open User Accounts in Control Panel, you get a different version depending on whether your computer is joined to a domain or not. The two versions have similar capabilities; the difference is more style than substance. The workgroup version follows the newer style of Windows XP, complete with graphics and links to wizard-like dialog boxes. For information about the work-group version of User Accounts, see "Working with User Accounts,"

Note that Shared Documents appears in Other Places only in a workgroup. You can browse computers in a domain by clicking Entire Network.
The domain version uses a traditional dialog box that?s nearly identical to its Windows 2000 predecessor.

Group Policy. A computer in a workgroup or in a non?Active Directory domain can use the local Group Policy Object to make a largenumber of settings and impose a number of restrictions?but these settings and restrictions apply to only a single computer, and they apply to all users on that computer. In a domain with Active Directory, many more Group Policy settings are available. More important, they?re centrally managed and they can be selectively applied to computers, users, groups, domains, and other divisions. This is a huge topic that?s covered in great depth in the resource kits for the Windows 2000 Server and Windows .NET Server families. You can learn about local Group Policy?and get a hint of the power available in domain-based policy?by reviewing "Controlling User Capabilities with Group Policy."
Miscellaneous user interface elements
Ctrl+Alt+Delete. In a domain environment, pressing Ctrl+Alt+Delete displays the Windows Security dialog box, shown in Figure 33-4, a time-honored path to options for locking, logging off, shutting down, and other tasks. In a workgroup that?s configured to use the Welcome screen for logons, pressing Ctrl+Alt+Delete opens Windows Task Manager. (In fact, this behavior is linked to the Welcome screen, not domain membership per se.)

Many longtime Windows NT and Windows 2000 users are in the habit of pressing Ctrl+Alt+Delete and then Enter to lock their workstation.

Please post back if you have anymore problems or questions.

Collapse -

Short answer is no?

by lfruchter In reply to Group Policy.....

Thanks for all the information! I did pick out the following: "these settings and restrictions apply to only a single computer, and they apply to all users on that computer."

I'm taking this to mean that there is no way to use the Group Policy Object to set different privileges for different user Groups on a non-networked workstation. Have I got this right?

Collapse -

Pretty much

by Kjell_Andorsen In reply to Short answer is no?

Well, it is possible in a domain where you can have different GPOs apply to different OUs (organizational Units within Active Directory).

Group policies were never really meant for Standalone or workgrouped computers, and while it is possible to mimmick some functionality with local group policy and security settings you are severly limited as to what you can do.

The short answer is that I can't think of a way for you to do what you say you want to do using local group policy.

Collapse -

Sort of

by IC-IT In reply to Group Policy on non-netwo ...

You can set the policy(ies) you desire and then deny access to the policies with NTFS permissions.
For a brief tutorial and other ideas, check this link.

You may want to test this program from Doug Knox. Free to test, $50 for an academic license.
Per user Group Policy Restrictions for XP Home and XP Pro

Collapse -

Thanks again!

by lfruchter In reply to Sort of

That GP hack with the copying and replacing of the settings is neat, but still only yields 2 customized states and I need at least 3. I checked out the Doug Knox utility and LOVE it. That should tide me over until I can get a proper network up and running here. Thanks to everyone!

Collapse -

Glad to help, Thanks for the Thumb <NT>

by IC-IT In reply to Thanks again!

Related Discussions

Related Forums