Re: Same question, still no answer!!!
From: pjp (pjp_is_located_at__at__hotmail_._com)
Date: Mon, 29 Mar 2004 17:21:56 -0400
Sounds then like we are all paying for a feature set only large companies
actually need, want or use. That doesn't seem right to me.
I'll state what I have , what I want and what I found.
I presently have five networked pc's running 98SE. One of them is more than
capable of being upgraded to XP Pro. In fact I've done the dual-boot then
thrown it all away in frustration 4/5 times already now. All the pc's are
networked, running both Netbuie and TCP/IP. The Netbuie for file and print
sharing and TCP/IP so I can test etc. internet stuff without having to
actually connect to Internet as I live in a rural area with only slow dialup
Two of the pc's have a dialup connection setup. The "main" pc's dialup is
used solely by itself but one of the 98SE pc's runs a proxy server to
accommadate the other 3 pc's being able to also connect to the net (they
don't have modems). The "proxy server" pc is actually an older box stuffed
with hard disks, both ide and scsi and is used primarily as a hard disk
server (for lack of a better term). Hardly ever does anyone actually sit
down and use that pc (as a side note, 98SE on it and it typically goes
months between reboots). Note none of this is setup using Window's Internet
Connection Sharing but rather the "traditional" way with my filling in all
the appropriate blanks, distributing Hosts file (so a "named" pc's IP can be
determined), installing and setting up the proxy, http, ftp, irc, news,
email and media servers (all 3rd party apps). There is no domain, ip or
whatever server running on this network, instead each pc has been manually
assigned an ip address, e.g. 192.168.0.x; 255,255,255,0.
None of it is password protected, instead being ... if it's shared it's
available to all. Hence, basically the "proxy server" pc is more or less
wide open to ethernet connections (some apps are "installed" on it for all
to use) but the other 4 pc's all only share a "temp" folder. Printers are
shared and available to all (four total in house). I do not allow NetBios
over TCP/IP and I have Netbuie as my primary protocol, the TCP/IP being used
only for the "internet" type stuff.
I had hoped that when I upgraded this "main" pc to XP pro I could
Expectation #1) keep the ethernet more or less as is.
Experienced : I accomplished that by installing the third party Netbuie
protocol provided on the install cd. I had some frustration setting it up
and getting the "defaults" out of the way but without changing anything on
the 98SE boxes, I successfully had all printers working as expected (2
inkjets, laser and dot matrix) and all shared folders etc. working as
expected. I didn't like that I couldn't seem to be able to disabled Netbios
over TCP/IP like I could within 98SE but as none of the other boxes use it,
I let that one slide. I also noticed "browsing" the ethernet wasn't as
"smooth" as under 98SE.
Conclusion : Felt I had accomplished task #1
Expectation #2) I could setup individual user accounts with separate
"abilities" for each account, e.g. I'm administrator, wife is a "power user"
and my two kids are each only allowed access to specific "features etc."
with them not neccessaily being "identical", e.g. older kid is allowed more
"access" and to different apps than younger. The kids account would be
restricted in their browsing abilities so they couldn't access folders etc.
I didn't want them to.
Experienced : I was able to change the wife's account to Power User but then
all the normal change password dialogs etc. didn't seem to know what group
she even belonged to!!! Regarding limiting the kids individually, NO clue
except figure out how to create additional restrictions in newly created
groups and then assign each user to their own "group". I haven't figured out
how to do that and have basically dumped XP Pro because without this it's
adds nothing to what I can now do under 98SE.
Conclusion : Without this, XP pro's useless to me as it adds nothing but
obstruction, compromise and loss of speed to equation. Note : XP Pro did a
couple of nice crashes on me during testing so it's really no better than
98SE at it. Rebooting instead of blue screen isn't a solution to the
Expectation #3) could allow a Guest account with VERY restricted feature
set. Specifically do nothing AND see nothing but what I placed on the
desktop, e.g. can't browse folders, right-click anything, no start menu
(just logoff) and a host of other things.
Experienced : Seems you can do some of the above, but couldn't find anywhere
to dictate many restrictions I'd want placed on this account (for example,
no right click on desktop to even see anything let alone be able to change
anything). Note : creating a "normal" user account for "anyone" and disable
this Guest account just moves the problem to item #2.
Conclusion : why did they bother then?
Expectation #4) allow the guest account access to internet thru IE but not
allow downloading anything etc. etc. Guest account refused to have anything
to do with the dialup connection even though it's specified as "Allow all to
use". I assume this is a built-in restriction.
Experienced : I was blown away by how easy this was circumvented!!! When
logged in as Guest I was allowed to fill in the blanks to get to the proxy
server over the ethernet and then had internet no problem!!!
Conclusion : So much for well though out security if I could do that
without any real underlying knowledge and NO prior experience with XP at
All I want is to allow my wife to do things my older kids can't and for the
youngest to be even further restricted in what they 1) can do and 2) they
can even see. I expected individual control over features as detailed as
"allow right click", "home folder is root folder", dictate specific apps can
only be run, restrict even being able to "detect" there's other drives on
system (e.g. burner doesn't even show in MY Computer) etc. etc.
That's what I expected from XP Pro.
What I didn't expect was that some of what I want demands NTFS formatted
hard disk(s). Something I definitely don't want until such a day that I can
put in a simple floppy disk (e.g. ala DOS days) with enough tools on it etc.
that I can manually retireve data with no obstructions in place of any sort)
if the need arises. Least staying Fat32 assures me of that, e.g. boot using
DOS and copy whatever you like. If I don't want to allow that there's 1)
take floppies physically out of system and 2) set BIOS password and 3) get
box that can still use a physical key ala old AT days so there's no keyboard
and/or mouse even if/when connected if pc's "locked".
My experiences to date have simply confirmed a friend of mine (pc vendor)
who said (and I quote) 'XP holds nothing for you.'. Appears he was right as
all it seems to do is place more incumbrances on my using my own pc, e.g.
take Crypotology and DRM etc. crap and shove it. I don't want, need or plan
to use any of that so why should it even be included let alone (presumably)
have my purchase price reflect the cost to put it there.
Problem #2 is the big killer for me. In fact, what I've repeatedly been
asking for "how to do" since I did the first XP install. It's my primary
reason for any interest in XP. To the extent that as it stands now I'm not
even considering getting an OS for my next box, I'll put 98SE on it also
(and probably put Linux on the freed up pc, I've never sold an old one yet)
if it's really as it's seemed to me so far. Note : ten pc site license here,
98 beta testing gift so it's no additional expense and in fact saves me
money as I wouldn't be buying anything OEM anyway, I buy exclyusively clones
with components I specify or I buy elsewhere..
Further questions ask please.
"David Candy" <email@example.com> wrote in message
Because it designed to work with a domain server. It has some basic
facilities if there is no server available.
You can't apply policy, only security, to security groups. Without a domain
server you can only apply policy to everyone. You can never apply policy to
a user only to organisation units in a domain..
There are ways of forcing more granular application. But you don't say if
it's a domain or not.
This is why network admins get paid a lot.
Actually you don't say anything at all just generalities. It is not possible
to answer. Employ someone or state exactly what you want.
-- ---------------------------------------------------------- http://www.g2mil.com/Dec2003.htm "pjp" <pjp_is_located_at_@_hotmail_._com> wrote in message news:edZLG4bFEHA.1376@TK2MSFTNGP10.phx.gbl... > Please, some one tell me how to "control" a specific individual user rather > than the whole group? > > Group polocies obviously control every user in that group and yet > although I've "think" I've found how to create new groups it appears > actually specifiying policy for that group is "problamatic". Additionally, > it seems absurd one would have to basuically create a new group to place > every single login user into their own group so that the policies for that > group would only be applied to only that user. > > Is it really "all of nothing" for everyone in that group and that's it!!! > > If you can't tell me how, can someone at least answer if it's even possible > using "right out of the box" tools. Even if it has to be direct registry > editing acceptable. 3rd party tools seems an unacceptable solution but > obviously if they exist (which Doug's tool seems to suggest) then the > documentation at least for doing what I want must exists somewhere. The > question then becomes where? > > It's a pretty simple idea, given two user logins ... > > I want user1 to be able to do this1, this2, this3 and not this4 > > where-as > > I want user2 to be able to do this1, not this2, not this3 but allow this4. > > Supposedly a modern, multi-tasking, multi-user operating system (XP Pro at > least is touted as such) and it seems damn near impossible to get that done > "out of the box" which has me completely confused about what the hell is > going on? > > >