RE: Questions Re: users/groups, security and GPOs



Hi,

Thanks for using the SBS newsgroup!

From your description, I understand that you have some questions about group
policy. If I am off base, please don't hesitate to let me know.

For the "Survey" group scenario:

Yes, you can do as you said.

--Create a group policy object to redirect these 5 users' My Documents to
the server box

--Configure these 5 user accounts to have read and/or write permissions on
these folders.

For the "OfficeDept" group scenario:

You can set the Excel/Word applications' default Save Location to the public
folder location. In this way, these users' default Save Location will point
to the public folder location. But we cannot enforce that all Excel/Word
documents are saved to that location, since users can change the save
location to another location manually. For your convenience, I have tested
the issue and listed the steps for your reference:

1. Log on to one workstation and change the following registry key's value to
the public folder of the server box:
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Word\Settings\Modify Location\File Name MRU

2. Export the registry key to a .reg file and then save it to the server box.

3. Create a new group policy object and set it as follows:

Open the Group Policy Object Editor and locate the item

Computer Configuration\Administrative Templates\System\Logon\Run these
Programs at user logon, then double-click it to open its Properties page.
Select the Enabled check box, click the Show button, and click the Add button
to add the .reg file here. Click OK twice to finish.

For the "accounts" machine scenario:

You can create a new group policy object and disable all features you don't
want it to use. Your question seems to be obscure. For example: you can set a
fixed desktop and hide icons that you don't want it to use. Or prevent users
from using some specified programs and drives. Or do you want the user to be
able to access only the Internet and not any files or applications on the
computers?

I would like to suggest you take a look at the following articles:

323525 HOW TO: Restrict Users from Running Specific Windows Programs in Windows
http://support.microsoft.com/?id=323525

231289 Using Group Policy Objects to Hide Specified Drives in My Computer for
http://support.microsoft.com/?id=231289

261241 HOW TO: How to Hide Selected Control Panel Tools in Windows 2000
http://support.microsoft.com/?id=261241

818465 HOW TO: Use Group Policy to Permit Users to Redirect and Play Audio in a
http://support.microsoft.com/?id=818465

321707 HOW TO: Automatically Run Programs When Users Log On to Windows 2000
http://support.microsoft.com/?id=321707

321476 How to Change the Default Permissions on Group Policy Objects in Windows
http://support.microsoft.com/?id=321476

320181 HOW TO: Use the Application Security Tool to Restrict Access to Programs
http://support.microsoft.com/?id=320181

314953 HOW TO: Use Group Policy to Deploy Windows XP in a Windows 2000-Based
http://support.microsoft.com/?id=314953

310125 HOW TO: Prevent the Last Logged-On User Name from Being Displayed in
http://support.microsoft.com/?id=310125

More information:

Group Policy Overview:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/6eed436f-5b05-4eaa-9525-c0c429fcf9f6.mspx

Create or delete a Group Policy object:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4f8dd800-e0e3-44a6-8a4a-d3d34b245fe7.mspx

Hope it helps! If you have any further questions on the issue, please let me
know. I am happy to be of assistance to you!

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support

--------------------
>From: "remove-for-spam parpenbhwarg at gmail dot com"
<parpenbhwarg@xxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Questions Re: users/groups, security and GPOs
>Date: 7 Dec 2005 04:31:47 -0800
>
>With my limited server OS knowledge, I'm struggling to get my head
>round certain things in SBS 2K3! My situation is as follows:
>
>We currently have 6 workstations live on the server and need to add a
>further 5. CALs are not a problem as 15 have been bought to accommodate
>for additional users. The current workstations are "survey1" through to
>"survey4", "internetpc" (for POP3 access to BT Internet e-mail) and
>"accounts". The survey workstations frequently require access to each
>other's documents which is accomplished by sharing their user folder on
>the server (rubbish security!).
>
>The additional 5 users will be "officedept1" - "officedept5" and have
>created a public share along with a logon script to map the drive (P:).
>
>My proposal is to house the survey users in to a "survey" group with
>security set up accordingly so that only Authenticated Users in the
>"survey" group can access each other's documents. Would this be
>sufficient security?
>
>As for the office administration users, these will be housed in a
>"OfficeDept" group. Is it possible using a GPO (I have downloaded the
>Office ADM templates) to assign all users within the "OfficeDept" group
>to save their Word/Excel documents to the public share (P:)?
>
>Lastly, the "accounts" machine only requires access to the Internet but
>does run Sage. What security policies should I apply to this user?
>
>Any help is greatly appreciated, thanks in advance.
>
>
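
Added example (not part of the original thread): one way to check and tighten the NTFS permissions for the "survey" scenario discussed above, so that only the survey group, SYSTEM and Administrators can reach the shared documents. It assumes Windows PowerShell is available on the server; the folder path and the CONTOSO\survey group name are placeholders.

```powershell
# Added example. $Root and $Group are placeholders (assumptions), not values from the thread.
$Root  = 'D:\Survey Documents'   # hypothetical folder holding the survey users' documents
$Group = 'CONTOSO\survey'        # hypothetical domain\group name
$Broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Report Allow entries that give a broad principal access to the folder.
function Get-BroadAccess {
    param([string]$Path, [string[]]$Principals)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Principals -contains $_.IdentityReference.Value } |
        ForEach-Object {
            '{0}: {1} has {2} (inherited: {3})' -f $Path,
                $_.IdentityReference.Value, $_.FileSystemRights, $_.IsInherited
        }
}

# Replace the folder's ACL with three entries:
# SYSTEM and Administrators get FullControl, the named group gets Modify.
function Set-GroupOnlyAccess {
    param([string]$Path, [string]$GroupName)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop every existing explicit entry, Allow or Deny.
    foreach ($rule in @($acl.Access)) {
        if (-not $rule.IsInherited) { $acl.RemoveAccessRuleAll($rule) }
    }
    $entries = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = $GroupName;               Rights = 'Modify' }
    )
    foreach ($e in $entries) {
        # Entry applies to this folder, its subfolders and its files.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Id, $e.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Get-BroadAccess -Path $Root -Principals $Broad      # audit before the change
Set-GroupOnlyAccess -Path $Root -GroupName $Group
Get-BroadAccess -Path $Root -Principals $Broad      # audit again after the change
```

Share-level permissions are evaluated separately from NTFS permissions, so the share on the folder should be reviewed as well.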
