Re: Editing GP



Yes, that's one of the disadvantages of not using AD, it's much
more difficult to filter a local policy with a security group than
a Group Policy.

However, it is possible. This is what another frequent poster here,
TP, has posted in this newsgroup (the list of instructions might
frighten you at first, but it's very detailed):

Here are the instructions for a standalone 2003 server, which can
be summarised with:
1. create a group and user (steps 1 - 4)
2. set permissions and ownership on three folders and a file (steps
5 - 23)
3. create a shortcut (steps 24 - 27)

INITIAL SETUP

This should be done before attempting any changes to
Group Policy settings.

1. Logon as an administrator
2. Open up Computer Management from Administrative Tools
3. Create a new local group named "GP Editors"
4. Create a new local user named "gpedit". Assign this user
a password, and check "password never expires". Make
this user a member of the GP Editors group.
5. Open up windows explorer and browse to the following
folder (make sure that view hidden files is enabled):
C:\WINDOWS\system32\GroupPolicy
6. Right-click on the GroupPolicy folder and Properties -
Security - Advanced
7. Click the Add button, enter GP Editors in the Select User or
Group dialog, and click OK
8. Check Full Control under the Allow column, and click OK
9. Check "Replace permission entries on all child objects with
entries shown here that apply to child objects"
10. Click the Apply button and confirm Yes twice.
11. On the Owner tab, click the Other Users and Groups button,
enter GP Editors, and click OK.
12. Check "Replace owner on subcontainers and objects"
13. Make sure GP Editors is selected in the Change Owner to list.
14. Click the OK button to change the owner, click OK to close
the GroupPolicy Properties
15. Within the GroupPolicy folder, right-click on the Machine
folder, and choose Properties - Security
16. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
17. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
18. Within the GroupPolicy folder, right-click on the User folder,
and choose Properties
19. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
20. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
21. Within the GroupPolicy folder, right-click on the gpt.ini file,
and choose Properties
22. On the Security tab, select Administrators on the top, and
check Full Control under the Deny column
23. Click OK to save the Deny permission you just made, confirm
by answering Yes twice
24. Right-click on the desktop and choose New-->Shortcut
25. Enter the following in the location box:
runas /user:gpedit "%windir%\system32\mmc gpedit.msc"
26. Click Next, and enter "Edit Group Policy" for the name
27. Click Finish

MODIFYING GROUP POLICY SETTINGS

1. Logon using the account you used for the initial setup
2. Double-click on the Edit Group Policy shortcut
3. Enter the password for the gpedit account
4. Edit the policies as needed
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
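
A read-only check of the end state that steps 5 to 23 above should produce, added here as an example; it is not part of TP's instructions or of the original post. It assumes Windows PowerShell is installed on the server, the default folder from step 5 and the group name from step 3, and that it is run as the gpedit account, because Deny Full Control also denies Administrators the right to read the permissions on those objects.

```powershell
# Added example: read-only audit of the ACLs and owner set in steps 5-23.
# Assumed: default path from step 5, group name from step 3.
$gpRoot  = Join-Path $env:windir 'system32\GroupPolicy'
$editors = 'GP Editors'
$admins  = 'Administrators'
$full    = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$failed  = 0

function Test-FullControlAce($Acl, [string]$Account, [string]$Type) {
    # True when an Allow/Deny ACE for $Account covers every Full Control bit.
    foreach ($ace in $Acl.Access) {
        $sameAccount = $ace.IdentityReference.Value -like "*\$Account"
        $sameType    = $ace.AccessControlType.ToString() -eq $Type
        $coversFull  = ([int]$ace.FileSystemRights -band $full) -eq $full
        if ($sameAccount -and $sameType -and $coversFull) { return $true }
    }
    return $false
}

function Write-Check([string]$Path, [string]$What, [bool]$Ok) {
    # Emits one result line and counts failures for the summary.
    if (-not $Ok) { $script:failed++ }
    "{0,-4} {1}: {2}" -f $(if ($Ok) { 'OK' } else { 'FAIL' }), $Path, $What
}

$targets = @(
    $gpRoot,
    (Join-Path $gpRoot 'Machine'),
    (Join-Path $gpRoot 'User'),
    (Join-Path $gpRoot 'gpt.ini')
)

foreach ($path in $targets) {
    $acl = Get-Acl -Path $path
    Write-Check $path 'owner is GP Editors (steps 11-14)' ($acl.Owner -like "*\$editors")
    Write-Check $path 'GP Editors has Allow Full Control (steps 7-10)' `
        (Test-FullControlAce $acl $editors 'Allow')
    if ($path -ne $gpRoot) {
        # Steps 15-23 put the Deny entry on Machine, User and gpt.ini only.
        Write-Check $path 'Administrators has Deny Full Control (steps 15-23)' `
            (Test-FullControlAce $acl $admins 'Deny')
    }
}

if ($failed) { "$failed check(s) failed" } else { 'All checks passed' }
```
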

GerTheCanuck
<GerTheCanuck@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 10 May 2007 in
microsoft.public.windows.terminal_services:

I thank you very much for your help on this matter and I did find
what you pointed me to very useful, however I want the
restrictions that I set up to be applicable to users only, not
administrators, and I am not seeing that this is possible in a
non-domain, non-Active Directory situation. I really do not
need all the bells & whistles that a domain offers as this is
just for a small office with few users with very minimal
requirements. TS is basically the sole purpose of using this
OS. Any further help would be greatly appreciated.

"Vera Noest [MVP]" wrote:

You have a bit of catching up to do :-)

You'll want to set a local policy on the 2003 server. The
editor for that is gpedit.msc
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

GerTheCanuck
<GerTheCanuck@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 09 May 2007
in microsoft.public.windows.terminal_services:

I am currently setting up Server 2003 TS - non Domain.
We are currently running Win NT 4 TS running for the last 6
years in a Domain atmosphere so I am used to it.

All users access by TS. In NT4 TS I could use "System
Policy Editor" to restrict the users' access to such things as
the Run Command, changing the display etc. How do I do this
in the server 2003 - non domain system? In NT 4 you had to
each user individually; can this be done for an entire group?

Sorry, I am just so used to NT 4 I may be just overlooking the
obvious.