[Samba] gpedit.msc as centralized policy for 2k/xp clients

Ulrich Kohlhase Ulrich.Kohlhase at t-online.de
Sun Mar 16 18:49:23 GMT 2003


> Is it possible to apply these at logon? through/via logon scripts to
> centralize admin? I believe the user side is not applied till login
> anyway? regards, Richard Coates.

LGPOs are applied at logon, at least the user-specific part. The
machine-specific part comes to effect after rebooting the system. As I
understand the GPO stuff usually depends on an AD environment if (more or
less time consuming) LGPO tweaking on each and every non AD local machine is
not an option. In the document you mentioned
The answer to question 6.2 says the scripting possibilities are limited so
logon scripts probably won't work. This GPO stuff is very powerful and
interesting in terms of user and machine restrictions but MUCH more
complicated compared to the NT4 policy scheme (sigh). I don't have time to
investigate any further on this right now, sorry.

After applying LGPOs the users profile folders contain the following files:

May be it's possible to set up LGPOs on one computer and copy "ntuser.pol"
(GPO settings) and "ntuser.ini" (profile Exclusion List) to users profile
folders on other machines? Just guessing and hoping there's a clean and easy
solution ...

The following guide provided by MS may be of interest too:

Good luck,

> On Fri, 2003-03-14 at 03:30, Ulrich Kohlhase wrote:
>> We use local (!) GPOs on our Win2k clients with great success:
>> - log on to "master" workstation as administrator
>> - create a link to the "C:\WINNT\system32\GroupPolicy" folder on
>> your administrator's desktop 
>> - optionally add gpedit.msc to mmc (add snapin ...)
>> - change settings in GPOs to fit your needs or your company's
>> security policy (especially admin templates)
>> - export and import on other workstations or clone "master"
>> workstation

More information about the samba mailing list