[Samba] gpedit.msc as centralized policy for 2k/xp clients

K. Hawkes k.hawkes at darknyte.force9.co.uk
Sun Mar 16 19:00:36 GMT 2003

You sound like you are having the same problem we did at our site.

The key is to get Win2K SP3, get the POLEDIT.EXE file out of it.
Search local hard disks for .ADM files, load these into POLEDIT.
This will give you most of GPEDIT's functionality, but inside POLEDIT. It may
be an idea to convert the .ADMs to standard TEXT, NOT Unicode just for

Hope this helps.

K. Hawkes

----- Original Message -----
From: "Ulrich Kohlhase" <Ulrich.Kohlhase at t-online.de>
To: <samba at lists.samba.org>
Sent: Sunday, March 16, 2003 6:49 PM
Subject: Re: [Samba] gpedit.msc as centralized policy for 2k/xp clients


> Is it possible to apply these at logon? through/via logon scripts to
> centralize admin? I believe the user side is not applied till login
> anyway? regards, Richard Coates.

LGPOs are applied at logon, at least the user-specific part. The
machine-specific part comes into effect after rebooting the system. As I
understand the GPO stuff usually depends on an AD environment if (more or
less time-consuming) LGPO tweaking on each and every non-AD local machine is
not an option. In the document you mentioned
The answer to question 6.2 says the scripting possibilities are limited so
logon scripts probably won't work. This GPO stuff is very powerful and
interesting in terms of user and machine restrictions but MUCH more
complicated compared to the NT4 policy scheme (sigh). I don't have time to
investigate any further on this right now, sorry.

After applying LGPOs the users' profile folders contain the following files:

Maybe it's possible to set up LGPOs on one computer and copy "ntuser.pol"
(GPO settings) and "ntuser.ini" (profile Exclusion List) to users' profile
folders on other machines? Just guessing and hoping there's a clean and easy
solution ...

The following guide provided by MS may be of interest too:

Good luck,

> On Fri, 2003-03-14 at 03:30, Ulrich Kohlhase wrote:
>> We use local (!) GPOs on our Win2k clients with great success:
>> - log on to "master" workstation as administrator
>> - create a link to the "C:\WINNT\system32\GroupPolicy" folder on
>> your administrator's desktop
>> - optionally add gpedit.msc to mmc (add snapin ...)
>> - change settings in GPOs to fit your needs or your company's
>> security policy (especially admin templates)
>> - export and import on other workstations or clone "master"
>> workstation
