Question for experts familiar with Windows 2003 Group Policy: is there a good way to implement multiple local GPOs without Active Directory?

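Specific requirements:
The customer has a Terminal Service Server (not a domain server) with over a hundred users on it, and wants almost all functions locked down when ordinary users log on, allowing them to run only specified programs.

I looked into it and found that Windows 2003 has only one local GPO; the later Vista will support multiple local GPOs. My current temporary workaround is to log on as administrator, first lock down functions with gpedit.msc, and then immediately run regedit to remove the lockdown on administrator. But this is rather cumbersome, and it won't work if the customer later needs more user groups with different permissions. Since these policies are all registry keys, developing software that lets Windows 2000/2003 support multiple sets of Group Policies shouldn't be hard. Has anyone used similar software?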

Replies, comments and Discussions:

  • Question for experts familiar with Windows 2003 Group Policy: is there a good way to implement multiple local GPOs without Active Directory?
    • In XP, there is "Microsoft Shared Computer Toolkit for Windows XP" for different users. Do you mind telling me how to "use regedit to remove the lockdown on administrator"? Thanks
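      • Thanks. I looked at the Microsoft website; this toolkit should be part of the functionality I need, but it has no group policies piece.
        Group policies are actually all implemented through the registry; modifying the GPO causes the corresponding registry changes for all users. Changing these values back removes the lockdown. Most of these values are under
        \HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

        I'm wondering how big the market would be if I developed such software myself.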
        • But do you need to change it every time? Because GP will reload every time you log on. Maybe you can use a logon script to change the key.
          • No. From my test result, GP will only reload when you change the GPO. So you only need to change it after you run gpedit. I also found a FAQ on Microsoft:
            http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx


            Q. My users have made changes to Internet Explorer settings, and I'm expecting Group Policy to reapply our corporate standards. Why does it not reapply?
            A. If there is no change to a GPO, policy does not apply. If users change their trusted sites, policy will not change them back unless you actually update the GPO and trigger a refresh. Without a change, Group Policy will not process.
    • If you post more details of your network infrastructure and domain architecture, I might be able to give you some suggestions. :)
      • Ahem, there is no domain architecture. Just one Windows 2003 server; customers log in through Remote Desktop and run programs on the server.
        • hoho, then no need for group policy
          • How do you restrict 100 users' logons, only allowing them to run the assigned icon shortcut on the desktop?
    • If you only want the user to run a program, not multiple program icons, you can set the user login profile "Start Up Program" section. Good luck
      • Should be Environments under user properties
        • That won't work; each user currently has two programs, and more will be added later.
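    • If you don't use GPO and only use group permissions, wouldn't it work to give members of the ordinary users group execute permission only on certain specific program directories?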
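
The per-group policy on a standalone server that the thread asks about, as an added example that is not from any poster: a PowerShell script, run elevated, that writes the Explorer `RestrictRun` allow list (under the `Policies\Explorer` key named in the thread) into the registry hive of each member of one local group. It assumes PowerShell is installed on the server; the group name `TSRestricted` and the program names are hypothetical.

```powershell
# Added example. Run elevated. Group and program names are hypothetical.
param(
    [string]$GroupName    = 'TSRestricted',
    [string[]]$AllowedExe = @('app1.exe', 'app2.exe')
)
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$policySub   = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Enumerate local group members through ADSI (no newer cmdlets required).
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

foreach ($name in $members) {
    $account = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $name)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $profileKey = Join-Path $profileList $sid
    if (-not (Test-Path $profileKey)) {
        Write-Warning "$name has no profile yet (never logged on); skipped"
        continue
    }

    # A logged-on user's hive is already mounted at HKEY_USERS\<SID>.
    # Otherwise mount NTUSER.DAT under a temporary name and unload it afterwards.
    $mount = $sid
    $loadedHere = -not (Test-Path "Registry::HKEY_USERS\$sid")
    if ($loadedHere) {
        $mount = "Tmp_$sid"
        $hive  = Join-Path (Get-ItemProperty $profileKey).ProfileImagePath 'NTUSER.DAT'
        & reg.exe load "HKU\$mount" $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "cannot load hive for $name"; continue }
    }

    # reg.exe is used for the writes so this process keeps no open handle
    # on the hive, which would make the unload fail.
    $key = "HKU\$mount\$policySub"
    & reg.exe add $key /v RestrictRun /t REG_DWORD /d 1 /f | Out-Null
    & reg.exe delete "$key\RestrictRun" /f 2>$null | Out-Null   # reset allow list
    $i = 1
    foreach ($exe in $AllowedExe) {
        & reg.exe add "$key\RestrictRun" /v $i /t REG_SZ /d $exe /f | Out-Null
        $i++
    }

    if ($loadedHere) { & reg.exe unload "HKU\$mount" | Out-Null }
    Write-Output "$name ($sid): allow list applied"
}
```

`RestrictRun` is enforced only by Explorer for programs it launches, so it works best combined with the NTFS execute permissions suggested in the last reply.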