×

Loading...
Ad by
  • 最优利率和cashback可以申请特批,好信用好收入offer更好。请点链接扫码加微信咨询,Scotiabank -- Nick Zhang 6478812600。
Ad by
  • 最优利率和cashback可以申请特批,好信用好收入offer更好。请点链接扫码加微信咨询,Scotiabank -- Nick Zhang 6478812600。

@Florida

请教对Windows 2003 Group Policy 熟悉的专家:有没有什么好办法实现非Active Directory的multiple local GPO?

holdon(again)
具体需求:
用户有个Terminal Service Server ( 非 domain server), 上面有上百个用户,希望普通用户logon时几乎所有功能都被锁死,只允许运行指定程序。

我查了下发现windows 2003 只有一个local GPO, 以后的 Vista 会支持 multiple local GPO. 目前我的临时解决办法是logon as administrator, 先用gpedit.msc 锁定功能,然后马上运行regedit 去掉对administrator的锁定。 但是这样做比较麻烦,而且如果以后用户需要有更多不同权限的用户组就没办法了。其实这些policies 都是注册表键,开发个软件让windows2000/ 2003 支持多组Group Policies 应该不难。有谁用过类似的软件吗?
(#3105684@0)
Last Updated: 2006-7-27
This post has been archived. It cannot be replied.
Report

Replies, comments and Discussions:

  • 工作学习 / 专业技术讨论 / 请教对Windows 2003 Group Policy 熟悉的专家:有没有什么好办法实现非Active Directory的multiple local GPO? -holdon(again); 2006-7-27 {541} (#3105684@0)
    具体需求:
    用户有个Terminal Service Server ( 非 domain server), 上面有上百个用户,希望普通用户logon时几乎所有功能都被锁死,只允许运行指定程序。

    我查了下发现windows 2003 只有一个local GPO, 以后的 Vista 会支持 multiple local GPO. 目前我的临时解决办法是logon as administrator, 先用gpedit.msc 锁定功能,然后马上运行regedit 去掉对administrator的锁定。 但是这样做比较麻烦,而且如果以后用户需要有更多不同权限的用户组就没办法了。其实这些policies 都是注册表键,开发个软件让windows2000/ 2003 支持多组Group Policies 应该不难。有谁用过类似的软件吗?
    • in xp, there is "Microsoft Shared Computer Toolkit for Windows XP " for different user. Do you mind tell me how to "regedit 去掉对administrator的锁定". Thanks -bjduck(BB&PP); 2006-7-27 (#3105789@0)
      • 谢谢。看了看microsoft网站,这个toolkit 应该是我需要的功能的一部分,但是没有group policies 那一块. -holdon(again); 2006-7-27 {256} (#3106098@0)
        group policies 实际上都是通过注册表完成的,修改gpo会造成所有用户注册表相应改变。把这些值改回去就会去掉锁定。这些值大部分在
        \HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

        我在想如果自己开发一个这样的软件,不知道会有多大市场。
        • but do u need to change everytime. For GP will reload every time when u log on. maybe u can use log on script change the key. -bjduck(BB&PP); 2006-7-27 (#3106509@0)
          • No. From my test result, GP will only reload when you change the GPO. So you only need to change it after you run gpedit. I also found a FAQ on Microsoft: -holdon(again); 2006-7-27 {474} (#3106609@0)
            http://technet2.microsoft.com/windowsserver/en/technologies/featured/gp/faq.mspx


            Q.My users have made changes to Internet Explorer settings, and I'm expecting Group Policy to reapply our corporate standards. Why does it not reapply?
            A.If there is no change to a GPO, policy does not apply. If users change their trusted sites, policy will not change them back unless you actually update the GPO and trigger a refresh. Without a change, Group Policy will not process.
    • if you post more details of your network infrastructure, domain architecture, I might be able to give you some suggestions.:) -iamta(iamta); 2006-7-27 (#3106695@0)
      • 咳咳,没有domain archtecture。就一台windows 2003 server, 客户通过remote desktop 登陆,在server上执行程序。 -holdon(again); 2006-7-28 (#3108826@0)
        • hoho, then no need for group policy -iamta(iamta); 2006-7-28 (#3108851@0)
          • how do you restrict 100 user's logon, only allow them to run the assigned icon shotcut on desktop? -holdon(again); 2006-7-28 (#3108884@0)
    • If you only want user to run a program, not multi program icons. you can set user login profile "Start Up Program section " Good luck -swimmingfish2000(向前看); 2006-7-29 (#3110839@0)
      • Should be Environments under user properties -swimmingfish2000(向前看); 2006-7-29 (#3110845@0)
        • 不行啊,每个用户现在有两个程序,以后还要加。 -holdon(again); 2006-7-30 (#3111455@0)
    • 如果不用GPO,只使用分组权限,让普通用户组成员只对某些特定程序目录有执行权限不行吗? -akoei(停车**枫林晚); 2006-7-31 (#3113880@0)

More Topics

  • 看大家讨论日语,俺也正在认真学习。其实语言问题应该是很快也很容易就解决的,可能比自动驾驶来的还快。TREK里面,全宇宙的人都在大脑里安装了UNIVERSAL TRANSLATOR,外星人之间相互交流无障碍。废话少说,看视频。。。加上个MIC和耳机,不同国家的人就可以无障碍交流。
  • 肉脸真有搞 IT 的?Linux 把俄国中国伊朗踢出去了好像肉脸 IT 没啥感觉似的
  • 请问web developer和software developer技术上有什么区别?
  • Elon Musk 带着川普总统奔向火星了。
  • 扔硬币的实验研究
    • 枫下论坛主坛工作学习专业技术讨论