Give this a try... On a standalone system, you can start the Group Policy editor as follows: click START | RUN, type in MMC, click File | Add/Remove Snap-in, click Add, scroll and highlight Group Policy, click Add, take default local machine and select Finish, click Close, click OK and you can then modify the local security policy.
For information on how to implement this on a stand-alone system, see IAT Services Knowledgebase article: How to create and invoke policies on Windows 2000 not in the Active Directory, at https://iats.missouri.edu/servlets/knowledgebase/articles/29981

Below are the basic GPO settings that were used to help lock down a 2K Pro system. Depending on your setup/applications you will need to tailor, and this is not meant to be a step-by-step guide, but an example. Remember this must be done in conjunction with NTFS File permissions.

Hope this helps,

Jason Lee
IAT Services, LaDS
[EMAIL PROTECTED]

GPO Policy changes from the default template
---------------------------------------------

[Computer Configuration]
  Administrative Templates
    Network
      Offline Files
        - Disabled Enabled (i.e. no Offline is disabled)
        - Enabled Disabling user configuration of Offline files
      Network and Dial-up Connections
        - Enabled Prohibit configuration of connection sharing
    Printers
      - Disabled Allow printers to be published.

[User Configuration]
  Windows Settings
    Internet Explorer Maintenance
      Browser User Interface
        - Changed Browser Title
      URLS
        - Set Favorites on top
            Added STARMU Link
            Added IATS Knowledgebase Link
        - Set Important URLS to:
            Homepage: http://www.mutigers.com
            Search: http://www.google.com
            Support: http://iatservices.missouri.edu
        - Set existing channels to be deleted if present
      Security
        - Imported content setting to not allow:
            Moderate Language
            No Sex
            No Nudity
            Moderate Violence
          *note: this only occurs if the HTML author codes a rating into the page. i.e. not a replacement for SurfWatch or equivalent app.
        - Set so that users can visit sites with no ratings.
        - Changed password to 'password'
    Folder Redirection
      Desktop
        - Set to: <UNC Path stripped for privacy>
      My Documents
        - Set to: D:\"My Documents"\
          *note: you could write a script that routinely cleans this folder.
      Start Menu
        - Set to: <UNC Path stripped for privacy>

[Administrative Templates]
  Windows Components
    Internet Explorer
      - Enabled Disabling external branding of Internet Explorer
      - Enabled Disabling changing home page settings
      - Enabled Disabling changing ratings settings
      - Enabled Disabling AutoComplete for forms
      - Enabled Disabling AutoComplete to save passwords
      Internet Control Panel
        - Disabled Advanced page
      Offline Pages
        - Disabled adding channels
    Windows Explorer
      - Enabled Remove Map Network Drive and Disconnect Network Drive
      - Enabled No "Computers Near Me"
      - Enabled No "Entire Network"
    Task Scheduler
      - Enabled all options (6 total) to prevent users from messing with scheduler.
  Start Menu & Taskbar
    - Enabled Add Logoff to Start Menu
    - Enabled Disabling Drag/Drop context to Menus on Start Menu
    - Enabled Disabling changes to Taskbar and Start Menu settings
    - Enabled Disabling personalized menus
  Desktop
    - Enabled Hide My Network Places icon
    - Enabled Do not add shares of recently opened docs...
    - Enabled prohibiting user from changing My Documents Path
    - Enabled don't save settings on exit
    Active Desktop
      - Enabled disabling
      - Enabled Prohibit changes
      - Enabled Prohibit adding items
      - Enabled Prohibit editing items
      - Enabled Active Desktop Wallpaper
          Set to <Path stripped for privacy>
          Set to stretch
    Active Directory
      - Enabled Hide Active Directory Folder
  Control Panel
    - Enabled Disabling Control Panel
    Display
      - Enabled Disabling changing wallpaper
      - Enabled Hide Settings tab
      - Enabled Hide Screen Saver tab
      - Enabled Activate screen saver
      - Disabled Password protect screen saver
      - Enabled Screen Saver timeout
          Set to 15 min (900 sec)
  Network
    - Enabled Prohibit connecting and disconnect RAS
    - Enabled Prohibit access to prop. of LAN con.
    - Enabled Prohibit access to current user's RAS
    - Enabled Prohibit access to properties of RAS conn.
    - Enabled Prohibit adding/removing components to LAN or RAS
    - Enabled Prohibit access to properties of components of LAN con.
    - Enabled Prohibit access to properties of components of RAS con.
    - Enabled Prohibit access to Network Connection wizard
    - Enabled Prohibit access to Dial-up Preferences
    - Enabled Prohibit access to Advanced Settings
    - Enabled Prohibit configuration of connection sharing
    - Enabled Prohibit TCP/IP advanced configuration
  System
    - Enabled Disabling registry editing tools
    Logon/Logoff
      - Enabled Disabling Lock Computer

-----Original Message-----
From: Giardina, dhr. N.(ICTS) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 12:09 AM
To: NT 2000 Discussions
Subject: RE: W2K Pro Policies

Hi,

Could I get the required steps to build a template............Please ......... ?

> -----Original Message-----
> From: Charles E Carson [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, December 18, 2001 19:57
> To: NT 2000 Discussions
> Subject: RE: W2K Pro Policies
>
> Policy editor is intended for NT.
>
> A better way is to create a security template, then import and apply
> it to all machines. The steps should be documented on Microsoft's
> website.
>
> If you can't find more info, send me an e-mail and I'll give you the
> steps that I've done when we used to have W2K laptops on an NT domain.
>
> Charles Carson
> Network Administrator
> Southwest Student Services
>
> -----Original Message-----
> From: Mike Schmidt [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 18, 2001 11:06 AM
> To: NT 2000 Discussions
> Subject: RE: W2K Pro Policies
>
> The registry. In Policy Editor, choose open registry. Works for me.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Don Schenk
> Sent: Sunday, December 16, 2001 11:57 PM
> To: NT 2000 Discussions
> Subject: W2K Pro Policies
>
> Greetings,
>
> I have a small group of PCs at work that are on an isolated segment
> and do not logon to a domain.
> I created a policy for the users that
> logon on them, things like removing the search from the startup menu,
> can't lock the workstation, etc. What I can't figure out is, since
> they are in a workgroup, where to put the *.POL file.
>
> ------
> You are subscribed as [EMAIL PROTECTED]
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe send a blank email to [EMAIL PROTECTED]
