Mac OS X Server,  Windows XP

Windows XP: Managing Policies for a Single Workstation

Not all environments are Active Directory. If you have a smaller Mac OS X Open Directory environment with a PDC, you may want to leverage policies if you don’t have the more complicated needs of AD. This can be set up in your image and then pushed out from there, but it will not update dynamically the way it does when you use a netlogon share and .adm files. On Windows Server 2003 or Windows XP there are two utilities that can be used to create policy lists: the Group Policy Object Editor, gpedit.msc, and the Local Security Policy editor, secpol.msc. For the purposes of this document we will use gpedit.msc, as it provides most of what is available in secpol.msc and far more granular policies for workstation control. To open the Group Policy Object Editor, click Start, click Run, and type gpedit.msc. You will then be looking at two sections, Computer Configuration and User Configuration. Computer Configuration controls machine-wide settings such as password policies and Log on Locally. For the most part these can be left as-is.

The User Configuration section contains a folder called Administrative Templates. Open this and you will see Windows Components, which covers Windows XP applications such as Terminal Services (RDC), Windows Media Player, Windows Update, Windows Explorer, etc. An example of setting these policies is to use the Windows Media/Playback/Prevent Codec Download policy to prevent Windows Media Player from downloading codecs. Start Menu and Taskbar can be used to configure settings in the Start Menu and taskbar (seems pretty straightforward, right?). For example, you can use Remove Run Menu from Start Menu to configure the system not to show a Run dialog box in the Start Menu. Other things you can do here include locking the taskbar, showing users the classic Start Menu, disabling the history of recently opened documents, or removing Run/My Pictures/My Music/My Network Places/Favorites from the Start Menu.

User Configuration also allows you to configure the Desktop using the Desktop subfolder. For example, the Properties dialog box can be removed from My Documents, My Computer or Recycle Bin. Or you could remove My Computer, My Documents or Recycle Bin from the desktop completely. You can also block users from adjusting desktop toolbars or hide the Network Places and/or Internet Explorer Icon on the desktop.

User Configuration is also where you can allow or disallow specified groups of users access to the Control Panel, using the Control Panel sub-set of folders. Control Panel not only includes the Control Panel itself but also Printing, Language, Add/Remove Programs, etc. You can limit which Control Panel items are displayed to end users, or simply prohibit all users from accessing any Control Panel item. You can also perform more fine-grained access control for certain Control Panel items. For example, you can allow a user access to the Display Control Panel and allow them to enable a screen saver there, but disable the ability to change the wallpaper. You could also require a password to wake a system from screen saver mode. The Add or Remove Programs sub-folder will allow you to prevent users from installing software, or to limit certain options within the software installation wizard. Through the Printers sub-folder you can control whether a user can add or delete printers, or prevent them from browsing for printers. Shared Folders can be used to disable a user's ability to share folders. Network can be used to prevent users from changing TCP/IP, NIC or other items that involve the network stack; it can also be used to set offline file caching settings. System has a number of settings that can be configured, including profile quotas (under User Profiles), login script behavior (under Scripts), Task Manager and computer locking (under Ctrl+Alt+Del Options), the ability to start programs at login (under Logon), GPO controls such as refresh intervals (under Group Policy – although many of these will not be enforceable if you are not using a domain) and finally Movie Maker and HTTP printing (under Internet Communications).

There are a lot of policies. If you’re curious about what a specific policy will do, you can use the Extended view (by clicking Extended on the bottom nav bar). In the Extended view, the system requirements (version of Windows, etc.) and a description of what the policy does are displayed on the left-hand side of the screen. Once you are comfortable with what a policy will do, double-click the policy to configure its settings.

Once you have customized the policy to your liking, you can export it for your records. To export a policy, right-click Computer Configuration or User Configuration and click Export List. Save it as a .txt or .csv file using a naming convention that makes sense (for example, it might be called creatives, students, teachers, accounting, etc.). You can also export both the Computer and User Configurations at once by using Local Computer Policy as your export point.
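The Export List step above records what you configured, but it does not tell you whether a workstation still matches that record months later. The Administrative Template policies discussed above (Remove Run, codec download, wallpaper, screen saver password, Control Panel access, printers, Task Manager) are applied to the user's registry under the Policies keys, so a baseline can be checked directly. The script below is an added example, not code from the original post: it compares a constructed baseline against the live registry and writes the result to CSV alongside your exported policy list. The registry paths and value names are Microsoft's documented locations for these settings; the expected values are this example's assumption about a locked-down profile. It assumes Windows PowerShell 2.0 or later, which is not installed on Windows XP by default.

```powershell
# Added example: audit a local-policy baseline against the registry values
# that the Administrative Template settings write, and export the result.
# Baseline values below are a constructed, assumed "locked-down" profile.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$baseline = @(
    @{ Policy = 'Remove Run menu from Start Menu';
       Path = $explorer; Name = 'NoRun'; Expected = 1 },
    @{ Policy = 'Do not keep history of recently opened documents';
       Path = $explorer; Name = 'NoRecentDocsHistory'; Expected = 1 },
    @{ Policy = 'Lock the Taskbar';
       Path = $explorer; Name = 'LockTaskbar'; Expected = 1 },
    @{ Policy = 'Prohibit access to the Control Panel';
       Path = $explorer; Name = 'NoControlPanel'; Expected = 1 },
    @{ Policy = 'Prevent adding printers';
       Path = $explorer; Name = 'NoAddPrinter'; Expected = 1 },
    @{ Policy = 'Prevent changing wallpaper';
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop';
       Name = 'NoChangingWallPaper'; Expected = 1 },
    @{ Policy = 'Password protect the screen saver';
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop';
       Name = 'ScreenSaverIsSecure'; Expected = '1' },   # REG_SZ, not DWORD
    @{ Policy = 'Prevent Codec Download (Windows Media Player)';
       Path = 'HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer';
       Name = 'PreventCodecDownload'; Expected = 1 },
    @{ Policy = 'Remove Task Manager';
       Path = $system; Name = 'DisableTaskMgr'; Expected = 1 }
)

function Get-PolicyState {
    # Read one policy value and classify it as Compliant, Drift, or Not Configured.
    param([hashtable]$Entry)

    $actual = $null
    if (Test-Path $Entry.Path) {
        $item = Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { $actual = $item.($Entry.Name) }
    }

    # Compare as strings so a REG_SZ "1" and a REG_DWORD 1 are both handled.
    $state = if ($actual -eq $null) { 'Not Configured' }
             elseif ("$actual" -eq "$($Entry.Expected)") { 'Compliant' }
             else { 'Drift' }

    New-Object PSObject -Property @{
        Policy   = $Entry.Policy
        Key      = $Entry.Path
        Value    = $Entry.Name
        Expected = $Entry.Expected
        Actual   = $actual
        State    = $state
    }
}

$report = $baseline | ForEach-Object { Get-PolicyState -Entry $_ }

# On-screen summary, then a CSV next to the exported policy list (assumed path).
$report | Format-Table Policy, State, Expected, Actual -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\local-policy-audit.csv" -NoTypeInformation
```

Run it in the user's own session, since every key here lives under HKCU and reflects that user's applied policy. A "Not Configured" row means the setting was never applied (or the image never carried it), while "Drift" means someone or something changed the value after imaging; because a non-domain workstation has no netlogon share to refresh from, Drift rows are the ones to re-apply through gpedit.msc or by re-imaging.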