POLEDIT

  • Thread starter Thread starter xamigax@gmail.com
  • Start date Start date
X

xamigax@gmail.com

Guest
Hi there!

I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each)
into barcode readers.
The society I have my mission in wants to have W98se on them (for many
PCs won't be supporting more than this, plus we need USB to work for
WiFi keys).

I have set up a prototype wich is perfectly working for it's supposed
to do.

Here's the prototype description:
Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader
application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers


Since the company does NOT want users to do anything BUT barcode, I
used POLEDIT to set up few restrictions (well, when I'm saying few
that very much "understatement"!).

I have set up two users:
administrator: no restriction at all, of course.
cbar: almost everything is forbiden (I can post the poledit settings)

Since W98 logon also allow to "escape" from login, I managed (just
can't remember how!) to copy cbar settings to the default user.

So, as said before, the proto is working fine.
Few people will have enough knowledge to tweak the security, for all
users have access to is the keyboard & the mouse (I know F8 is still a
solution while booting).

My problem is that I am now struggling to have the same settings on
the others machines.

All machines are ready to work, but none of them is "secured".
I wanted to know if anyone has any idea on how to duplicate the
POLEDITed security from one PC to the others.

My main trouble is the very large range of different machine: I tried
to use Acronis TrueImage, but the machine reboot is then endlessly
trying to add new hardware/drivers.

Any help VERY welcome!


Share & Enjoy,
Manolo
 
Re: POLEDIT

1 open poledit on the secure pc
2 save the settings to a policy (.pol) file

3a copy the .pol file to each pc's root folder
4a point the local poledit on each pc load from the policy file
or
3b save the .pol file to an accessible network shared folder
4b point each network pc to that shared policy file

3b 4b is easier to maintain, and modify the policies
There is a good howto on 'network policies on a stand alone computer' at
microsoft.
Go to www.dougknox.com for a regedit &.vbs script to force login, no escape
key.
--
-- -- -- -- --
Adaware http://www.lavasoft.de
spybot http://www.safer-networking.org
AVG free antivirus http://free.grisoft.com/
Etrust/Vet/CA.online Antivirus scan
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Super Antispyware http://www.superantispyware.com/
Panda online AntiVirus scan http://www.activescan.com
Panda online AntiSpyware Scan
http://www.pandasoftware.com/virus_info/spyware/test/
Catalog of removal tools (1)
http://www.pandasoftware.com/download/utilities/
Catalog of removal tools (2)
http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?CID=40387
Trouble Shooting guide to Windows http://mvps.org/winhelp2002/
Blocking Unwanted Parasites with a Hosts file
http://mvps.org/winhelp2002/hosts.htm
links provided as a courtesy, read all instructions on the pages before
use
Grateful thanks to the authors/webmasters
_
<xamigax@gmail.com> wrote in message
news:755f1e12-6d04-4e92-ac63-328fc3c00e26@i29g2000prf.googlegroups.com...
> Hi there!
>
> I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each)
> into barcode readers.
> The society I have my mission in wants to have W98se on them (for many
> PCs won't be supporting more than this, plus we need USB to work for
> WiFi keys).
>
> I have set up a prototype wich is perfectly working for it's supposed
> to do.
>
> Here's the prototype description:
> Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader
> application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers
>
>
> Since the company does NOT want users to do anything BUT barcode, I
> used POLEDIT to set up few restrictions (well, when I'm saying few
> that very much "understatement"!).
>
> I have set up two users:
> administrator: no restriction at all, of course.
> cbar: almost everything is forbiden (I can post the poledit settings)
>
> Since W98 logon also allow to "escape" from login, I managed (just
> can't remember how!) to copy cbar settings to the default user.
>
> So, as said before, the proto is working fine.
> Few people will have enough knowledge to tweak the security, for all
> users have access to is the keyboard & the mouse (I know F8 is still a
> solution while booting).
>
> My problem is that I am now struggling to have the same settings on
> the others machines.
>
> All machines are ready to work, but none of them is "secured".
> I wanted to know if anyone has any idea on how to duplicate the
> POLEDITed security from one PC to the others.
>
> My main trouble is the very large range of different machine: I tried
> to use Acronis TrueImage, but the machine reboot is then endlessly
> trying to add new hardware/drivers.
>
> Any help VERY welcome!
>
>
> Share & Enjoy,
> Manolo
 
Re: POLEDIT



<xamigax@gmail.com> wrote in message
news:755f1e12-6d04-4e92-ac63-328fc3c00e26@i29g2000prf.googlegroups.com...
| Hi there!
|
| I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each)
| into barcode readers.
| The society I have my mission in wants to have W98se on them (for many
| PCs won't be supporting more than this, plus we need USB to work for
| WiFi keys).
|
| I have set up a prototype which is perfectly working for it's supposed
| to do.
|
| Here's the prototype description:
| Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader
| application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers
|
|
| Since the company does NOT want users to do anything BUT barcode, I
| used POLEDIT to set up few restrictions (well, when I'm saying few
| that very much "understatement"!).

Let's hope so. If you left anything open which should have been shutdown,
someone will likely find it.

|
| I have set up two users:
| administrator: no restriction at all, of course.
| cbar: almost everything is forbidden (I can post the poledit settings)

You could post them, I suppose unless someone complains first.

|
| Since W98 logon also allow to "escape" from login, I managed (just
| can't remember how!) to copy cbar settings to the default user.

|
| So, as said before, the proto is working fine.
| Few people will have enough knowledge to tweak the security, for all
| users have access to is the keyboard & the mouse (I know F8 is still a
| solution while booting).
|
| My problem is that I am now struggling to have the same settings on
| the others machines.
|
| All machines are ready to work, but none of them is "secured".
| I wanted to know if anyone has any idea on how to duplicate the
| POLEDITed security from one PC to the others.
|
| My main trouble is the very large range of different machine: I tried
| to use Acronis TrueImage, but the machine reboot is then endlessly
| trying to add new hardware/drivers.
|
| Any help VERY welcome!
|
|
| Share & Enjoy,
| Manolo

AlmostBob posted some suggestions related to how to address the policies,
others may join in ...

Policies can be difficult to set up, but there is some information
available on the Internet.
In that regard I have created a small page of some of the settings you may
want to check.

http://peoplescounsel.orgfree.com/ref/gen/security/after_policies.htm

NOTE: this is nowhere near a definitive work, just some things to check
after/during policy creation [or locking down a local network]... check the
Internet for other.. My page presumes you have already shut-down the most
common issues that may be related.

--
MEB
http://peoplescounsel.orgfree.com
________
 
Re: POLEDIT

On 30 nov, 14:20, xami...@gmail.com wrote:
> Hi there!
>
> I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each)
> into barcode readers.
> The society I have my mission in wants to have W98se on them (for many
> PCs won't be supporting more than this, plus we need USB to work for
> WiFi keys).
>
> I have set up a prototype wich is perfectly working for it's supposed
> to do.
>
> Here's the prototype description:
> Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader
> application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers
>
> Since the company does NOT want users to do anything BUT barcode, I
> used POLEDIT to set up few restrictions (well, when I'm saying few
> that very much "understatement"!).
>
> I have set up two users:
> administrator: no restriction at all, of course.
> cbar: almost everything is forbiden (I can post the poledit settings)
>
> Since W98 logon also allow to "escape" from login, I managed (just
> can't remember how!) to copy cbar settings to the default user.
>
> So, as said before, the proto is working fine.
> Few people will have enough knowledge to tweak the security, for all
> users have access to is the keyboard & the mouse (I know F8 is still a
> solution while booting).
>
> My problem is that I am now struggling to have the same settings on
> the others machines.
>
> All machines are ready to work, but none of them is "secured".
> I wanted to know if anyone has any idea on how to duplicate the
> POLEDITed security from one PC to the others.
>
> My main trouble is the very large range of different machine: I tried
> to use Acronis TrueImage, but the machine reboot is then endlessly
> trying to add new hardware/drivers.
>
> Any help VERY welcome!
>
> Share & Enjoy,
> Manolo



Thanks both of you for answering.
I finally found a way to duplicate all policies quite easily (easier
than having to set-up each one of the remaining PCs).
Help welcomed, even if some of the suggestions could not be done
(company 's decision).
Like having the policy on a network location.

Plus I faced *many* troubles having exactly the same settings doing
exactly the same results!
Do I need to blame the poor W98 multi-user capabilities, the high
variety of hardware involved from one PC to another...?
Or both :-)

So, here's what I ended with:
I set up Poledit on each PC, then only define the users I need
(Administrator & BarCode), leaving all settings to default.
Then I copy the user.dat (3 different: default user + admin + barcode)
into their respective folders.
And the job seems to be done!

I successfully "secured" one machine doing so, now trying for a second
one (can't believe how often I am asked to help poor educated users
around the building... Costing me a lot of time & energy.

I'll come back later to post the result I got doing things the way I
am...
So if someone needs help in the future (is there still a future for
W98, appart from industrial company like the one I am working for?),
he might found these posts usefull.


Share & enjoy,

Manolo
 
Re: POLEDIT

On 3 déc, 13:11, xami...@gmail.com wrote:
> On 30 nov, 14:20, xami...@gmail.com wrote:
>
>
>
> > Hi there!

>
> > I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each)
> > into barcode readers.
> > The society I have my mission in wants to have W98se on them (for many
> > PCs won't be supporting more than this, plus we need USB to work for
> > WiFi keys).

>
> > I have set up a prototype wich is perfectly working for it's supposed
> > to do.

>
> > Here's the prototype description:
> > Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader
> > application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers

>
> > Since the company does NOT want users to do anything BUT barcode, I
> > used POLEDIT to set up few restrictions (well, when I'm saying few
> > that very much "understatement"!).

>
> > I have set up two users:
> > administrator: no restriction at all, of course.
> > cbar: almost everything is forbiden (I can post the poledit settings)

>
> > Since W98 logon also allow to "escape" from login, I managed (just
> > can't remember how!) to copy cbar settings to the default user.

>
> > So, as said before, the proto is working fine.
> > Few people will have enough knowledge to tweak the security, for all
> > users have access to is the keyboard & the mouse (I know F8 is still a
> > solution while booting).

>
> > My problem is that I am now struggling to have the same settings on
> > the others machines.

>
> > All machines are ready to work, but none of them is "secured".
> > I wanted to know if anyone has any idea on how to duplicate the
> > POLEDITed security from one PC to the others.

>
> > My main trouble is the very large range of different machine: I tried
> > to use Acronis TrueImage, but the machine reboot is then endlessly
> > trying to add new hardware/drivers.

>
> > Any help VERY welcome!

>
> > Share & Enjoy,
> > Manolo

>
> Thanks both of you for answering.
> I finally found a way to duplicate all policies quite easily (easier
> than having to set-up each one of the remaining PCs).
> Help welcomed, even if some of the suggestions could not be done
> (company 's decision).
> Like having the policy on a network location.
>
> Plus I faced *many* troubles having exactly the same settings doing
> exactly the same results!
> Do I need to blame the poor W98 multi-user capabilities, the high
> variety of hardware involved from one PC to another...?
> Or both :-)
>
> So, here's what I ended with:
> I set up Poledit on each PC, then only define the users I need
> (Administrator & BarCode), leaving all settings to default.
> Then I copy the user.dat (3 different: default user + admin + barcode)
> into their respective folders.
> And the job seems to be done!
>
> I successfully "secured" one machine doing so, now trying for a second
> one (can't believe how often I am asked to help poor educated users
> around the building... Costing me a lot of time & energy.
>
> I'll come back later to post the result I got doing things the way I
> am...
> So if someone needs help in the future (is there still a future for
> W98, appart from industrial company like the one I am working for?),
> he might found these posts usefull.
>
> Share & enjoy,
>
> Manolo



Back for more:

As said in this previous post, my choice was to duplicate USER.DAT
from one PC to the others.
Things turned out to be much easier this way.
I now have 17 machines, working perfectly the way the company wanted
them to!
After we (company's responsibles & I) validated the first "prototype",
I did an image (thanks acronis!) of the entire disk...

I picked up the machine I had set up earlier, wich were held in the
archives room, to aply the policies on them, one by one.

I had installed each PC with all the "barcode" application requiered:
Win98SE (USB support for Wifi)
MSInstaller2.0
IE5.5 (most "economical" choice, since most PC are old and with little
(64Mo) RAM)
DotNet2.0
NOO_RemotePC (barcode app)

believe me: a lot of reboot for each machine :-) !

Then I "fine" tuned each:
Telling W98 that users can have their own profiles,
Adding two users to the default "esc on login": admin + cbar
Having once logged each and cleaned up their desktop & start menu

Install the "POLEDIT" manager
copy the "config.pol" from the prototype

Then replacing each "USER.DAT" with the one I copied form my
prototype.
Here the trick:
by default all users have "all rights"

So the order you copy the "USER.DAT" DOES matter.
So, when you're ready to have your policies copied, "escape" the login
request.
Then replace the USER.DAT located in "c:\windows\profiles\admin\" & "c:
\windows\profiles\cbar\" with the ones from your prototype.
Restart the PC (DO NOT LOG OFF)
Log in as admin
Then replace the "c:\windows\user.dat" with the one form your
prototype.
Then restart (DO NOT LOG OFF)
You now have your 3 "profiles" working 100%

Don't forget to save some "image" (Acronis True Image, still the best)
of the result!
My last advice:
do multiple images, so you can have various "restoration points" (IE:
before replacing all USER.DAT is a minimum if you don't want to have a
full reinstall to be requiered, in case of troubles)

So, my prime mission is successfull; I can now give more time to
poorly skilled, and way too few "updated knowledges" (talking from a
computer point of view) employes ;-) !


Share & Enjoy,

Manolo
 
Re: POLEDIT



<xamigax@gmail.com> wrote in message
news:cbf586fc-50e0-43df-9e5f-552d5a8fdca0@j20g2000hsi.googlegroups.com...
On 3 dc, 13:11, xami...@gmail.com wrote:
> On 30 nov, 14:20, xami...@gmail.com wrote:
>
>
>
> > Hi there!

>
> > I have to recycle 20 old PCs (from PII to PIV, 64Mo RAM at least each)
> > into barcode readers.
> > The society I have my mission in wants to have W98se on them (for many
> > PCs won't be supporting more than this, plus we need USB to work for
> > WiFi keys).

>
> > I have set up a prototype wich is perfectly working for it's supposed
> > to do.

>
> > Here's the prototype description:
> > Win98se + MSInstaller2.0 + IE5.5 + DotNet2.0 + barcode reader
> > application (NOO_RemotePC, if anyone knows this) + WiFi USB drivers

>
> > Since the company does NOT want users to do anything BUT barcode, I
> > used POLEDIT to set up few restrictions (well, when I'm saying few
> > that very much "understatement"!).

>
> > I have set up two users:
> > administrator: no restriction at all, of course.
> > cbar: almost everything is forbiden (I can post the poledit settings)

>
> > Since W98 logon also allow to "escape" from login, I managed (just
> > can't remember how!) to copy cbar settings to the default user.

>
> > So, as said before, the proto is working fine.
> > Few people will have enough knowledge to tweak the security, for all
> > users have access to is the keyboard & the mouse (I know F8 is still a
> > solution while booting).

>
> > My problem is that I am now struggling to have the same settings on
> > the others machines.

>
> > All machines are ready to work, but none of them is "secured".
> > I wanted to know if anyone has any idea on how to duplicate the
> > POLEDITed security from one PC to the others.

>
> > My main trouble is the very large range of different machine: I tried
> > to use Acronis TrueImage, but the machine reboot is then endlessly
> > trying to add new hardware/drivers.

>
> > Any help VERY welcome!

>

|> > Share & Enjoy,
|> > Manolo
|>
|> Thanks both of you for answering.
|> I finally found a way to duplicate all policies quite easily (easier
|> than having to set-up each one of the remaining PCs).
|> Help welcomed, even if some of the suggestions could not be done
|> (company 's decision).
|> Like having the policy on a network location.
|>
|> Plus I faced *many* troubles having exactly the same settings doing
|> exactly the same results!
|> Do I need to blame the poor W98 multi-user capabilities, the high
|> variety of hardware involved from one PC to another...?
|> Or both :-)
|>
|> So, here's what I ended with:
|> I set up Poledit on each PC, then only define the users I need
|> (Administrator & BarCode), leaving all settings to default.
|> Then I copy the user.dat (3 different: default user + admin + barcode)
|> into their respective folders.
|> And the job seems to be done!
|>
|> I successfully "secured" one machine doing so, now trying for a second
|> one (can't believe how often I am asked to help poor educated users
|> around the building... Costing me a lot of time & energy.
|>
|> I'll come back later to post the result I got doing things the way I
|> am...
|> So if someone needs help in the future (is there still a future for
|> W98, appart from industrial company like the one I am working for?),
|> he might found these posts usefull.
|>
|> Share & enjoy,
|>
|> Manolo
|
|
|Back for more:
|
|As said in this previous post, my choice was to duplicate USER.DAT
|from one PC to the others.
|Things turned out to be much easier this way.
|I now have 17 machines, working perfectly the way the company wanted
|them to!
|After we (company's responsibles & I) validated the first "prototype",
|I did an image (thanks acronis!) of the entire disk...
|
|I picked up the machine I had set up earlier, wich were held in the
|archives room, to aply the policies on them, one by one.
|
|I had installed each PC with all the "barcode" application requiered:
|Win98SE (USB support for Wifi)
|MSInstaller2.0
|IE5.5 (most "economical" choice, since most PC are old and with little
|(64Mo) RAM)
|DotNet2.0
|NOO_RemotePC (barcode app)
|
|believe me: a lot of reboot for each machine :-) !
|
|Then I "fine" tuned each:
|Telling W98 that users can have their own profiles,
|Adding two users to the default "esc on login": admin + cbar
|Having once logged each and cleaned up their desktop & start menu
|
|Install the "POLEDIT" manager
|copy the "config.pol" from the prototype
|
|Then replacing each "USER.DAT" with the one I copied form my
|prototype.
|Here the trick:
|by default all users have "all rights"
|
|So the order you copy the "USER.DAT" DOES matter.
|So, when you're ready to have your policies copied, "escape" the login
|request.
|Then replace the USER.DAT located in "c:\windows\profiles\admin\" & "c:
|\windows\profiles\cbar\" with the ones from your prototype.
|Restart the PC (DO NOT LOG OFF)
|Log in as admin
|Then replace the "c:\windows\user.dat" with the one form your
|prototype.
|Then restart (DO NOT LOG OFF)
|You now have your 3 "profiles" working 100%
|
|Don't forget to save some "image" (Acronis True Image, still the best)
|of the result!
|My last advice:
|do multiple images, so you can have various "restoration points" (IE:
|before replacing all USER.DAT is a minimum if you don't want to have a
|full reinstall to be requiered, in case of troubles)
|
|So, my prime mission is successfull; I can now give more time to
|poorly skilled, and way too few "updated knowledges" (talking from a
|computer point of view) employes ;-) !
|
|
|Share & Enjoy,
|
|Manolo

Thanks for posting back with your results.

The difficulty with our supplying answers to your issues related to your
indications of specific policies required by the company. We could not know
exactly what those were, moreover, you had indicated that these would
over-rule any suggestions that might have been made.

This is not unusual when setting up ANY OS and network with company defined
policies. IT and testing departments [and the like] suffer under those same
issues whenever a portion of the network is changed in some form, be it for
new VISTA computers, a network printer, web access, changes limiting
previous allowed activity, and dozens of other allowances or limits; or as
in your case, machines for consumer and/or other defined simple and/or
specific use.

Many have been in your position before, and many have used something
similar to what you did. Others, however, have needed to proceed in a
different manner, such as: by using the base clone for basic roll-out, but
distribute specific additional setups or updated setups via the master
server(s)..There are numerous *white papers* and other help distributed by
Microsoft and others, but they can only example or provide a direction, as
individual network setups may be close, but need other specialized aspects
addressed on individual segments or specific computers.

Again, thanks for posting your method and successful results. Be aware
though, that you must remain diligent related to these special nodes in the
network, as they require monitoring for potential tweaks and potentially may
still be compromised [sometimes it takes many tweaks to plug the holes, or
the eventual maintenance.
{Hint: People hate being limited on a business's computer, most think that
computer is THEIR'S to use as they wish. Block their external contact with a
firewall and policies, and they will attempt to install an anti-firewall and
bypass those policies; block usage of E-Mail and they will seek a way to
circumvent that; block installation of personal programs and they will ask
somewhere for information on how to circumvent that. Its a never ending
battle. It doesn't really matter whether its 98 or VISTA, if there is a
determined individual, they WILL search for a way around the
restrictions/limitations, and be irate when confronted that they can't do
these things or can be fired when they do.}

Good luck...

--
MEB
http://peoplescounsel.orgfree.com/
________
 
Back
Top