\[Editor's Note: Share your NT discoveries, comments, and solutions and reach out to other Windows NT Magazine readers (including Microsoft). Email your contributions (under 400 words) to Karen Forster at karen@winntmag.com. Please include your phone number and a photo (.bmp) of yourself. We will edit submissions for style, grammar, and length. If we print your letter, you'll receive $100.\]

In our corporate environment, we needed an efficient way to create a standard Windows NT 3.51 environment that we could lock from user tampering. We also wanted to avoid going to every PC to manually standardize every desktop. By using a few simple tools that ship with NT and the Microsoft Windows NT Resource Kit for NT 3.51, we can control every aspect of the security of the standard user environment--for example, we can prevent the user from changing the properties of an icon or from moving icons around on the screen. This standardization has saved our support staff hundreds of hours in configuring user desktops.

The first step is to create a new user profile (such as ProfileAdmin) that you use to configure the NT desktop. Give this user profile Administrator rights on the local NT workstation. Next, you want to set up a prototype NT PC where you will create the custom configuration.

After you log on as ProfileAdmin from your prototype PC, configure the desktop to your liking (see the NT manuals for information on user profiles and Knowledge Base Article Q128624 at http://www.microsoft.com/kb/articles/q128/6/24.htm for options you can configure). You can configure properties such as desktop wallpaper, screen saver, Program Manager groups, and icons. Screen 1 shows our standard desktop setup.

Notice that we added a Warrantech Information Systems group as a Common group. This group contains all necessary programs for any user who logs on to this NT machine. We can make any changes to the default system setup in this Common group, and any user who logs on to this PC will immediately see the changes. This group is also completely safe from user tampering because only members of the Administrator group can make changes to Common program groups.

Because Common groups are specific to a particular NT machine, we faced re-creating this group on every machine we wanted to standardize. To overcome this limitation, we used two utilities from the Resource Kit, regtogrp.exe and grptoreg.exe, as you see in Screen 2.

These utilities convert the Registry settings for the program groups to .grp files and vice versa. This capability lets you copy program groups from one PC to another.
At the command prompt, you type

regtogrp

to create the .grp files for your program groups. We're just interested in the Common group (Warrantech Information Systems) we created. Regtogrp inserts the letter c at the beginning of each common program group's name and removes any spaces. So, in our case, regtogrp wrote the group to the cwarrantechinformationsystems.grp file. Copy this file and grptoreg.exe to a central location. Also, create a small batch file that you can double-click in File Manager to execute the necessary command:

GRPTOREG /o /c cWarrantechInformationSystems.grp

Finally, after you create all the groups and configure all the settings, run the User Profile Editor, upedit.exe, that comes with NT Server or the Resource Kit. Screen 3 shows the User Profile Editor. You can set the restrictions according to your network policies (refer to the upedit.hlp file for details). After you make these settings, select File, Save As from the menu and enter a filename with a .man extension. This extension will prevent any accidental changes to the profile.

Next, go into User Manager and open the properties for the ProfileAdmin user. Click the Profile button, and enter the full path name (I suggest using a universal naming convention--UNC--path) and filename of the newly created profile for the User Profile Path option.

Finally, to standardize an NT workstation, log on to the target PC as ProfileAdmin. Make sure the ProfileAdmin user is part of the local Administrator group (only administrators can create Common program groups). NT will load the profile and the desktop will appear as you set it up, except without the Common group. Go into File Manager and double-click the batch file you created to run the grptoreg program. The Common group will appear.

Next, open the User Profile Editor program (which you need to copy to the home directory for ProfileAdmin). Select File, Save As User Default from the menu to save the default desktop settings for anyone who has not signed on to this particular PC before. Now, whenever anyone new logs on to this PC, they will have the standardized desktop.


Point-to-Point Tunneling Protocol
Imagine that you want to connect to your home network over the Internet but you don't have a direct connection to the Internet and you haven't bothered to obtain a static IP address from your Internet Service Provider (ISP). You can still connect to your home network via Remote Access Service (RAS) with Point-to-Point Tunneling Protocol (PPTP) by following a few steps.

  1. Install and configure RAS to use regular telephone lines on your machine and your home server.
  2. Install PPTP and Virtual Private Network (VPN) ports on both machines.
  3. Configure the VPN port on the server to receive calls.
  4. Add an entry for your ISP in Dial-Up Networking (DUN) on your server, and dial your ISP.
  5. Open the DUN monitor on your server (mine is in Startup and appears in the system tray on the task bar). Select the Summary tab, and double-click the entry for your ISP. Note the IP address.
  6. Start RAS on your server.
  7. Go to the DOS prompt on either your machine or your home server and type
    ping -A ###.###.###.### where # is the IP address you noted in step 5.
  8. You will see the message
    Pinging \[###.###.###.###\] with 32 bytes of data:
  9. Dial up your ISP from your machine.
  10. From your machine, open the properties for the Phone Book connection to your home server, and change the Dial Using entry to the VPN port and change the phone number to the hostname.domainname.type from step 8.
  11. Click Dial, and enter your username and password.

Because the IP address and the matching host name that the ISP assigns you are dynamic, you may have to step through this process every time your server connects to your ISP.