  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 459
  • Last Modified:

Disable Change Password option to students

We are an educational establishment with a network consisting of approx. 200 machines, 50 or 60 of which are win2k. I have tried applying the registry amendments to stop kids pressing ctrl+alt+del and changing their passwords (by 'greying out' the change password option, not disabling ctrl+alt+del). The problem I have found is that the reg key needs to be amended on the Local_Machine and also current_user. I need to know if there is a better way to disable the change password option in win2k than applying the regedit amendments, which are troublesome to say the least. Any information would be greatly appreciated.
0
xmark66
1 Solution
 
oBdA commented:
Ahem - what's wrong with the option "user cannot change password" in user properties?
0
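oBdA's suggestion applied to many accounts at once, as an added example that is not part of the original thread: the batch file below sets "User cannot change password" with net user for each logon name in a text file and reads the setting back. The file name students.txt is a hypothetical placeholder, and the script assumes it is run with domain administrator rights.

```batch
@echo off
rem Added example, not from the thread.
rem Sets the "User cannot change password" account option for every logon
rem name in a list, then reads each account back to confirm the setting.
rem Assumption: students.txt is a hypothetical file, one logon name per line.
setlocal
set LIST=students.txt
if not exist "%LIST%" (
    echo Account list "%LIST%" not found.
    goto :eof
)
for /f "usebackq tokens=1" %%U in ("%LIST%") do call :lock %%U
endlocal
goto :eof

:lock
rem /passwordchg:no turns on "User cannot change password" for the account.
rem /domain applies the change on the domain controller, not the local SAM.
net user %1 /passwordchg:no /domain >nul 2>&1
if errorlevel 1 (
    echo FAILED   %1
    goto :eof
)
rem Show the stored value; the line should read "User may change password  No".
echo %1
net user %1 /domain | find "User may change password"
goto :eof
```

Because the option is stored on the account itself, it does not depend on any registry value being present on the workstation where the student logs on.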
 
sramesh2k commented:

Registry is the better method:
http://support.microsoft.com/?kbid=309799
0
 
sramesh2k commented:

You may also use the minimum password age feature:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;273004
0
 
MSGeek commented:
There are two ways to accomplish this.  First, for your Win2k clients you can enable the Group Policy under the system.adm template, under Administrative Templates - System - Logon/Logoff - Disable Change Password - set to enabled.

On the Win9x machines you will have to use extensible policies and Poledit.exe to create a policy file for these workstations.   We accomplished this by grouping several templates together to develop a Main.pol file which we put on the sysvol.  As they log on, any changes made to the main.pol get propagated out to the Win9x computers.

In order to use system policies you must enable user profiles. After user profiles are enabled, many user specific changes made to the workstation (i.e. print capturing, proxy server settings) will only apply to the user who made them. When connected to a network, your user profile will follow you to each workstation that has user profiles enabled. This can cause confusion and make it very difficult to make changes to a workstation once profiles are enabled.

User profiles can be disabled without disabling system policies as follows. Remove all history for all users at the workstation by deleting the C:\WINDOWS\PROFILES subdirectory on the workstation with the autoexec. With a registry edit made via policies the user information is no longer copied to the server. The workstation is then forced to build all “profile” information from the local workstation. This allows you to easily make changes that will affect all future users of that workstation without affecting any other workstations on the network. One downfall is that every time you log in you get the “You haven’t logged in to this …..Would you like to save your …..” prompt every time you login to a workstation.

Implementing policies involves making a policy file with a policy editor. The policy editor requires a template file that basically dictates what registry entries can be modified with policies.

Tools: TOOLS\RESKIT\NETADMIN\POLEDIT

You'll need to implement:

[HKEY_LOCAL_MACHINE\Network\Logon]
"PolicyHandler"="GROUPPOL.DLL,ProcessPolicies"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NTGetUserGroups"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NWNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NWGetUserGroups"

There are several default adm files in the poledit directory.  I

The following operations need to be performed on a workstation for policies to be enabled and for group support.

-Control Panel | Add/Remove Programs | Windows Setup | Have Disk | …..\poledit | Group Policies
-Run Poledit, File | Open Registry | Local Computer | Network | Update | Remote Update | Manual (\\servername\sys\public\main.pol), (Check Display Error Message)
-Add (Deltree /Y C:\WINDOWS\PROFILES) to autoexec.bat

The workstation setup can be automated with a login script or a batch file as follows.

     Map ROOT J:=\\Server\POLICY
     COPY J:GROUPPOL.DLL C:\WINDOWS
     COPY J:GROUPPOL.REG C:\WINDOWS
     REM AUTOEXEC.ADD contains the Deltree command
     COPY J:AUTOEXEC.BAT + C:\AUTOEXEC.ADD C:\AUTOEXEC.BAT
     REGEDIT GROUPPOL.REG
     REGEDIT REMPOL.REG

Bonus to block downloads in IE:
HKEY\localuser\software\microsoft\windows\currentversion\internet settings\zones\3

change the key value of key 1803 from 0 to 1   (zero to one)
0
 
CleanupPing commented:
xmark66:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
MSGeek commented:
xmark66.. you never responded to my last post, did it help?  MSGeek.

CleanupPing.. if there is no response I would object to a refund and/or deletion.
0