xmark66

Disable Change Password option to students

We are an educational establishment with a network consisting of approx. 200 machines, 50 or 60 of which are Win2k. I have tried applying the registry amendments to stop kids pressing Ctrl+Alt+Del and changing their passwords (by 'greying out' the change password option, not disabling Ctrl+Alt+Del). The problem I have found is that the reg key needs to be amended on the Local_Machine and also current_user. I need to know if there is a better way to disable the change password option in Win2k than applying the regedit amendments, which are troublesome to say the least. Any information would be greatly appreciated.
oBdA

Ahem - what's wrong with the option "user cannot change password" in user properties?

You may also use the minimum password age feature:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;273004
There are two ways to accomplish this.  First, for your Win2k clients you can enable the Group Policy under the system.adm template, under Administrative Templates - System - Logon/Logoff - Disable Change Password - set to enabled.

On the Win9x machines you will have to use extensible policies and Poledit.exe to create a policy file for these workstations.   We accomplished this by grouping several templates together to develop a Main.pol file which we put on the sysvol.  As they log on, any changes made to the main.pol get propagated out to the Win9x computers.

In order to use system policies you must enable user profiles. After user profiles are enabled, many user specific changes made to the workstation (i.e. print capturing, proxy server settings) will only apply to the user who made them. When connected to a network, your user profile will follow you to each workstation that has user profiles enabled. This can cause confusion and make it very difficult to make changes to a workstation once profiles are enabled.

User profiles can be disabled without disabling system policies as follows. Remove all history for all users at the workstation by deleting the C:\WINDOWS\PROFILES subdirectory on the workstation with the autoexec. With a registry edit made via policies the user information is no longer copied to the server. The workstation is then forced to build all “profile” information from the local workstation. This allows you to easily make changes that will affect all future users of that workstation without affecting any other workstations on the network. One downfall is that every time you log in you get the “You haven’t logged in to this …..Would you like to save your …..” prompt every time you login to a workstation.

Implementing policies involves making a policy file with a policy editor. The policy editor requires a template file that basically dictates what registry entries can be modified with policies.

Tools: TOOLS\RESKIT\NETADMIN\POLEDIT

You'll need to implement:

[HKEY_LOCAL_MACHINE\Network\Logon]
"PolicyHandler"="GROUPPOL.DLL,ProcessPolicies"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NTGetUserGroups"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NWNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NWGetUserGroups"

There are several default adm files in the poledit directory.  I

The following operations need to be performed on a workstation for policies to be enabled and for group support.

-Control Panel | Add/Remove Programs | Windows Setup | Have Disk | …..\poledit | Group Policies
-Run Poledit, File | Open Registry | Local Computer | Network | Update | Remote Update | Manual (\\servername\sys\public\main.pol), (Check Display Error Message)
-Add (Deltree /Y C:\WINDOWS\PROFILES) to autoexec.bat

The workstation setup can be automated with a login script or a batch file as follows.

     Map ROOT J:=\\Server\POLICY
     COPY J:GROUPPOL.DLL C:\WINDOWS
     COPY J:GROUPPOL.REG C:\WINDOWS
     COPY J:AUTOEXEC.BAT + C:\AUTOEXEC.ADD C:\AUTOEXEC.BAT     (autoexec.add has Deltree command)
     REGEDIT GROUPPOL.REG
     REGEDIT REMPOL.REG

Bonus to block downloads in IE:
HKEY\localuser\software\microsoft\windows\currentversion\internet settings\zones\3

change the key value of key 1803 from 0 to 1   (zero to one)
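
As an added example (not part of the original answer): a Python check that parses a REGEDIT4 export taken from a Win9x workstation and reports which of the three GROUPPOL.DLL entries listed in the answer above are missing or differ. The function names and the sample export are constructed for illustration; comparing the data case-insensitively is an assumption of this sketch.

```python
import re

# The three values the answer above lists as required for group policy support.
REQUIRED = {
    (r"HKEY_LOCAL_MACHINE\Network\Logon", "PolicyHandler"):
        "GROUPPOL.DLL,ProcessPolicies",
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP32\NetworkProvider", "GroupFcn"):
        "GROUPPOL.DLL,NTGetUserGroups",
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NWNP32\NetworkProvider", "GroupFcn"):
        "GROUPPOL.DLL,NWGetUserGroups",
}

def _unescape(s):
    # .reg string syntax escapes backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse a REGEDIT4 export into {(key, value_name): data}; string values only."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1).lower()  # registry key names are case-insensitive
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and key:
            values[(key, _unescape(m.group(1)).lower())] = _unescape(m.group(2))
    return values

def audit(text):
    """Return (key, name, problem) for each required value that is missing or differs."""
    found = parse_reg(text)
    problems = []
    for (key, name), want in REQUIRED.items():
        got = found.get((key.lower(), name.lower()))
        if got is None:
            problems.append((key, name, "missing"))
        elif got.lower() != want.lower():
            problems.append((key, name, "unexpected: " + got))
    return problems

# Constructed sample export: PolicyHandler points elsewhere, NWNP32 entry is absent.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Network\Logon]
"PolicyHandler"="OTHER.DLL,ProcessPolicies"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSNP32\NetworkProvider]
"GroupFcn"="GROUPPOL.DLL,NTGetUserGroups"
'''

if __name__ == "__main__":
    for key, name, problem in audit(SAMPLE):
        print(f"{key}\\{name}: {problem}")
```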
xmark66:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
ASKER CERTIFIED SOLUTION
MSGeek