Solved

Suggestion for computer lockdown without affecting the admin login...

Posted on 2003-12-11
7
364 Views
Last Modified: 2013-12-04
Hi, my company wishes to implement computer lockdown to prevent users from installing illegal software, etc. Are there any other ways to implement this apart from

1. modifying the entries in the registry to restrict the user and hide Control Panel,

2. downgrading the users to domain user only,

without affecting the administrator rights when it is used to log on to a restricted computer?

This is because implementing step 1 will cause the restriction to take effect even when an admin logon is used. In other words, the restriction will apply to all users regardless of the type of user. For an admin to install other software will require reversing the changes and rebooting the PC quite a few times. This is time-consuming just to install new applications.

Any suggestions are welcome. Thanks.
0
Comment
Question by:maclakian
7 Comments
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9926320
>2. downgrade the users to domain user only
Huh?
IMHO, normal users should NEVER have Administrator-level access. They should ALWAYS be only members of the Domain Users group (and any other custom groups you have). No way should they have Power Users or Administrators group membership.
Doing that will only cause you problems, as they will try things they shouldn't, install things they shouldn't, and cause problems that you won't want to ever see.
So, I say do option 2, and they will get used to not having the extra power.
0
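
Added example, not part of the original thread: a PowerShell audit for the point made in the comment above, listing members of the local Administrators and Power Users groups that are not on an allowlist. It assumes a current Windows client with PowerShell 5.1 (the `Microsoft.PowerShell.LocalAccounts` cmdlets); the allowlist patterns and the function names `Test-AllowedPrincipal` and `Get-UnexpectedPrivilegedMember` are hypothetical.

```powershell
# Well-known SIDs are used instead of names so the audit also works on
# localized Windows builds where the groups are renamed.
$PrivilegedGroupSids = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-547'   # BUILTIN\Power Users
)

# ASSUMPTION: principals that may legitimately hold local admin rights.
# Constructed sample patterns; replace with your site's own list.
$AllowedNamePatterns = @(
    '*\Administrator'    # built-in local administrator account
    '*\Domain Admins'    # domain administrators group
)

function Test-AllowedPrincipal {
    param([string]$Name)
    foreach ($pattern in $AllowedNamePatterns) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

function Get-UnexpectedPrivilegedMember {
    foreach ($sid in $PrivilegedGroupSids) {
        $group = Get-LocalGroup -SID $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }    # group does not exist on this machine

        try {
            $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
        } catch {
            # Report enumeration failures instead of hiding them.
            Write-Warning "Could not enumerate '$($group.Name)': $_"
            continue
        }

        foreach ($member in $members) {
            if (-not (Test-AllowedPrincipal $member.Name)) {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Group    = $group.Name
                    Member   = $member.Name
                    Type     = $member.ObjectClass
                    Source   = $member.PrincipalSource
                }
            }
        }
    }
}

Get-UnexpectedPrivilegedMember | Format-Table -AutoSize
```

An empty result means every member of both groups matched the allowlist; any row is an account or group to move back to plain user membership.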
 
LVL 1

Expert Comment

by:charade-you-are
ID: 9953300
Create a GPO (gpedit.msc) and specify all the changes that you want. Then edit the security on the GPO and restrict access to administrator.

I don't think he is using a domain, because if he was he could add a snap-in GPO and set different levels of priority, making it possible to have a different GPO for each user/group.
0
 
LVL 1

Expert Comment

by:charade-you-are
ID: 9953313
In a workgroup environment I believe it is only possible (I'm pretty sure) to have 2 different types of accounts regarding GPOs - those affected by the GPO and those not affected by the GPO, i.e. restricting access / allowing access. Naturally an admin has access to everything - that's why I suggested restricting access. Keep in mind restricting access to admin may have some adverse effects, i.e. going and editing the GPO later.
0
 

Author Comment

by:maclakian
ID: 9962923
Yeah, charade-you-are is right. I encountered a hell of a lot of problems when implementing the reg lockdown... Made my life miserable... But as far as I know, gpedit.msc requires a DC (domain controller) with W2K & above to run. My company doesn't have a DC, which means no AD, because we use a PDC with NT...

Also, when downgrading a domain user with local admin rights to a normal local user, W2K will display the Windows welcome message even though the welcome message was disabled a long time ago. This means the OS recreates another profile. Check the profiles folder: a new profile has been created.

E.g. old profile: user_name
new profile: user_name/domain_name

Any idea why this happens? When it recreates and uses the new profile instead of the old profile, it screws up all the local profile settings... just made my life harder...

Cheers...
TQ
0
 
LVL 1

Accepted Solution

by:
charade-you-are earned 125 total points
ID: 9968781
No, you can use gpedit.msc in a standalone environment. It is a per-machine security measure.

On a standalone machine (or in a workgroup/domain env.) you type gpedit.msc in Run to edit policy for that machine.

In a domain env. you can admin all the GPOs on the DC by creating a GPO in "Active Directory Users and Computers":
right-click on the domain, Properties / Group Policy tab.

Here you can create new GPOs / edit GPOs / specify who uses the GPO.

Much more flexibility than in a standalone env., i.e. you can specify many GPOs on the same PC - different uses (I'm not sure if there is any limit at all / then again I've never been an admin in a domain of more than 400 PCs / 2000 users) (high school).

GPOs are read from top to bottom, and a single user can be affected by more than one GPO if things are not defined.

Hope I helped - I still think gpedit.msc is the best way to go.
0

Question has a verified solution.