Solved

Suggestion for computer lockdown without affecting the admin login...

Posted on 2003-12-11
Last Modified: 2013-12-04
Hi, my company wishes to implement computer lockdown to prevent users from installing illegal software, etc. Are there any other ways to implement this apart from

1. modifying the entries in the registry to restrict the user and hide the Control Panel,

2. downgrading the users to domain user only,

without affecting the administrator rights when it is used to log on to a restricted computer?

This is because implementing step 1 will cause the restriction to take effect even when an admin logon is used. In other words, the restriction will apply to all users regardless of the type of user. For an admin to install other software will require reversing the changes and rebooting the PC quite a few times. This is time-consuming just to install new applications.

Any suggestions are welcomed. Thanks.
Question by:maclakian
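
The registry approach in the question bites administrators when the restriction value lands under HKEY_LOCAL_MACHINE, which is machine-wide, instead of in one user's HKEY_CURRENT_USER hive. The following is an added example, not part of the original thread: it assumes the lock-down was captured as a `.reg` export, the sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a lock-down .reg export (not taken from the thread).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Example\App]
"Setting"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def classify(reg_text):
    """Return (scope, policy_subkey, value_name) for each enabled policy value."""
    findings = []
    hive = path = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            hive, path = m.group(1), m.group(2)
            continue
        m = VAL_RE.match(line)
        if not m or hive is None:
            continue
        # Only look at values stored under a ...\Policies\... key.
        if '\\policies\\' not in (path + '\\').lower():
            continue
        if int(m.group(2), 16) == 0:   # 0 means the restriction is switched off
            continue
        scope = 'machine-wide' if hive == 'HKEY_LOCAL_MACHINE' else 'per-user'
        findings.append((scope, path.rsplit('\\', 1)[-1], m.group(1)))
    return findings

def hits_admin_logon(findings):
    """Names of restrictions that are machine-wide, so an admin logon gets them too."""
    return sorted(name for scope, _, name in findings if scope == 'machine-wide')

if __name__ == '__main__':
    for scope, subkey, name in classify(SAMPLE_REG):
        print(f'{scope:12} {subkey}\\{name}')
```
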
Expert Comment

by:Joseph_Moore
ID: 9926320
>2. downgrade the users to domain user only
Huh?
IMHO, normal users should NEVER have Administrator-level access. They should ALWAYS be only members of the Domain Users group (and any other custom groups you have). No way should they have Power Users or Administrators group membership.
Doing that will only cause you problems, as they will try things they shouldn't, install things they shouldn't, and cause problems that you won't want to ever see.
So, I say do option 2, and they will get used to not having the extra power.
Expert Comment

by:charade-you-are
ID: 9953300
Create a GPO (gpedit.msc) and specify all the changes that you want. Then edit the security on the GPO and restrict access to administrator.

I don't think he is using a domain, because if he was he could add a snap-in GPO and set different levels of priority, making it possible to have a different GPO for each user/group.
Expert Comment

by:charade-you-are
ID: 9953313
In a workgroup environment I believe it is only possible (I'm pretty sure) to have 2 different types of accounts regarding GPOs: those affected by the GPO and those not affected by the GPO, i.e. restricting access / allowing access. Naturally an admin has access to everything; that's why I suggested restricting access. Keep in mind restricting access to admin may have some adverse effects, i.e. going and editing the GPO later.

Author Comment

by:maclakian
ID: 9962923
Yeah, charade-you-are is right. I encountered a hell of a lot of problems when implementing the reg lock down... Made my life miserable... But as far as I know, gpedit.msc requires a DC (domain controller) with W2K & above to run. My company doesn't have a DC, which means no AD, because we use a PDC with NT.....

Also, when downgrading a domain user with local admin rights to a normal local user, W2K will display the Windows welcome message even though the welcome message was disabled a long time ago. This means the OS recreates another profile. Check the profiles folder: a new profile is created.

E.g. old profile :- user_name
 new profile :- user_name/domain_name.

Any idea why this happens? Because when it recreates and uses the new profile instead of the old profile, it screws up all the local profile settings.. just made my life harder........

Cheers...
TQ
Accepted Solution

by:charade-you-are (earned 125 total points)
ID: 9968781
No, you can use gpedit.msc in a standalone environment. It is a per-machine security measure.

On a standalone machine (or in a workgroup/domain env.)

you type gpedit.msc in Run to edit policy for that machine.

In a domain env. you can admin all the GPOs on the DC by creating a GPO in "Active Directory Users and Computers":
right click on domain, Properties / Group Policy tab

Here you can create new GPOs / edit GPOs / specify who uses the GPO.

Much more flexibility than in a standalone env., i.e. you can specify many GPOs on the same PC for different uses (I'm not sure if there is any limit at all; then again I've never been an admin in a domain of more than 400 PCs / 2000 users) (high school).

GPOs are read from top to bottom, and a single user can be affected by more than one GPO if things are not defined.

Hope I helped. I still think gpedit.msc is the best way to go.