Suggestion for computer lockdown without affecting the admin login...

Hi, my company wishes to implement computer lockdown to prevent users from installing illegal software, etc. Is there any other way to implement this apart from

1. modifying the entries in the registry to restrict the user and hide
    Control Panel,

2. downgrading the users to domain user only,

without affecting the administrator rights when an administrator account is used to log on to a restricted computer?

This is because implementing step 1 will cause the restriction to take effect even when an admin logon is used. In other words, the restriction will apply to all users regardless of the type of user. For an admin to install other software will require reversing the changes and rebooting the PC quite a few times. This is time-consuming just to install new applications.

Any suggestions are welcomed. Thanks.
maclakian Asked:

Joseph_Moore Commented:
>2. downgrade the users to domain user only
Huh?
IMHO, normal users should NEVER have Administrator-level access. They should ALWAYS be only members of the Domain Users group (and any other custom groups you have). No way should they have Power Users or Administrators group membership.
Doing that will only cause you problems, as they will try things they shouldn't, install things they shouldn't, and cause problems that you won't want to ever see.
So, I say do option 2, and they will get used to not having the extra power.
0
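
An added example (not part of the original thread or any poster's code): a PowerShell audit that lists the members of the local Administrators and Power Users groups, the two memberships the comment above says normal users should not hold, and flags any account not on an allowlist. The allowlist entries, the `CONTOSO` domain name and the function names are assumptions; it relies on `Get-LocalGroupMember` from Windows PowerShell 5.1 or later, which postdates the NT/W2K systems in the question.

```powershell
# Added example: flag unexpected members of privileged local groups.
# Needs Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts, PowerShell 5.1+).

# Assumption: the only principals allowed to hold local admin rights.
# CONTOSO is a placeholder domain name.
$AllowList = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins'
)

function Get-PrivilegedMembership {
    # Enumerate the groups normal users should not belong to.
    param([string[]] $Group = @('Administrators', 'Power Users'))
    foreach ($g in $Group) {
        try {
            Get-LocalGroupMember -Group $g -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    Group  = $g
                    Member = $_.Name
                    Type   = $_.ObjectClass
                    Source = $_.PrincipalSource
                }
            }
        } catch {
            # Missing group or a member that cannot be resolved: warn, keep going.
            Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        }
    }
}

function Find-UnexpectedMember {
    # Return the rows whose member is not on the allowlist (case-insensitive).
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Membership,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $Membership | Where-Object { $Allowed -notcontains $_.Member }
}

# Constructed sample rows, to show the check without touching a live machine.
$sample = @(
    [pscustomobject]@{ Group = 'Administrators'; Member = "$env:COMPUTERNAME\Administrator" }
    [pscustomobject]@{ Group = 'Administrators'; Member = 'CONTOSO\jsmith' }
    [pscustomobject]@{ Group = 'Power Users';    Member = 'CONTOSO\Domain Users' }
)
Find-UnexpectedMember -Membership $sample -Allowed $AllowList | Format-Table

# Live audit of this machine:
Find-UnexpectedMember -Membership @(Get-PrivilegedMembership) -Allowed $AllowList
```

Run it from an elevated prompt on each workstation, or through whatever remote management channel the site already uses, and treat every returned row as an account to remove from the group or to add to the allowlist deliberately.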
charade-you-are Commented:
Create a GPO - gpedit.msc - and specify all the changes that you want. Then edit the security on the GPO and restrict access to administrator.

I don't think he is using a domain, because if he was he could add a snap-in GPO, and set different levels of priority, making it possible to have a different GPO for each user/group.
0
charade-you-are Commented:
In a workgroup environment I believe it is only possible (I'm pretty sure) to have 2 different types of accounts regarding GPOs - those affected by the GPO and those not affected by the GPO, i.e. restricting access / allowing access. Naturally an admin has access to everything - that's why I suggested restricting access. Keep in mind restricting access to admin may have some adverse effects, e.g. going and editing the GPO later.
0
maclakian (Author) Commented:
Yeah, charade-you-are is right. I encountered a hell of a lot of problems when implementing the reg lockdown... Made my life miserable... But as far as I know, gpedit.msc requires a DC (domain controller) with W2K & above to run. My company doesn't have a DC, which means no AD, coz we use a PDC with NT.....

Also, when downgrading a domain user with local admin rights to a normal local user, W2K will display the Windows welcome message even though the welcome message was disabled a long time ago. This means the OS recreates another profile. Check the profiles folder: a new profile is created.

E.g. old profile :- user_name
 new profile :- user_name/domain_name.

Any idea why this happens? Coz when it recreates and uses the new profile instead of the old profile, it screws up all the local profile settings.. just made my life harder........

Cheers...
TQ
0
charade-you-are Commented:
No, you can use gpedit.msc in a standalone environment. It is a per-machine security measure.

On a standalone machine (or in a workgroup/domain env.)

you type gpedit.msc in Run to edit policy for that machine.

In a domain env. you can admin all the GPOs on the DC by creating a GPO in "Active Directory Users and Computers":
right click on domain, Properties / Group Policy tab

Here you can create new GPOs / edit GPOs / specify who uses the GPO.

Much more flexibility than in a standalone env., i.e. you can specify many GPOs on the same PC - different users (I'm not sure if there is any limit at all / then again I've never been an admin in a domain of more than 400 PCs / 2000 users) (high school)

GPOs are read from top to bottom, and a single user can be affected by more than one GPO if things are not defined.

Hope I helped - I still think gpedit.msc is the best way to go.
0
Question has a verified solution.