Solved

Suggestion for computer lockdown without affecting the admin login...

Posted on 2003-12-11
Last Modified: 2013-12-04
Hi, my company wishes to implement computer lockdown to prevent users from installing illegal software etc. Are there any other ways to implement this apart from

1. modifying the entries in the registry to restrict the user and hide Control Panel,

2. downgrade the users to domain user only.

without affecting the administrator rights when it is used to log on to restricted computer.

This is because implementing step 1 will cause the restriction to take effect even when an admin logon is used. In other words, the restriction will apply to all users regardless of the type of user. For an admin to install other software will require reversing the changes and rebooting the PC quite a few times. This is time-consuming just to install new applications.

Any suggestions are welcomed. Thanks.
Question by:maclakian
7 Comments
 
LVL 6

Expert Comment

by:Joseph_Moore
ID: 9926320
>2. downgrade the users to domain user only
Huh?
IMHO, normal users should NEVER have Administrator-level access. They should ALWAYS be only members of the Domain Users group (and any other custom groups you have). No way should they have Power Users or Administrators group membership.
Doing that will only cause you problems, as they will try things they shouldn't, install things they shouldn't, and cause problems that you won't want to ever see.
So, I say do option 2, and they will get used to not having the extra power.
0
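
An added example (not part of the thread): a PowerShell check for the point made in the comment above, that ordinary accounts should not be members of the local Administrators or Power Users groups. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets; the function names and the allow-list are constructed for illustration.

```powershell
# Added example, not from the thread. Lists members of the local
# Administrators and Power Users groups that are not on an allow-list.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts).

# Well-known group SIDs, so the check also works on non-English installs.
$PrivilegedGroups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-547' = 'Power Users'
}

# Constructed allow-list (assumption): adjust to what your site permits.
$AllowedSidPatterns = @(
    '^S-1-5-21-.*-500$',   # built-in Administrator account (RID 500)
    '^S-1-5-21-.*-512$'    # Domain Admins group (RID 512)
)

function Test-AllowedSid {
    param([string]$Sid)
    foreach ($pattern in $AllowedSidPatterns) {
        if ($Sid -match $pattern) { return $true }
    }
    return $false
}

function Get-UnexpectedPrivilegedMember {
    foreach ($groupSid in $PrivilegedGroups.Keys) {
        try {
            $members = Get-LocalGroupMember -SID $groupSid -ErrorAction Stop
        } catch {
            # The group may be missing or hold an unresolvable member;
            # surface that instead of silently reporting a clean result.
            Write-Warning "Could not read $($PrivilegedGroups[$groupSid]): $_"
            continue
        }
        foreach ($m in $members) {
            if (-not (Test-AllowedSid -Sid $m.SID.Value)) {
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Group    = $PrivilegedGroups[$groupSid]
                    Member   = $m.Name
                    Sid      = $m.SID.Value
                    Class    = $m.ObjectClass
                }
            }
        }
    }
}

Get-UnexpectedPrivilegedMember | Format-Table -AutoSize
```

An empty table means every member matched the allow-list; any row is an account to remove from the group or to justify.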
 
LVL 1

Expert Comment

by:charade-you-are
ID: 9953300
Create a GPO - gpedit.msc - and specify all the changes that you want. Then edit the security on the GPO and restrict access to administrator.

I don't think he is using a domain, because if he was he could add a snap-in GPO and set different levels of priority, making it possible to have a different GPO for each user/group.
0
 
LVL 1

Expert Comment

by:charade-you-are
ID: 9953313
In a workgroup environment I believe it is only possible (I'm pretty sure) to have 2 different types of accounts regarding GPOs - those affected by the GPO and those not affected by the GPO, i.e. restricting access / allowing access. Naturally an admin has access to everything - that's why I suggested restricting access. Keep in mind restricting access to admin may have some adverse effects, i.e. going and editing the GPO later.
0
 

Author Comment

by:maclakian
ID: 9962923
Yeah, charade-you-are is right. Encountered a hell of a lot of problems when implementing the reg lockdown... Made my life miserable... But as far as I know, gpedit.msc requires a DC (domain controller) with W2K & above to run. My company doesn't have a DC, which means no AD, because we use a PDC with NT.....

Also, when downgrading a domain user with local admin rights to a normal local user, W2K will display the Windows welcome message even though the welcome message was disabled a long time ago. This means the OS recreates another profile. Checking the profiles folder shows a new profile was created.

E.g. old profile: user_name
new profile: user_name/domain_name

Any idea why this happens? Because when it recreates and uses the new profile instead of the old profile, it screws up all the local profile settings.. just made my life harder........

Cheers...
TQ
0
 
LVL 1

Accepted Solution

by:
charade-you-are earned 125 total points
ID: 9968781
No, you can use gpedit.msc in a standalone environment. It is a per-machine security measure.

On a standalone machine (or in a workgroup/domain env.) you type gpedit.msc in Run to edit policy for that machine.

In a domain env. you can admin all the GPOs on the DC by creating a GPO in "Active Directory Users and Computers":
right-click on the domain, Properties / Group Policy tab.

Here you can create new GPOs / edit GPOs / specify who uses the GPO.

Much more flexibility than in a standalone env., i.e. you can specify many GPOs on the same PC - different uses (I'm not sure if there is any limit at all / then again I've never been an admin in a domain of more than 400 PCs / 2000 users) (high school).

GPOs are read from top to bottom, and a single user can be affected by more than one GPO if things are not defined.

Hope I helped - I still think gpedit.msc is the best way to go.
0
