Solved

Server 2003 Group Policy

Posted on 2004-04-14
11
463 Views
Last Modified: 2010-03-18
Hi!

I'd to know if there is a simple way to create a group policy in AD so that all users logging into workstations on our network would have critical options disabled. Some of those options would include:

Access to the Control Panel
being able to run "cmd" or "command" from Run Window
being able to run "regedit.exe" from Run Window
...and any other functions that could adversley affect the workstation

FYI none of the workstations have specific user accounts set up locally. Users just log in and based on AD and by default inherit the "users" permissions which are restricted.

I'm really new to AD so step-by-step instructions would very much be appreciated.

Thanks!

Clark



0
Comment
Question by:killyman
  • 5
  • 5
11 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 250 total points
ID: 10824402
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the appropriate domain object, and then click Properties.
Click the Group Policy tab to view currently linked group policy objects.
Click the Default Domain Policy GPO link, and then click Edit.

You can lock it down pretty tight. Most options are under Administrative Tools in Computer and USer Configs.
0
 
LVL 4

Expert Comment

by:nyck6623
ID: 10835180
Like diggisaur said, he only left out one good thing get the GPMC
Group policy management console.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Its the best GPO editor and management console to date.
0
 

Author Comment

by:killyman
ID: 10839069
Thanks diggisaur and nyck6623!

We only have one domain so I'm not sure if I really need the GPMC, or do I?

I've got the Group Policy Object Editor open now and I see the following trees:

Computer Configuration
+Software Settings
+Windows Settings
+Administrative Templates

User Configuration
+Software Settings
+Windows Settings
+Administrative Templates

Which "Configuration" should I modify to prevent users from accessing CMD, regedit.exe and msconfig from the Run window? Also how would I prevent users from running programs like Outlook Express and Windows Media Player?

To give you an idea of what I've tried to do so far, I've logged into a few workstations as administrator and have set the permissions on the Outlook Express folder in Program Files to deny rights to it by "users". Although this works and prevents the users from opening up Outlook Express, it doesn't seem like a very efficient or easy way to restrict such access.

As I stated before, I'm still in the very early stages of learning how the security structure of network environments work.

Clark



0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10845906
Well

+ User Config
 + Admin Templates
   + Start Menu and Taskbar

Should have "Remove Run Menu From Start Menu"
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10845937
Still looking for the other ones for you....
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 

Author Comment

by:killyman
ID: 10847881
Thanks diggisaur!

I configured the option to hide the Run window and it works, but I noticed one problem. When I log in as Administrator, the Run windows is also unavailable. Is there any way to configure this policy so that only the Administrator (when logged in as Administrator of course) has the Run window available?

Clark
0
 

Author Comment

by:killyman
ID: 10848698
Diggisaur,

One more thing.

I've got RealVNC installed and running on all of the clients. I figured out a way to prevent the icon from showing in the systray upon boot up. The problem was that users could open up the administrative panel from the icon and change the log in password.

I had to remove the following value "WinVNC" from the registry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is there a way I can remove this value accross the board with the group policy? Maybe this is a log on scripting issue?

Thanks,

Clark

0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10849138
How to keep domain policies from applying to admins and selected users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;315675&Product=win2000
0
 

Author Comment

by:killyman
ID: 10892821
Diggisaur,

Just wondering if there is a way through Group Policy to lock down (prevent users from using) specific programs such as Outlook Express and Outlook. I saw an option to lock down Windows Messenger, but not specific programs.

Right now, I'm logging into workstations as administrator and denying rights to the specific application's *.exe file for the user. This is obviously not the best way to manage up to 50 computers.

Clark
0
 

Author Comment

by:killyman
ID: 10896148
Diggisaur,

Nevermind...

I did a search via google and found the following Microsoft Knowledge Base article which answered my question.
http://support.microsoft.com/?kbid=323525

Clark
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10904869
Ah glad you fixed it but sorry i Couldnt respond...been tech busy all day.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nslookup is a command line driven utility supplied as part of most Windows operating systems that can reveal information related to domain names and the Internet Protocol (IP) addresses associated with them. In simple terms, it is a tool that can …
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
A short film showing how OnPage and Connectwise integration works.
This is a video that shows how the OnPage alerts system integrates into ConnectWise, how a trigger is set, how a page is sent via the trigger, and how the SENT, DELIVERED, READ & REPLIED receipts get entered into the internal tab of the ConnectWise …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now