Server 2003 Group Policy

Hi!

I'd like to know if there is a simple way to create a group policy in AD so that all users logging into workstations on our network would have critical options disabled. Some of those options would include:

Access to the Control Panel
being able to run "cmd" or "command" from Run Window
being able to run "regedit.exe" from Run Window
...and any other functions that could adversely affect the workstation

FYI, none of the workstations have specific user accounts set up locally. Users just log in based on AD and by default inherit the "users" permissions, which are restricted.

I'm really new to AD so step-by-step instructions would very much be appreciated.

Thanks!

Clark



killymanAsked:
 
Gareth Gudger Commented:
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the appropriate domain object, and then click Properties.
Click the Group Policy tab to view currently linked group policy objects.
Click the Default Domain Policy GPO link, and then click Edit.

You can lock it down pretty tight. Most options are under Administrative Tools in Computer and User Configs.
 
nyck6623 Commented:
Like diggisaur said. He only left out one good thing: get the GPMC (Group Policy Management Console).
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

It's the best GPO editor and management console to date.
 
killyman (Author) Commented:
Thanks diggisaur and nyck6623!

We only have one domain so I'm not sure if I really need the GPMC, or do I?

I've got the Group Policy Object Editor open now and I see the following trees:

Computer Configuration
+Software Settings
+Windows Settings
+Administrative Templates

User Configuration
+Software Settings
+Windows Settings
+Administrative Templates

Which "Configuration" should I modify to prevent users from accessing CMD, regedit.exe and msconfig from the Run window? Also how would I prevent users from running programs like Outlook Express and Windows Media Player?

To give you an idea of what I've tried to do so far, I've logged into a few workstations as administrator and have set the permissions on the Outlook Express folder in Program Files to deny rights to it by "users". Although this works and prevents the users from opening up Outlook Express, it doesn't seem like a very efficient or easy way to restrict such access.

As I stated before, I'm still in the very early stages of learning how the security structure of network environments works.

Clark




 
Gareth Gudger Commented:
Well

+ User Config
 + Admin Templates
   + Start Menu and Taskbar

Should have "Remove Run Menu From Start Menu"
 
Gareth Gudger Commented:
Still looking for the other ones for you....
 
killyman (Author) Commented:
Thanks diggisaur!

I configured the option to hide the Run window and it works, but I noticed one problem. When I log in as Administrator, the Run window is also unavailable. Is there any way to configure this policy so that only the Administrator (when logged in as Administrator of course) has the Run window available?

Clark
 
killyman (Author) Commented:
Diggisaur,

One more thing.

I've got RealVNC installed and running on all of the clients. I figured out a way to prevent the icon from showing in the systray upon boot up. The problem was that users could open up the administrative panel from the icon and change the log in password.

I had to remove the following value "WinVNC" from the registry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is there a way I can remove this value across the board with the group policy? Maybe this is a log on scripting issue?

Thanks,

Clark

 
Gareth Gudger Commented:
How to keep domain policies from applying to admins and selected users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;315675&Product=win2000
 
killyman (Author) Commented:
Diggisaur,

Just wondering if there is a way through Group Policy to lock down (prevent users from using) specific programs such as Outlook Express and Outlook. I saw an option to lock down Windows Messenger, but not specific programs.

Right now, I'm logging into workstations as administrator and denying rights to the specific application's *.exe file for the user. This is obviously not the best way to manage up to 50 computers.

Clark
 
killyman (Author) Commented:
Diggisaur,

Nevermind...

I did a search via Google and found the following Microsoft Knowledge Base article which answered my question.
http://support.microsoft.com/?kbid=323525

Clark
 
Gareth Gudger Commented:
Ah, glad you fixed it, but sorry I couldn't respond... been tech busy all day.
Question has a verified solution.
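
A read-only check for the settings discussed in this thread, added here as an example and not posted by any participant: run it as an ordinary user after the GPO applies to see which restrictions are actually in force, and as Administrator to see whether the policy still reaches that account. It assumes PowerShell is installed on the workstation. The registry value names are the ones the User Configuration Administrative Templates policies write; `DisallowRun` is one way to block specific programs and is not necessarily the method in the KB article linked above.

```powershell
# Added example: read-only report of the lockdown settings discussed above,
# for the user running the script. It changes nothing.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Setting = 'Control Panel blocked';   Path = $explorer; Name = 'NoControlPanel' },
    @{ Setting = 'Run menu removed';        Path = $explorer; Name = 'NoRun' },
    @{ Setting = 'Listed programs blocked'; Path = $explorer; Name = 'DisallowRun' },
    @{ Setting = 'Command prompt blocked'
       Path    = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name    = 'DisableCMD' },
    @{ Setting = 'Registry editors blocked'
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableRegistryTools' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or the value is missing, i.e. the policy is not set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-LockdownReport {
    foreach ($c in $checks) {
        $data = Get-RegValue $c.Path $c.Name
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Value    = $c.Name
            Data     = $data
            Enforced = ($null -ne $data -and [int]$data -ge 1)
        } | Select-Object Setting, Value, Data, Enforced
    }
}

function Get-BlockedPrograms {
    # With DisallowRun = 1, each value under the DisallowRun subkey names one blocked .exe.
    $key = Get-Item -Path "$explorer\DisallowRun" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

Get-LockdownReport | Format-Table -AutoSize
'Blocked programs: ' + ((Get-BlockedPrograms) -join ', ')

# Machine-wide autostart entry from the RealVNC post (value name taken from that post).
$vnc = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'WinVNC'
if ($null -eq $vnc) { 'WinVNC Run value: absent' } else { "WinVNC Run value: still present -> $vnc" }
```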
