Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Server 2003 Group Policy

Posted on 2004-04-14
11
Medium Priority
?
476 Views
Last Modified: 2010-03-18
Hi!

I'd to know if there is a simple way to create a group policy in AD so that all users logging into workstations on our network would have critical options disabled. Some of those options would include:

Access to the Control Panel
being able to run "cmd" or "command" from Run Window
being able to run "regedit.exe" from Run Window
...and any other functions that could adversley affect the workstation

FYI none of the workstations have specific user accounts set up locally. Users just log in and based on AD and by default inherit the "users" permissions which are restricted.

I'm really new to AD so step-by-step instructions would very much be appreciated.

Thanks!

Clark



0
Comment
Question by:killyman
  • 5
  • 5
11 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 1000 total points
ID: 10824402
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the appropriate domain object, and then click Properties.
Click the Group Policy tab to view currently linked group policy objects.
Click the Default Domain Policy GPO link, and then click Edit.

You can lock it down pretty tight. Most options are under Administrative Tools in Computer and USer Configs.
0
 
LVL 4

Expert Comment

by:nyck6623
ID: 10835180
Like diggisaur said, he only left out one good thing get the GPMC
Group policy management console.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

Its the best GPO editor and management console to date.
0
 

Author Comment

by:killyman
ID: 10839069
Thanks diggisaur and nyck6623!

We only have one domain so I'm not sure if I really need the GPMC, or do I?

I've got the Group Policy Object Editor open now and I see the following trees:

Computer Configuration
+Software Settings
+Windows Settings
+Administrative Templates

User Configuration
+Software Settings
+Windows Settings
+Administrative Templates

Which "Configuration" should I modify to prevent users from accessing CMD, regedit.exe and msconfig from the Run window? Also how would I prevent users from running programs like Outlook Express and Windows Media Player?

To give you an idea of what I've tried to do so far, I've logged into a few workstations as administrator and have set the permissions on the Outlook Express folder in Program Files to deny rights to it by "users". Although this works and prevents the users from opening up Outlook Express, it doesn't seem like a very efficient or easy way to restrict such access.

As I stated before, I'm still in the very early stages of learning how the security structure of network environments work.

Clark



0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10845906
Well

+ User Config
 + Admin Templates
   + Start Menu and Taskbar

Should have "Remove Run Menu From Start Menu"
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10845937
Still looking for the other ones for you....
0
 

Author Comment

by:killyman
ID: 10847881
Thanks diggisaur!

I configured the option to hide the Run window and it works, but I noticed one problem. When I log in as Administrator, the Run windows is also unavailable. Is there any way to configure this policy so that only the Administrator (when logged in as Administrator of course) has the Run window available?

Clark
0
 

Author Comment

by:killyman
ID: 10848698
Diggisaur,

One more thing.

I've got RealVNC installed and running on all of the clients. I figured out a way to prevent the icon from showing in the systray upon boot up. The problem was that users could open up the administrative panel from the icon and change the log in password.

I had to remove the following value "WinVNC" from the registry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is there a way I can remove this value accross the board with the group policy? Maybe this is a log on scripting issue?

Thanks,

Clark

0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10849138
How to keep domain policies from applying to admins and selected users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;315675&Product=win2000
0
 

Author Comment

by:killyman
ID: 10892821
Diggisaur,

Just wondering if there is a way through Group Policy to lock down (prevent users from using) specific programs such as Outlook Express and Outlook. I saw an option to lock down Windows Messenger, but not specific programs.

Right now, I'm logging into workstations as administrator and denying rights to the specific application's *.exe file for the user. This is obviously not the best way to manage up to 50 computers.

Clark
0
 

Author Comment

by:killyman
ID: 10896148
Diggisaur,

Nevermind...

I did a search via google and found the following Microsoft Knowledge Base article which answered my question.
http://support.microsoft.com/?kbid=323525

Clark
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10904869
Ah glad you fixed it but sorry i Couldnt respond...been tech busy all day.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question