Solved

Server 2003 Group Policy

Posted on 2004-04-14
Last Modified: 2010-03-18
Hi!

I'd like to know if there is a simple way to create a group policy in AD so that all users logging into workstations on our network would have critical options disabled. Some of those options would include:

Access to the Control Panel
being able to run "cmd" or "command" from Run Window
being able to run "regedit.exe" from Run Window
...and any other functions that could adversely affect the workstation

FYI none of the workstations have specific user accounts set up locally. Users just log in and based on AD and by default inherit the "users" permissions which are restricted.

I'm really new to AD so step-by-step instructions would very much be appreciated.

Thanks!

Clark



Question by:killyman
11 Comments
 
LVL 31

Accepted Solution

by:
Gareth Gudger earned 250 total points
ID: 10824402
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the appropriate domain object, and then click Properties.
Click the Group Policy tab to view currently linked group policy objects.
Click the Default Domain Policy GPO link, and then click Edit.

You can lock it down pretty tight. Most options are under Administrative Tools in Computer and User Configs.
0
 
LVL 4

Expert Comment

by:nyck6623
ID: 10835180
Like diggisaur said; he only left out one good thing: get the GPMC (Group Policy Management Console).
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

It's the best GPO editor and management console to date.
0
 

Author Comment

by:killyman
ID: 10839069
Thanks diggisaur and nyck6623!

We only have one domain so I'm not sure if I really need the GPMC, or do I?

I've got the Group Policy Object Editor open now and I see the following trees:

Computer Configuration
+Software Settings
+Windows Settings
+Administrative Templates

User Configuration
+Software Settings
+Windows Settings
+Administrative Templates

Which "Configuration" should I modify to prevent users from accessing CMD, regedit.exe and msconfig from the Run window? Also how would I prevent users from running programs like Outlook Express and Windows Media Player?

To give you an idea of what I've tried to do so far, I've logged into a few workstations as administrator and have set the permissions on the Outlook Express folder in Program Files to deny rights to it by "users". Although this works and prevents the users from opening up Outlook Express, it doesn't seem like a very efficient or easy way to restrict such access.

As I stated before, I'm still in the very early stages of learning how the security structure of network environments works.

Clark



0

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10845906
Well

+ User Config
 + Admin Templates
   + Start Menu and Taskbar

Should have "Remove Run Menu From Start Menu"
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10845937
Still looking for the other ones for you....
0
 

Author Comment

by:killyman
ID: 10847881
Thanks diggisaur!

I configured the option to hide the Run window and it works, but I noticed one problem. When I log in as Administrator, the Run window is also unavailable. Is there any way to configure this policy so that only the Administrator (when logged in as Administrator of course) has the Run window available?

Clark
0
 

Author Comment

by:killyman
ID: 10848698
Diggisaur,

One more thing.

I've got RealVNC installed and running on all of the clients. I figured out a way to prevent the icon from showing in the systray upon boot up. The problem was that users could open up the administrative panel from the icon and change the log in password.

I had to remove the following value "WinVNC" from the registry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is there a way I can remove this value across the board with the group policy? Maybe this is a log on scripting issue?

Thanks,

Clark

0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10849138
How to keep domain policies from applying to admins and selected users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;315675&Product=win2000
0
 

Author Comment

by:killyman
ID: 10892821
Diggisaur,

Just wondering if there is a way through Group Policy to lock down (prevent users from using) specific programs such as Outlook Express and Outlook. I saw an option to lock down Windows Messenger, but not specific programs.

Right now, I'm logging into workstations as administrator and denying rights to the specific application's *.exe file for the user. This is obviously not the best way to manage up to 50 computers.

Clark
0
 

Author Comment

by:killyman
ID: 10896148
Diggisaur,

Nevermind...

I did a search via Google and found the following Microsoft Knowledge Base article which answered my question.
http://support.microsoft.com/?kbid=323525

Clark
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 10904869
Ah, glad you fixed it, but sorry I couldn't respond... been tech busy all day.
0
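
A read-only check for the lockdowns discussed in this thread, added here as an example and not written by any of the posters: it reports which user-side restrictions are in effect for the account that runs it and whether the WinVNC Run value is still present. The registry value names are the standard backing values of the named Administrative Templates settings and are not given in the thread; PowerShell is assumed to be installed on the workstation.

```powershell
# Added example (not from the thread): report which user-side lockdowns apply to
# the account running this script. Read-only; nothing is changed.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

$checks = @(
    @{ Setting = 'Remove Run menu from Start Menu';          Path = $explorer; Name = 'NoRun' }
    @{ Setting = 'Prohibit access to the Control Panel';     Path = $explorer; Name = 'NoControlPanel' }
    @{ Setting = 'Prevent access to registry editing tools'; Path = $system;   Name = 'DisableRegistryTools' }
    @{ Setting = 'Prevent access to the command prompt';     Path = $cmdPol;   Name = 'DisableCMD' }
    @{ Setting = "Don't run specified Windows applications"; Path = $explorer; Name = 'DisallowRun' }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the setting is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = foreach ($c in $checks) {
    $data  = Get-PolicyValue $c.Path $c.Name
    $state = if ($null -eq $data) { 'Not configured' } elseif ($data -ne 0) { 'Enforced' } else { 'Disabled' }
    [pscustomobject]@{ Setting = $c.Setting; Value = $c.Name; Data = $data; State = $state }
}

# "Don't run specified Windows applications" keeps its executable list in a subkey.
$blocked = @()
$listKey = Join-Path $explorer 'DisallowRun'
if (Test-Path $listKey) {
    $k = Get-Item $listKey
    $blocked = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
}

"Policy state for $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
$report | Format-Table -AutoSize
"Blocked executables: $(if ($blocked) { $blocked -join ', ' } else { '(none listed)' })"
"WinVNC Run value still present: $($null -ne (Get-PolicyValue $runKey 'WinVNC'))"
```

Running it once as an ordinary user and once as Administrator shows whether the restrictions reach only the accounts they are meant for.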
