Server 2003 Group Policy

Posted on 2004-04-14
Last Modified: 2010-03-18
Hi!

I'd like to know if there is a simple way to create a group policy in AD so that all users logging into workstations on our network would have critical options disabled. Some of those options would include:

Access to the Control Panel
being able to run "cmd" or "command" from Run Window
being able to run "regedit.exe" from Run Window
...and any other functions that could adversely affect the workstation

FYI, none of the workstations have specific user accounts set up locally. Users just log in based on AD and by default inherit the "users" permissions, which are restricted.

I'm really new to AD so step-by-step instructions would very much be appreciated.

Thanks!

Clark



Question by:killyman

Accepted Solution

by:
Gareth Gudger earned 250 total points
ID: 10824402
Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the appropriate domain object, and then click Properties.
Click the Group Policy tab to view currently linked group policy objects.
Click the Default Domain Policy GPO link, and then click Edit.

You can lock it down pretty tight. Most options are under Administrative Tools in Computer and User Configs.
Expert Comment

by:nyck6623
ID: 10835180
Like diggisaur said; he only left out one good thing: get the GPMC, the Group Policy Management Console.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx

It's the best GPO editor and management console to date.
Author Comment

by:killyman
ID: 10839069
Thanks diggisaur and nyck6623!

We only have one domain so I'm not sure if I really need the GPMC, or do I?

I've got the Group Policy Object Editor open now and I see the following trees:

Computer Configuration
+Software Settings
+Windows Settings
+Administrative Templates

User Configuration
+Software Settings
+Windows Settings
+Administrative Templates

Which "Configuration" should I modify to prevent users from accessing CMD, regedit.exe and msconfig from the Run window? Also how would I prevent users from running programs like Outlook Express and Windows Media Player?

To give you an idea of what I've tried to do so far, I've logged into a few workstations as administrator and have set the permissions on the Outlook Express folder in Program Files to deny rights to it by "users". Although this works and prevents the users from opening up Outlook Express, it doesn't seem like a very efficient or easy way to restrict such access.

As I stated before, I'm still in the very early stages of learning how the security structure of network environments works.

Clark



Expert Comment

by:Gareth Gudger
ID: 10845906
Well

+ User Config
 + Admin Templates
   + Start Menu and Taskbar

Should have "Remove Run Menu From Start Menu"
Expert Comment

by:Gareth Gudger
ID: 10845937
Still looking for the other ones for you....
Author Comment

by:killyman
ID: 10847881
Thanks diggisaur!

I configured the option to hide the Run window and it works, but I noticed one problem. When I log in as Administrator, the Run window is also unavailable. Is there any way to configure this policy so that only the Administrator (when logged in as Administrator, of course) has the Run window available?

Clark
Author Comment

by:killyman
ID: 10848698
Diggisaur,

One more thing.

I've got RealVNC installed and running on all of the clients. I figured out a way to prevent the icon from showing in the systray upon boot-up. The problem was that users could open up the administrative panel from the icon and change the login password.

I had to remove the following value "WinVNC" from the registry below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Is there a way I can remove this value across the board with the group policy? Maybe this is a logon scripting issue?

Thanks,

Clark

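The WinVNC Run value named in the post above can be removed fleet-wide with a GPO startup script; the following PowerShell is an added example, not something posted in this thread. It assumes the script is linked under Computer Configuration > Windows Settings > Scripts (Startup), because a logon script runs under the user's token and cannot write HKLM while a startup script runs as SYSTEM; the log path is an assumption, and PowerShell itself was not yet available on the XP/2003 clients of this thread's era.

```powershell
# Added example (not from the thread): remove the RealVNC "WinVNC" autorun
# value on every workstation via a GPO *startup* script (runs as SYSTEM).
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'WinVNC'                                            # value named in the thread
$LogFile   = "$env:SystemRoot\Temp\remove-winvnc-autorun.log"   # assumed log location

function Remove-AutorunValue {
    param([string]$Key, [string]$Name, [string]$Log)
    $stamp    = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $existing = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-Content $Log "$stamp $env:COMPUTERNAME ${Name}: not present, nothing to do"
        return $false
    }
    # Record what the value pointed at before deleting it, so a later audit can
    # confirm it really was the VNC tray launcher and not something else.
    Add-Content $Log "$stamp $env:COMPUTERNAME ${Name}: removing '$($existing.$Name)'"
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    return $true
}

try {
    Remove-AutorunValue -Key $RunKey -Name $ValueName -Log $LogFile | Out-Null
} catch {
    Add-Content $LogFile "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $env:COMPUTERNAME ERROR: $_"
    exit 1
}
```

Deleting the Run value only stops the tray launcher at boot; the VNC service itself is untouched, so the password panel stays reachable to anyone who can start the tray program another way, which is where the per-application restrictions this thread asks about come in.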
Expert Comment

by:Gareth Gudger
ID: 10849138
How to keep domain policies from applying to admins and selected users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;315675&Product=win2000
Author Comment

by:killyman
ID: 10892821
Diggisaur,

Just wondering if there is a way through Group Policy to lock down (prevent users from using) specific programs such as Outlook Express and Outlook. I saw an option to lock down Windows Messenger, but not specific programs.

Right now, I'm logging into workstations as administrator and denying rights to the specific application's *.exe file for the user. This is obviously not the best way to manage up to 50 computers.

Clark
Author Comment

by:killyman
ID: 10896148
Diggisaur,

Never mind...

I did a search via google and found the following Microsoft Knowledge Base article which answered my question.
http://support.microsoft.com/?kbid=323525

Clark
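To confirm, from a restricted test account after `gpupdate /force` and a fresh logon, that the lockdown settings discussed in this thread (Control Panel, the Run window, cmd, regedit, and blocking named programs) actually reached a workstation, the following PowerShell audit is an added example rather than anything posted in the thread. It assumes the Administrative Template policies of those names were enabled in the GPO and reads the HKCU policy values they write; it also assumes a client where PowerShell is installed.

```powershell
# Added example (not from the thread): audit the HKCU values written by the
# User Configuration > Administrative Templates policies named below.
$checks = @(
    @{ Name = 'Prohibit access to the Control Panel (Control Panel folder)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoControlPanel' },
    @{ Name = 'Remove Run menu from Start Menu (Start Menu and Taskbar folder)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoRun' },
    @{ Name = 'Prevent access to the command prompt (System folder)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                   Value = 'DisableCMD' },
    @{ Name = 'Prevent access to registry editing tools (System folder)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Value = 'DisableRegistryTools' },
    @{ Name = "Don't run specified Windows applications (System folder)"
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'DisallowRun' }
)

function Test-LockdownPolicy {
    foreach ($c in $checks) {
        # -ErrorAction SilentlyContinue yields $null when the key or value is absent,
        # i.e. the policy never applied to this user.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        # DisableCMD uses 1 (block cmd and scripts) or 2 (block cmd, allow scripts);
        # the others are 1 when enabled, so treat any value >= 1 as enforced.
        $state = if ($item -and $item.($c.Value) -ge 1) { 'ENFORCED' } else { 'NOT SET' }
        [pscustomobject]@{ Policy = $c.Name; Registry = "$($c.Path)\$($c.Value)"; State = $state }
    }
}

Test-LockdownPolicy | Format-Table -AutoSize

# The DisallowRun block list lives in a subkey: string values "1", "2", ... each
# holding an executable file name such as msimn.exe (Outlook Express).
$list = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $list) {
    (Get-ItemProperty $list).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { "Blocked by DisallowRun: $($_.Value)" }
}
```

NoRun and DisallowRun are Explorer shell settings, so a program started by any other launcher is unaffected; for a hard block on specific executables, Server 2003 GPOs also offer Software Restriction Policies under Windows Settings > Security Settings.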
Expert Comment

by:Gareth Gudger
ID: 10904869
Ah, glad you fixed it, but sorry I couldn't respond... been tech busy all day.