Active Directory - Policy

Posted on 2004-10-24
Last Modified: 2010-04-14
I would like to establish a policy for a particular OU for security purposes that prevents all members of the OU from the following:

- Installing any applications on local machine
- Changing their network settings on local machine
- Changing their display settings on local machine

Basically what I want is only for the users to be able to use their existing applications that I have installed for them. Is the fact that these users have local admin privileges going to be an issue? Or will the policy prevail once they log onto the domain?

Question by:andreacadia

Expert Comment

ID: 12395615
Put them per GPO into the Users group and it will be fine.
With admin rights it's hard to prevent what you want to prevent.

Accepted Solution

brownmetals earned 1500 total points
ID: 12395665
Hi there.

Group policy does normally apply to Administrator accounts, but using this article, you can prevent that from happening.

Allowing each user to have local admin privileges isn't in line with Microsoft Best Practices. In fact, I'd highly suggest against it. User access for client machines is best controlled with permissions. That's the main function of permissions. Again, I would highly suggest putting users in user groups, and then assigning permissions to those groups so that users can perform their respective job functions. If each user is given normal user privileges, you also wouldn't have to set up Group Policy for installing applications and changing network settings. Users would not have these privileges in that instance.

To help solve your issue, this article will help you use Group Policy to hide certain control panel icons.

This article is for disabling screen saver passwords. In this same section, you can make changes to other display settings options. For example, you can disable access to the screen saver tab completely. You should also be able to disable access to the settings tab. The display dialog box has several tabs. You can select the Group Policy Object that "hides" that tab from the end user.

Group Policy is for gaining centralized control over your network. Allowing clients to have local admin privileges provides less control for you as the administrator. As a suggestion, I would revoke local admin privileges from the users, set up normal user accounts for each client, place clients in a logical group, and then assign permission to that group. Using Local User Groups and Group Policy together will give you great control, and make it much easier to administer.

Hope this is helpful.
Good luck!
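
To act on the advice above about revoking local admin rights, it helps to first see who holds them on each client. The script below is an added example, not part of the original answers; it assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated session, and the `-Remediate` switch and the RID-based keep list are choices made for this illustration.

```powershell
# Added example: audit the local Administrators group and optionally demote
# unexpected members to standard users. Not code from the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: without it the script only reports.
    [switch]$Remediate,
    # Assumption: keep the built-in Administrator (RID 500) and
    # Domain Admins (RID 512); adjust to your own policy.
    [string[]]$KeepRidPattern = @('-500$', '-512$')
)

# Well-known SIDs avoid problems with localized group names.
$AdminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users

foreach ($member in Get-LocalGroupMember -SID $AdminsSid) {
    $sid  = $member.SID.Value
    $keep = $false
    foreach ($pattern in $KeepRidPattern) {
        if ($sid -match $pattern) { $keep = $true }
    }
    if ($keep) { continue }

    # Report every unexpected holder of local admin rights.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $member.Name
        Class    = $member.ObjectClass
        Source   = $member.PrincipalSource
        SID      = $sid
    }

    if ($Remediate -and
        $PSCmdlet.ShouldProcess($member.Name, 'Move from Administrators to Users')) {
        if ($member.ObjectClass -eq 'User') {
            # Add to Users first so the account keeps a normal logon path;
            # an "already a member" error is expected and ignored.
            Add-LocalGroupMember -SID $UsersSid -Member $member -ErrorAction SilentlyContinue
        }
        Remove-LocalGroupMember -SID $AdminsSid -Member $member
    }
}
```

Run it with no arguments to get the report, then with `-Remediate -WhatIf` to preview the membership changes before applying them.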


Expert Comment

ID: 13755823
Thanks for the answering. Hope you were able to solve the issue to meet your needs.



Question has a verified solution.
