• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 290
  • Last Modified:

Restricting Users running Windows XP on a 2003 SBS Domain

Hi, trying to disable users only, not administrator (ME), from accessing certain control panel features like netwokr connection and system, and also disabling them only from running certain programs.   I have a domain running Windows 2003 Small Business Server.  I have no clue how to set up a Group Policy or an OU.  Now, lets say we do get the users from not accessing certain control panel and certain softwares, if i log on with my username and password on their computer, i want to be able to have full access to everything?  Is there something that has to be setup on the Server?  I was able to do the logon Message, now to give it a final touch this is all i need.

If anyone can help, it will be highly appreciated.

Thanks!
0
dieseldom
Asked:
dieseldom
  • 10
  • 8
1 Solution
 
gpriceeeCommented:
Ensure your user account is not in the same OU as the users you wish to restrict.

On the OU with the users you wish to restrict, right click --> properties --> Group Policy Tab.
Under User Configuration --> Administrative Templates --> Control Panel
Change your settings there.

When you logon as a user not in that OU, the policy will not apply to you.
0
 
dieseldomAuthor Commented:
How do i get to the OU?
0
 
gpriceeeCommented:
Start --> All Programs --> Administrative Tools --> Active Directory Users and Computers.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
dieseldomAuthor Commented:
let me give it a shot...hold on
0
 
dieseldomAuthor Commented:
ok, i'm sorry what is the OU..i'm in the Active Directory Users and Computers...is it something I have to create.  and how do i keep my self out of this restriction.  Sorry to be a pain, but new to this Windows 2003....I was comfortable with NT.

Thanks for the help!
0
 
gpriceeeCommented:
That's okay.  We're all working on the same stuff.

The "folders" under your domain name are objects and Organizational Units.
The objects simply look like folders--your users are probably there.
The OUs have some funky book looking thing on the folder icon.
If you have a small network, your OU design can be easy, but you need to be careful: the goal is no more than three layers deep.

So, what would I do here?
I would raise the functional level of the domain to 2003: http://support.microsoft.com/kb/322692

Then, I would right click the domain, new --> Organizational Unit.
Then, I would name it something like SecuredUsers.
Then I would redirect all users and new users to the OU:
from the cmd prompt:
c:\windows\system32\redirusr ou=SecuredUsers,DC=domainname,dc=com (replace the domainname an com with the appropriate information)


This will allow your policies to be applied to ALL newly created users.

Make sure your account is located in a different OU.

0
 
dieseldomAuthor Commented:
The OU  is not listed there.  Where else would it be?
0
 
gpriceeeCommented:
Users is an object by default, not an OU.
What you're doing is CREATING the SecuredUsers OU, amking it the defauklt OU for new users, and applying your group policy to it.
0
 
dieseldomAuthor Commented:
ok the users are located under the My Business\Users\SBUsers in the Active Directory Users and Computers.

If i right click on a user and go to property, there is no Group Policy Tab.
0
 
dieseldomAuthor Commented:
but if i right click on the SBUsers folder and go to policy, I see the group policy tab but its telling me that I have to open the Group Policy Management.  Is there a way to disable that?
0
 
gpriceeeCommented:
Exactly--the folder should look just like a folder; it's an object, not an OU.
You need to create the new SecureUsers OU.
0
 
gpriceeeCommented:
Good!
I didn't want to complicate things by having you install the Group POlicy Management mmc.
Hold on. . . .
0
 
dieseldomAuthor Commented:
ok
0
 
gpriceeeCommented:
Great!  You don't need to create the SecureUsers group; just ensure you no longer are in the SBSUsers group.
Then, open Group Policy Management  and then right click on the SBSUsers group --> Create and Link a GPO here
Then, as stated before, under User Configuration --> Administrative Templates --> Control Panel
Change your settings there.

When you logon as a user not in that OU, the policy will not apply to you.
0
 
dieseldomAuthor Commented:
I'm going to give it a shot

Hold on...
0
 
dieseldomAuthor Commented:
I believe this worked well..I'm going to try it again at home seeing that I have a domain at home my self with couple of computers and users between kids and other members.  Once done, I'll close this with your points.. It looks liek you have been a great help!!

Thanks alot!!
0
 
gpriceeeCommented:
One more thing . . . oaky, two.
If you want the policy to take effect immediately on a machine, from the command prompt on the machine, enter the following command:
gpupdate /force

If you want to see the overall results of what group policies are applied, after the machine boots, at the cmd prompt enter:
gpresult

It will take a while to return.   Spend some time, and you''l see just how what you've done is applied to the user/machine.
0
 
dieseldomAuthor Commented:
great.  everything work!!  Thanks alot for the help!!  Here are ur pts!!

Thanks again!!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 10
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now