bpyeo

Policy Configuration Problem

Hi Experts, I need to perform the following as it is my company policy to set the following requirements at a W2K3 server:
   a. I want to be able to log all the logins and logouts to a file (say c:\log\logging.log)
   b. I want to disable the cmd and regedit utilities for all users except the administrator
   c. I want the authenticated users to only be able to run Notepad and Internet Explorer, and not any other applications installed on the client machines (Windows XP). These client machines are joined to the domain.

Please advise me on how these tasks could be carried out.

TIA.
joedoe58

You have to create at least two OUs. One for Users and one for Admins. On the User OU you have to configure a Group Policy that restricts the user to what you have decided. To get logging of all logins and logouts you can enable auditing for login and logout in the domain policy, for example, since that will cover all activities in the domain.
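Once auditing of logon events is enabled in the domain policy as described above, the events land in the Security event log rather than in a file. The following PowerShell script, added here as an example and not part of the thread, copies logon/logoff events from the Security log into the file the asker mentions. It assumes PowerShell 2.0 or later is installed on the server, that the account running it may read the Security log (Administrators, or the "Manage auditing and security log" right), and the paths `C:\log\logging.log` and `C:\log\lastexport.txt` are assumed.

```powershell
# Added example (not from the thread): append logon/logoff events from the
# Security event log to a plain text file. Auditing of logon events must be
# enabled in Group Policy first, otherwise the Security log has nothing to export.

$LogFile   = 'C:\log\logging.log'     # assumed output path from the question
$StateFile = 'C:\log\lastexport.txt'  # assumed: remembers where the last run stopped

# Windows Server 2003 / XP write the 5xx IDs; Vista and later write the 46xx IDs.
$LogonIds  = 528, 540, 4624        # successful interactive / network logon
$LogoffIds = 538, 551, 4634, 4647  # logoff, user-initiated logoff
$FailedIds = 529, 4625             # failed logon: worth keeping in the same file
$WantedIds = $LogonIds + $LogoffIds + $FailedIds

$LogDir = Split-Path $LogFile
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# Export only what is newer than the previous run so repeated runs do not duplicate lines.
if (Test-Path $StateFile) {
    $Since = [datetime](Get-Content $StateFile)
} else {
    $Since = (Get-Date).AddDays(-1)
}
$RunStarted = Get-Date

Get-EventLog -LogName Security -After $Since |
    Where-Object { $WantedIds -contains $_.EventID } |
    Sort-Object TimeGenerated |
    ForEach-Object {
        $evt = $_
        $id  = $evt.EventID
        $kind = switch ($id) {
            { $LogonIds  -contains $_ } { 'LOGON' }
            { $LogoffIds -contains $_ } { 'LOGOFF' }
            default                     { 'LOGON-FAILED' }
        }
        # The account name sits in the insertion strings; its index differs between
        # the 2003-era schema (index 0) and the Vista+ schema (index 5). This is an
        # assumption based on the common layout of these events.
        $strings = $evt.ReplacementStrings
        if ($id -lt 1000) { $account = $strings[0] } else { $account = $strings[5] }
        '{0:yyyy-MM-dd HH:mm:ss} {1,-12} ID={2} account={3} computer={4}' -f `
            $evt.TimeGenerated, $kind, $id, $account, $evt.MachineName
    } |
    Out-File -FilePath $LogFile -Append -Encoding ASCII

# Record the start time of this run as the lower bound for the next one.
$RunStarted.ToString('o') | Set-Content $StateFile
```

Run it from a scheduled task every few minutes on the domain controller (each DC only sees the logons it authenticated, so schedule it on all of them, or collect the file from each). The text file is a convenience copy; the Security log remains the authoritative record, and the file's folder should be writable only by the account that runs the task.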
bpyeo

ASKER

Hi joedoe58, I have in fact created 3 OUs, one for administrators, one for management and one for staff. I have also configured a GPO on the management and staff OUs. However I could not find a way of having the login and logout activities logged to an external file. The logging is done in the event viewer, right?

I have tried to disable the run command, control panel and so on. But when the users access their My Documents window, they can then go to c:\windows\system32\cmd to activate the command prompt, and then they can key in regedit to open up the registry for viewing. Also the users could run applications like WordPad and Calculator, which I do not want them to run.

Please advise.

TIA.
joedoe58

Yes, the logging will be done in the event viewer - security.
It is usually difficult to stop users starting programs on their machines since there are so many ways you can start a program. There is a way to configure what programs should be allowed, but that requires a lot of admin overhead since you have to add to this list every time a new program is added. It is distributed via GPO though. The setting should be in User configuration - Admin. I do not have access to a server at the moment but it should not be difficult to find the setting where you specify the program names that are allowed to run.

You also have a setting where you specifically prevent a user from being able to access regedit.
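The three settings joedoe58 refers to are all under User Configuration > Administrative Templates > System in the Group Policy editor: "Run only allowed Windows applications" (the allowed-program list), "Prevent access to registry editing tools" and "Prevent access to the command prompt". When the policy applies, each one is written to a value under HKCU, which is the easiest place to confirm on a client that the restriction actually reached the user. The script below is an added example, not from the thread, that reads those values as the logged-on user and reports what is in effect; it assumes PowerShell 2.0 or later on the client.

```powershell
# Added example (not from the thread): report which of the three GPO restrictions
# discussed here have applied to the current user. Run as the restricted user,
# for example from a logon script, after "gpupdate /force".

$ExplorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPol   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$CmdPol      = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent, i.e. the policy did not apply.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

# "Run only allowed Windows applications": RestrictRun=1 plus a RestrictRun subkey
# whose string values named 1, 2, 3, ... hold bare executable names (notepad.exe ...).
$restrictRun = Get-PolicyValue $ExplorerPol 'RestrictRun'
$allowed = @()
if ($restrictRun -eq 1 -and (Test-Path "$ExplorerPol\RestrictRun")) {
    $key = Get-Item "$ExplorerPol\RestrictRun"
    $allowed = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

# "Prevent access to registry editing tools": DisableRegistryTools=1 (or 2 on later
# versions, which also blocks silent regedit /s runs).
$regeditBlocked = ((Get-PolicyValue $SystemPol 'DisableRegistryTools') -ge 1)

# "Prevent access to the command prompt": DisableCMD=1 blocks cmd.exe and batch
# scripts, DisableCMD=2 blocks the interactive prompt but still allows scripts.
$cmdBlocked = ((Get-PolicyValue $CmdPol 'DisableCMD') -ge 1)

New-Object PSObject -Property @{
    User               = "$env:USERDOMAIN\$env:USERNAME"
    RunOnlyAllowedApps = ($restrictRun -eq 1)
    AllowedPrograms    = ($allowed -join ', ')
    RegeditBlocked     = $regeditBlocked
    CmdBlocked         = $cmdBlocked
}
```

Two caveats worth knowing before relying on these settings. "Run only allowed Windows applications" only governs programs started through Explorer and matches on file name, so it is a usability restriction rather than a hard control; for an enforced allow-list, Software Restriction Policies (User or Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies) on a 2003 domain can allow only named paths or hashes and block everything else. And because the settings land in HKCU, they follow the user, not the machine: an administrator who logs on with an account in the restricted OU gets the same restrictions, which is why joedoe58's separate OU for admin accounts matters.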
bpyeo

ASKER

Hi joedoe58, can the logging be directed to an external file instead of logging to the event viewer?

I have tried looking at almost every setting in the GPO and could not find a way of disabling the cmd and regedit utilities (these utilities have read and execute access rights for the authenticated users). As for the requirement of allowing authenticated users to only run Notepad and Internet Explorer, other common Windows utilities (e.g. WordPad, Calculator) are found in the same folder. Therefore enabling Notepad and Internet Explorer might also allow the users to run other common Windows utilities which I do not want.

Can these be done? I really need your advice and if possible, provide me with the specific location in GPO that I can set to realize these requirements.

TIA.
ASKER CERTIFIED SOLUTION
joedoe58