• Status: Solved
  • Priority: Medium
  • Security: Public

Policy Configuration Problem

Hi Experts, I need to perform the following, as it is my company's policy to set the following requirements on a W2K3 server:
   a. I want to be able to log all logins and logouts to a file (say c:\log\logging.log)
   b. I want to disable the cmd and regedit utilities for all users except the administrator
   c. I want the authenticated users to be able to run only Notepad and Internet Explorer, and not any other applications installed on the client machines (Windows XP). These client machines are joined to the domain.

Please advise me on how these tasks could be carried out.

TIA.
Asked: bpyeo
 
joedoe58 Commented:
You have to create at least two OUs, one for Users and one for Admins. On the User OU you have to configure a Group Policy that restricts the user to what you have decided. To get logging of all logins and logouts you can enable auditing for login and logout in the domain policy, for example, since that will cover all activities in the domain.
 
bpyeo (Author) Commented:
Hi joedoe58, I have in fact created 3 OUs, one for administrators, one for management and one for staff. I have also configured a GPO on the management and staff OUs. However, I could not find a way of having the login and logout activities logged to an external file. The logging is done in the event viewer, right?

I have tried to disable the run command, control panel and so on. But when the users access their My Documents window, they can then go to c:\windows\system32\cmd to activate the command prompt, and then they can key in regedit to open up the registry for viewing. Also, the users could run applications like WordPad and Calculator, which I do not want them to run.

Please advise.

TIA.
 
joedoe58 Commented:
Yes, the logging will be done in the event viewer - security.
It is usually difficult to stop users starting programs on their machines since there are so many ways you can start a program. There is a way to configure what programs should be allowed, but that requires a lot of admin overhead since you have to add to this list every time there is a new program added. It is distributed via GPO though. The setting should be in User configuration - Admin. I do not have access to a server at the moment but it should not be difficult to find the setting where you specify the program names that are allowed to run.

You also have a setting where you specifically prevent a user from being able to access regedit.
 
bpyeo (Author) Commented:
Hi joedoe58, can the logging be directed to an external file instead of logging to the event viewer?

I have tried looking at almost every setting in the GPO and could not find a way of disabling the cmd and regedit utilities (these utilities have read/execute access rights for the authenticated users). As for the requirement of allowing authenticated users to run only Notepad and Internet Explorer, other common Windows utilities (e.g. WordPad, Calculator) are found in the same folder. Therefore enabling Notepad and Internet Explorer might also allow the users to run other common Windows utilities, which I do not want.

Can these be done? I really need your advice and, if possible, please provide me with the specific location in the GPO that I can set to realize these requirements.

TIA.
 
joedoe58 Commented:
If you want to restrict what programs a user can start, you find the settings in User Settings - Administrative Templates - System - Run only allowed Windows applications.

In the same location you can restrict use of the command prompt and access to the registry editor.

I can't think of a way to redirect logging to another file at the moment.
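An added example, not part of the thread and not code from either poster: a Python check that the three User Configuration policies named in the last answer actually reached a client, run against a `.reg` export of the affected user's HKCU hive. The registry value names are the ones those policies write; the sample export and the function names are constructed for illustration.

```python
import re

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
EXPLORER = POLICIES + r"\Explorer"
CMD_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
ALLOWED = {"notepad.exe", "iexplore.exe"}  # the two programs the asker wants
# Constructed sample export for a test user (not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="notepad.exe"
"2"="iexplore.exe"
"3"="calc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

def parse_reg(text):
    """Return {key: {value_name: int or str}} (names lowercased) from .reg text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16) if m.group(2) else m.group(3)
    return keys

def audit(text):
    """Return a list of findings; empty means all three policies are in effect."""
    reg = parse_reg(text)
    def value(key, name):
        return reg.get(key.lower(), {}).get(name.lower())
    findings = []
    if value(EXPLORER, "RestrictRun") != 1:
        findings.append("RestrictRun not enabled")
    listed = {str(v).lower() for v in reg.get((EXPLORER + r"\RestrictRun").lower(), {}).values()}
    findings += ["unexpected allowed program: " + p for p in sorted(listed - ALLOWED)]
    findings += ["missing allowed program: " + p for p in sorted(ALLOWED - listed)]
    if not value(CMD_KEY, "DisableCMD"):        # 1 or 2 both block cmd.exe
        findings.append("DisableCMD not set")
    if not value(POLICIES + r"\System", "DisableRegistryTools"):
        findings.append("DisableRegistryTools not set")
    return findings
```

"Run only allowed Windows applications" is enforced only for programs started through Windows Explorer, so the check treats a missing command prompt policy as a finding even when the allow list itself is correct.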
