group policy question

Hi all,
Not had much experience using group policy and have been asked to do this on a W2K network.

create a new user with admin rights
restrict this new user from accessing any other users' files
from changing the desktop background
from running any exe file
from deleting printers
from accessing the control panel
hide the C: drive

change firewall settings so users can't download any chat programs
user should also not be able to download games from internet


I edited the default domain policy and can achieve most of what's above, however I notice it also applies to the domain controller. How can I do this without restricting the domain controller itself, just the workstations?

The bit about "create a new user with admin rights" is a bit confusing too! Can I apply group policy settings on a per-user basis like this?


Steve Knight (IT Consultancy) commented:
If they are an admin then one way or another they can override this by running .REG scripts, amending policy locally etc.  If you restrict all EXEs that is going to cause untold issues; the user could also just rename a file from EXE to COM or possibly even CMD or SCR etc. and run it too.  You can specify a list of EXEs or other programs they can't run though, this doesn't stop them renaming a file though.

You need to set NTFS permissions on wherever these files are to stop them accessing them; if they are on the same machine you can't if they are an admin, as they can take ownership and give themselves rights.

Desktop background, control panel etc. is easy to change in policy but again can be overridden by an admin.

I think you need to make them a normal non-admin for starters.

GPO is based on objects in OUs, but you can either put the user in their own OU or create a GPO on an OU with multiple users and then change in the security of the GPO which users / groups it applies to (the Apply entry in the security).

Don't change the default domain policy as it affects everything by default.  Create a separate OU for any PCs / users you want to affect.

Be careful when creating fairly drastic policies like this, especially at the domain level.

Jay_Jay70 commented:
no no no no no! lesson one in GPO... do not touch the default domain policy ever!!!! create a new policy located on the OU within which the user account resides! right click on the OU - properties - Group Policy - Create New!

there you can put your settings!!

use NTFS permissions to stop him accessing desired folders

to give him admin privileges - right click my computer on the desired machine - manage - local users and groups - groups - administrators - properties - members - add

Steve Knight (IT Consultancy) commented:
(crossed in the post)

Kevin Hays (IT Analyst) commented:
My only question is if you want to have these settings then why set them as an admin?

Along with what the other two posts suggested, you very rarely touch the default domain policy unless you want a domain-wide policy in effect such as password requirements, thresholds, etc.

You can also set a software restriction policy in a new GPO that is linked to an OU.  Just move the computer that is going to have the policy applied into that OU and you can set the policy to allow only programs you specify.  You can specify programs based on the hash of the .exe or the path.  I usually go the hash method so even if they are clever and rename or move the exe and folder it still will not run.

As for downloading stuff, your best bet would be to implement a proxy server and create groups with different levels of access, content filtering, downloading and such.

PS:  You can also have it apply to administrators in the software restriction policy as well if you wish.  You will have to do some testing though to make sure all of your required programs run correctly if you go this method, but it is well worth looking into for that aspect of your question.

For the other questions, I'm right with the other two experts here on what they suggested.

dlloyd37 (Author) commented:
Thanks all for your help so far on this.....

As I said, I'm not great with GPOs but am becoming more familiar with it.

When I saw the spec saying "create a new user with admin rights" my immediate thought was why! Isn't this going to just make the task even harder! To be honest I have to do this task tomorrow live on a production system in a college as part of a test. I will ask why they want the user to have admin rights.....maybe they need local access to their client workstations in order to run a specific application?

Now, I have been testing it on my test network at home, except this is W2K3.  As far as I know, no separate OUs are present in AD.....just the standard ones created at installation.

I can create GPOs only at the domain level and on the domain controller container in AD. I can't create a new GPO on the computers container or the users container? I have created a new OU on my test network and I can create a new policy on that. I have also moved the client computers on my test network into this container and will apply the policy settings here on that OU. Is it ok just to move client computers from the default computer container to a separate OU? As I said I have tested it on my test network without issue, but not sure what will happen on a bigger Windows 2000 system?

Can the same apply if I move certain users to a newly created OU and apply a GPO to that OU to restrict users?

Thnx again

Steve Knight (IT Consultancy) commented:
The Users and Computers containers are default ones that you can't apply policies to; as you found, you must create OUs.  I generally create site or country top-level OUs and then functions such as Computers, Groups, Department names etc. as needed, but it depends upon the specific requirements.

Moving computers and users to different OUs is the whole point of AD -- you can structure them to make it easier to administer and to give out different policies etc., so yes you are correct in that.

if you saw the OU structures running in half the sites I have seen you would fall over yourself :) very very very common practice to segment your AD and apply security

Steve Knight (IT Consultancy) commented:
Always amusing when you go to a relatively massive site with all the computers in Computers, users in "Builtin" or "Users" container and all the policies in default domain.... normally been put in by an untrained "consultant" of course :-( but then it provides work to go in and pick up the pieces so I don't complain :-)

lol $$$$ makes it all good, bring it on

dlloyd37 (Author) commented:
Ok, again thanks for your comments, I think I know how I'm gonna approach this now.

Create the user and stick him/her in a new OU and then create a new GPO on that OU.

Do I use the No Override option?

Blocking this user from changing the background, deleting printers and accessing the control panel seems quite straightforward, as well as hiding the C:

Now, they also want me to stop them accessing any chat programs (I can disable MSN easily using the policy); how do I stop them using any others? I guess I need a list of them first?

They also want me to stop users downloading any games and running .exe files. I have seen where you can specifically stop users from running certain programs or certain .exe files; is this the best way? I guess I build up a list of apps that should be blocked and then add them specifically there?
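The plan above (new OU, move the user and workstation into it, new GPO linked to that OU, security-filter it as Steve describes) scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not code from the thread; it assumes a Windows Server 2008 R2 or later DC with RSAT (the original Windows 2000 setup would be done in the GPMC/ADUC GUI), and the OU, GPO, group, computer and user names are placeholders.

```powershell
# Added example: carve out a restricted OU, link a fresh GPO to it, and set the
# per-user Explorer/ActiveDesktop policy values matching the requirements above.
# Placeholder names: OU "Restricted", group "RestrictedUsers", computer WS01, user jdoe.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=contoso,DC=local
$ouName   = 'Restricted'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Restricted Workstation Lockdown'

# 1. A new OU, rather than editing Default Domain Policy or using the built-in
#    Users/Computers containers (GPOs cannot be linked to those containers).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2. Move the test workstation and the new user into the OU.
Get-ADComputer 'WS01' | Move-ADObject -TargetPath $ouDN
Get-ADUser     'jdoe' | Move-ADObject -TargetPath $ouDN

# 3. Create the GPO and link it to this OU only (not enforced / No Override).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Lockdown for restricted users' }
if (-not ((Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. User-side settings (HKCU policy keys, so they follow the user, not the PC).
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$desktop  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoControlPanel'  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDeletePrinter' -Type DWord -Value 1 | Out-Null
# NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C: ... so hiding C: alone is 4.
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoDrives'        -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktop  -ValueName 'NoChangingWallPaper' -Type DWord -Value 1 | Out-Null

# 5. Security filtering: apply only to the RestrictedUsers group. Authenticated
#    Users keeps Read (not Apply) so the workstation can still evaluate the GPO,
#    which is required on patched systems since MS16-072.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'RestrictedUsers'     -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the result before letting it loose on a production college network.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Run `gpupdate /force` on WS01 and log in as the test user to confirm the lockdown applies there and nowhere else; the restrictions only hold for a non-admin user, since a local admin can edit these HKCU values directly.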



Steve Knight (IT Consultancy) commented:
Pretty well that, yes; from experience that can be many hundreds of EXEs listed without problem.

Steve Knight (IT Consultancy) commented:
dlloyd37, are you still needing any help on this?