Solved

group policy question

Posted on 2006-06-22
Last Modified: 2010-04-13
Hi all,
Not had much experience using group policy and have been asked to do this
on a W2K network.

create a new user with admin rights
restrict this new user from accessing anyother users files
from changing the desktop background
from running any exe file
from deleting printers
from accessing the control panel
hide the C: drive

change firewall settings so users can't download any chat programs
user should also not be able to download games from internet

Ok:

I edited the default domain policy and can achieve most of what's above, however I notice
it also applies to the domain controller. How can I do this without restricting the domain controller itself, just
the workstations?

The bit about create a new user with admin rights is a bit confusing too! Can I apply group policy settings on a per user basis like this?

thnx
Question by:dlloyd37
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 250 total points
ID: 16958178
no no no no no! lesson one in GPO... do not touch the default domain policy ever!!!! create a new policy located on the OU within which the user account resides! right click on the OU - properties - Group Policy - Create New!

there you can put your settings!!

use NTFS permissions to stop him accessing desired folders

to give him admin privileges - right click my computer on the desired machine - manage - local users and groups - groups - administrators - properties - members - add
LVL 43

Accepted Solution

by:
Steve Knight earned 250 total points
ID: 16958227
If they are an admin then one way or another they can override this by running .REG scripts, amending policy locally etc.  If you restrict all EXE's that is going to cause untold issues, the user could also just rename a file from EXE to COM or possibly even CMD or SCR etc. and run it too.  You can specify a list of EXEs or other programs they can't run though, this doesn't stop them renaming a file though.

You need to set NTFS permissions on wherever these files are to stop them accessing them, if they are on the same machine you can't if they are an admin as they can take ownership and give themselves rights.

Desktop background, control panel etc. is easy to change in policy but again can be overridden by an admin

I think you need to make them a normal non-admin for starters.

GPO is based on objects in OU's but you can either put the user in their own OU or create a GPO on an OU with multiple users then change in the security of the GPO which users / groups it applies to (the apply entry in the security).

Don't change the default domain policy as it affects everything by default.  Create a separate OU for any PC's / Users you want to affect.

Be careful when creating fairly drastic policies like this, especially at the domain level.

Steve
LVL 43

Expert Comment

by:Steve Knight
ID: 16958234
(crossed in the post)
LVL 16

Expert Comment

by:kshays
ID: 16959125
My only question is if you want to have these settings then why set them as an admin?  

Along with what the other two posts suggested, you very rarely touch the default domain policy unless you want a domain wide policy in effect such as password requirements, thresholds, etc.....

You can also set a software restriction policy in a new GPO that is linked to an OU also.  Just move the computer that is going to have the policy applied into that OU and you can set the policy to allow only programs you specify.  You can specify programs based on the hash of the .exe or the path.  I usually go the hash method so even if they are clever and rename or move the exe and folder it still will not run.

As for downloading stuff, your best bet would be to implement a proxy server and create groups with different levels of access, content filtering, downloading and such.

PS:  You can also have it apply to administrators in the software restriction policy as well if you wish.  You will have to do some testing though to make sure all of your required programs run correctly if you go this method, but it is well worth the look into though for that aspect of your question.

For the other questions, I'm right with the other two experts here on what they suggested.

kshays
Author Comment

by:dlloyd37
ID: 16961731
Thanks all for your help so far on this.....

As I said, I'm not great with GPO's but am becoming more familiar with it.

When I saw the spec saying create a new user with admin rights my immediate thought
was why! Isn't this going to just make the task even harder! To be honest I have to do this
task tomorrow live on a production system in a college as part of a test. I will ask why
they want the user to have admin rights.....maybe they need local access to their client
workstations in order to run a specific application?

Now, I have been testing it on my test network at home, except this is W2K3.  As far
as I know, no separate OU's are present in AD.....just the standard ones created at installation.

I can create GPO's only at the domain level and on the domain controller container in AD. I can't create a new GPO
on the computers container or the users container? I have created a new OU on my test network and I can create a
new policy on that. I have also moved the client computers on my test network into this container and will apply the policy
settings here on that OU. Is it ok just to move client computers from the default computer container to a separate OU?
As I said I have tested it on my test network without issue, but not sure what will happen on a bigger Windows 2000 system?

Can the same apply if I move certain users to a newly created OU and apply a GPO to that OU to restrict users?

Thnx again

David
LVL 43

Expert Comment

by:Steve Knight
ID: 16963044
The users and computers containers are default ones that you can't apply policies to as you found, you must create OU's.  I generally create site or country top level OU's and then functions such as Computers, Groups, Department names etc. as needed but it depends upon the specific requirements.

Moving computers and users to different OU's is the whole point of AD -- you can structure them to make it easier to administer and to give out different policies etc so yes you are correct in that.

Steve
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16964709
if you saw the OU structures running in the half the sites i have seen you would fall over yourself :) very very very common practice to segment your AD and apply security
LVL 43

Expert Comment

by:Steve Knight
ID: 16964774
Always amusing when you go to a relatively massive site with all the computers in computers, users in "built in" or "users" container and all the policies in default domain.... normally been put in by an untrained "consultant" of course :-( but then it provides work to go in and pick up the pieces so I don't complain :-)

Steve
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16964795
lol $$$$ makes it all good, bring it on

Jay
Author Comment

by:dlloyd37
ID: 16967617
Ok, again thnx for your comments I think I know how I'm gonna approach this now.

Create the user and stick him/her in a new OU and then create a new GPO on that OU.

I use the no override option?

Blocking this user from changing the background, deleting printers and accessing the control panel seem quite
straightforward, as well as hiding the C:

Now, they also want me to stop them accessing any chat programs (I can disable MSN easily using the policy) how
do I stop them using any others? I guess I need a list of them first?

They also want me to stop users downloading any games and running .exe files. I have seen where you can specifically stop users from
running certain programs or certain .exe files in the GPO....is this the best way? I guess I build up a certain list of
apps that should be added to the list and then add them specifically there?

Thnx

David

LVL 43

Expert Comment

by:Steve Knight
ID: 16967629
Pretty well that yes, from experience that can be many hundreds of EXE's listed without problem.

Steve
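The plan agreed in this thread (leave the Default Domain Policy alone, put the user in a dedicated OU, link a new GPO there, security-filter it to a group, and set the Explorer/desktop restrictions plus a "don't run" list), written up as an added PowerShell example that is not from any of the posters. It assumes a Windows Server 2008 R2 or later domain with the RSAT ActiveDirectory and GroupPolicy modules rather than the W2K/W2K3 GUI in the thread; the domain DN, OU, group, user and blocked-program names are placeholders.

```powershell
# Added example, not from the thread. Requires RSAT (ActiveDirectory + GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = "DC=example,DC=com"            # placeholder domain
$ouDn     = "OU=RestrictedUsers,$domainDn"  # new OU, so DCs and the rest of the domain are untouched
$gpoName  = "Restricted Users"
$filterGp = "GPO-RestrictedUsers"           # only members of this group get the GPO applied
$user     = "jsmith"                        # placeholder account (a normal, non-admin user)

# 1. Dedicated OU + filtering group; move the user in instead of editing the Default Domain Policy.
New-ADOrganizationalUnit -Name "RestrictedUsers" -Path $domainDn
New-ADGroup -Name $filterGp -GroupScope Global -Path $ouDn
Add-ADGroupMember -Identity $filterGp -Members $user
Move-ADObject -Identity (Get-ADUser $user).DistinguishedName -TargetPath $ouDn

# 2. New GPO linked only to that OU. "No Override" from the thread is "Enforced" here.
New-GPO -Name $gpoName | New-GPLink -Target $ouDn -LinkEnabled Yes
Set-GPLink -Name $gpoName -Target $ouDn -Enforced Yes

# 3. Security filtering: remove the default Apply for Authenticated Users, grant it to the group.
#    Computer accounts still need Read on user-side GPOs since MS16-072, hence Domain Computers.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
Set-GPPermission -Name $gpoName -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoRead
Set-GPPermission -Name $gpoName -TargetName $filterGp -TargetType Group -PermissionLevel GpoApply

# 4. The user-side restrictions from the question, as the registry-based policies behind the GUI items.
$explorer = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$desktop  = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop"
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName NoControlPanel  -Type DWord -Value 1  # Prohibit access to Control Panel
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName NoDeletePrinter -Type DWord -Value 1  # Prevent deletion of printers
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName NoDrives        -Type DWord -Value 4  # bitmask: A=1, B=2, C=4 -> hide C:
Set-GPRegistryValue -Name $gpoName -Key $desktop  -ValueName NoChangingWallPaper -Type DWord -Value 1

# 5. "Don't run specified Windows applications": a name-based block list. As Steve notes, a rename
#    defeats it; hash rules in a Software Restriction Policy (kshays' suggestion) do not have that gap.
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName DisallowRun -Type DWord -Value 1
$blocked = @("msnmsgr.exe", "chatclient.exe")   # constructed sample list; build the real one from the college's requirements
$i = 1
foreach ($exe in $blocked) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" -ValueName "$i" -Type String -Value $exe
    $i++
}
```

Run `gpupdate /force` on a test workstation and check with `gpresult /r` that the GPO appears under applied policies for a member of the group and under filtered-out policies for everyone else before touching the production college domain.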
LVL 43

Expert Comment

by:Steve Knight
ID: 17076911
dlloyd37.  Are you still needing any help on this?