Solved

stop users from modifying desktops

Posted on 2007-03-21
Last Modified: 2010-04-18
I have a single server with DC and Exchange 03 on it, and 60 users. Is there a way I can stop the users from installing software or modifying Outlook on their local machines? All 60 users are on XP Pro. They are members of Domain Admins and Domain Users. If I remove them from Domain Admins, will it solve my purpose?
Question by: rrajani

19 Comments

Expert Comment by mattyfonz (LVL 6), ID: 18768320
They are all members of Domain Admins?!
I'll refrain from screaming with horror and just say that it would be a VERY good idea to remove them all from that group immediately.
Use Group Policy to lock down the client workstations. Having them as part of the Domain Users group should be fine for desktops, as they will be part of the Users group on the local machines and not be able to install software by default unless you give them specific permissions to do so. What exactly are you trying to prevent them from doing?
Expert Comment by redseatechnologies (LVL 39), ID: 18768332
*shudder*

Having your users in Domain Admins is usually only done for two reasons: first, NTFS permissions went into the too-hard basket and it was fixed in the worst way possible, and/or users needed admin rights to their machines and Domain Admins seemed like a logical choice.

Ideally, only those who really, really need domain admin access (usually, wait for it, just domain administrators) should have it; the rest should be users, that is all. Your desktop settings will depend on your environment: I have some sites where all users are LOCAL admins of their desktops, and other sites where they are locked down totally. As you want to lock it down, the fonz has given you some good ways of doing that.

-red
Expert Comment by rmmci (LVL 2), ID: 18770762
I agree with fonz, but create an organizational unit and add users to it to simplify the process. Make sure all your workstations are added to the domain also, to force your policies down to your workstations when users log in.

Author Comment by rrajani, ID: 18772114
The ex-admin had configured the AD, and the way he had set it up is: we have
one domain "abc.local" and
one OU 'abc users'
one container 'computers'
All the 60 users are members of Domain Users & Domain Admins.
We have several groups created, and all groups are of type 'security' and scope 'global':
group1: _abc (all users are members of this group)
group2: _warehouse managers (all warehouse managers are members of this group)
group3: _accounting (all accounting staff are members of this group)
group4: _inside sales (all inside sales people are members of this group)
... and so on.

What we basically need to accomplish is:
1. Nobody should be able to play around with their Outlook once their account is set up on their box.
2. Nobody should be able to install and uninstall software/hardware on their box.
... etc.
We have a 50/50 workforce: 50% are executives who are a little computer savvy and they understand, but the other 50% are warehouse guys who are nuts.

We do not have any group policies set up yet. Please advise.


Author Comment by rrajani, ID: 18772136
Fonz,

As you suggested, would you advise me how to create a group policy to lock down the client boxes?

Author Comment by rrajani, ID: 18772436
Once we set up the group policy, we also want to accomplish that users should not be able to change their desktop settings as well. We need to incorporate some standards for desktops as well for all users.
Accepted Solution by mattyfonz (LVL 6), earned 500 total points, ID: 18772640
OK, well,
If you have all the users in one OU, assign a group policy to that OU so that all users in it will inherit the user configuration settings from it. Also, you mentioned that all the computers are in a container, not an OU, so I personally would create another OU named Staff Machines and move all the machines into there so, if needed, you can assign a group policy to it.

Remove everyone from the Domain Admins group. Leave them in the Domain Users group, as this is the default. They should have adequate permissions for doing their day-to-day stuff such as Word etc.; however, it should restrict them from installing software.

You mentioned they should not be able to change their desktop settings. Do you mean desktop as in desktop machine settings, or literally the desktop? If the former, additional group policies will be needed; if the latter, you can use folder redirection to redirect the user's desktop icons (and Start Menu if needed) to a read-only share on the server. This standardises everyone's desktops so you can control what links they can access from there.
If you want more information on folder redirection, let me know.
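The restructuring the accepted solution describes (remove the users from Domain Admins, move the workstations out of the Computers container into an OU, link a GPO to the OUs), as an added PowerShell example that is not part of the thread. It assumes an admin workstation with the RSAT ActiveDirectory and GroupPolicy modules joined to abc.local; the OU name "Staff Machines", the GPO name "Staff Workstation Lockdown" and the break-glass account are assumptions, while "abc users" and the Computers container come from the thread. It snapshots all privileged groups before changing anything and supports -WhatIf.

```powershell
# Added example, not from the thread. Assumes an admin workstation with the RSAT ActiveDirectory
# and GroupPolicy modules, joined to abc.local. "Staff Machines", "Staff Workstation Lockdown" and
# the break-glass account are hypothetical; "abc users" and the Computers container are from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string] $KeepInDomainAdmins = 'Administrator',          # break-glass account that must stay
    [string] $ComputerOU         = 'Staff Machines',
    [string] $UserOU             = 'abc users',
    [string] $GpoName            = 'Staff Workstation Lockdown'
)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$snapshot = Join-Path $env:TEMP ('privileged-groups-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))

# 1. Snapshot every privileged group before touching anything, so the change can be reversed and
#    so that users also parked in Enterprise/Schema Admins or builtin Administrators are not missed.
$rows = foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, objectClass, DistinguishedName
}
$rows | Export-Csv -Path $snapshot -NoTypeInformation
Write-Host "Membership snapshot written to $snapshot"

# 2. Remove every user account from Domain Admins except the break-glass account.
#    Run the script with -WhatIf first to see the list without changing it.
foreach ($member in @(Get-ADGroupMember -Identity 'Domain Admins')) {
    if ($member.objectClass -ne 'user' -or $member.SamAccountName -eq $KeepInDomainAdmins) { continue }
    if ($PSCmdlet.ShouldProcess($member.SamAccountName, 'Remove from Domain Admins')) {
        Remove-ADGroupMember -Identity 'Domain Admins' -Members $member -Confirm:$false
    }
}

# 3. A GPO cannot be linked to the default Computers container, so create an OU and move the
#    XP workstations into it. The server (DC + Exchange) is deliberately left where it is.
$ouDN = "OU=$ComputerOU,$domainDN"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ComputerOU'" -SearchBase $domainDN -SearchScope OneLevel)) {
    if ($PSCmdlet.ShouldProcess($ouDN, 'Create OU')) {
        New-ADOrganizationalUnit -Name $ComputerOU -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}
$workstations = Get-ADComputer -SearchBase "CN=Computers,$domainDN" -Filter * -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -notlike '*Server*' }
foreach ($pc in $workstations) {
    if ($PSCmdlet.ShouldProcess($pc.Name, "Move to $ouDN")) {
        Move-ADObject -Identity $pc.DistinguishedName -TargetPath $ouDN
    }
}

# 4. Create the lockdown GPO (its settings are added separately) and link it to both OUs:
#    the computer OU receives Computer Configuration, the user OU receives User Configuration.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($GpoName, 'Create GPO')) { New-GPO -Name $GpoName | Out-Null }
}
foreach ($target in $ouDN, "OU=$UserOU,$domainDN") {
    $linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked -and $PSCmdlet.ShouldProcess($target, "Link $GpoName")) {
        New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null
    }
}
```

Two caveats a practitioner would want. First, the ActiveDirectory module talks to a 2003 DC only if the Active Directory Management Gateway Service is installed on it; on a plain 2003 DC the same steps are done in Active Directory Users and Computers and the GPMC. Second, removing an account from Domain Admins does not shrink a token that already exists: users keep admin rights until they log off, and each XP box's local Administrators group should be checked with `net localgroup Administrators` in case the users (or Domain Users itself) were added there directly.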

Author Comment by rrajani, ID: 18772775
I will get back to you on this.

One question I had was: under Administrative Tools I don't see GPMC. When I go the traditional way of opening the GPMC, it gives me the option 'To improve Group Policy management, upgrade to the GPMC'. When I click on upgrade it takes me to the MS site to download. Is that the right way?

Author Comment by rrajani, ID: 18772993
Once I removed users from the Domain Admins group, they were able to access shared files but were not able to save or print. Please advise.

Author Comment by rrajani, ID: 18773248
All the files open in 'read-only' format. Advice? Once I add them back to the Domain Admins group it works fine as before.

Author Comment by rrajani, ID: 18773393
I think I figured it out. I removed the user from Domain Admins; under the shared folder, under the Security tab, I had not added Domain Users, which I did and assigned permissions for Domain Users, and it worked. Is this the right way?

Author Comment by rrajani, ID: 18773431
I also need to prevent users from mapping the network drives by themselves. If I removed the user from Domain Admins it still allowed them to map the drive.

Author Comment by rrajani, ID: 18773902
Also, is there a way I can prevent users from deleting shared files?

I know I am asking too many questions, and I have increased the points from 250 to 500.
Expert Comment by mattyfonz (LVL 6), ID: 18776122
OK, here we go; I'll answer a paragraph for each post you made :)
Yes, install the Group Policy Management Console; it is much easier to edit and maintain GPOs using this tool. After installing, you can just right-click on an OU, click Properties, then Group Policy, then Open.

What I do personally is create a domain local group called I.T Administrators, add it to the Domain Admins group, and then any administrators in my environment are simply added to the I.T Administrators group.
It sounds like the previous admin has just set up the network with the Domain Admins group. Don't know why he did that, but let's not dwell on it :). For all your shares you will have to go through and remove the Domain Admins group and add the Domain Users group, the SYSTEM group and the I.T Administrators group. Assign whatever permissions you need to Domain Users, but give SYSTEM and I.T Administrators full access. Also, check your printers' security settings as well and make sure Domain Users are added to them.

You can use Group Policy to prohibit users from mapping network drives:
User Configuration/Administrative Templates/Windows Components/Windows Explorer

Prevent access to the command prompt:
User Configuration/Administrative Templates/System

Prevent them from deleting shared files:
It depends on their permissions. Do you want them to be able to create, save and modify but not delete?
If so, then go to the Security tab on the share in question, click the Advanced button, find the group you want to restrict in the window list, click Edit, uncheck both Delete permissions and apply.

Hope that helps. If you have any questions, let me know.
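The two Administrative Template paths named in the comment above (Windows Explorer for drive mapping, System for the command prompt), plus the desktop-settings restrictions asked about earlier in the thread, set from PowerShell as an added example that is not part of the thread. It assumes the GroupPolicy RSAT module and an existing GPO (the name "Staff Workstation Lockdown" is an assumption) already linked to the OUs holding the XP workstations and the users. The registry keys and value names are the ones those Administrative Template policies write; the block reads each value back from the GPO after writing it.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module and an existing GPO
# (the name is hypothetical) linked to the OUs holding the XP workstations and the users.
Import-Module GroupPolicy
$GpoName = 'Staff Workstation Lockdown'

$userPol  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$settings = @(
    # User Configuration > Administrative Templates > Windows Components > Windows Explorer
    #   "Remove 'Map Network Drive' and 'Disconnect Network Drive'"
    @{ Key = "$userPol\Explorer"; Name = 'NoNetConnectDisconnect'; Value = 1 }
    # User Configuration > Administrative Templates > System
    #   "Prevent access to the command prompt" (2 = block interactive cmd.exe, still run logon/batch scripts)
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Value = 2 }
    #   "Prevent access to registry editing tools"
    @{ Key = "$userPol\System"; Name = 'DisableRegistryTools'; Value = 1 }
    # User Configuration > Administrative Templates > Control Panel > Display
    #   "Remove Display in Control Panel" (keeps users out of the desktop/screen settings dialog)
    @{ Key = "$userPol\System"; Name = 'NoDispCPL'; Value = 1 }
    # User Configuration > Administrative Templates > Desktop > Active Desktop
    #   "Prevent changing wallpaper"
    @{ Key = "$userPol\ActiveDesktop"; Name = 'NoChangingWallPaper'; Value = 1 }
    # Computer Configuration > Administrative Templates > Windows Components > Windows Installer
    #   "Prohibit User Installs" (HKLM keys land in Computer Configuration automatically)
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableUserInstalls'; Value = 1 }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# Verify by reading the values back out of the GPO rather than trusting the write, then save a report.
foreach ($s in $settings) {
    $v = Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name
    '{0,-22} {1,-58} = {2}' -f $s.Name, $s.Key, $v.Value
}
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")
```

On an XP client, `gpupdate /force` pulls the new settings and `gpresult /v` shows which GPOs applied. Keep in mind what these settings are: Administrative Template policies restrict the shell, not the security boundary. Removing the Map Network Drive menu item does nothing against `net use` in a logon script or any other program, and blocking cmd.exe does not block other interpreters. What actually stops installs is that the users are no longer administrators; a user who is still a local admin can undo every value above. Outlook has no entries in the built-in templates; Outlook 2003 is controlled by loading its own template (outlk11.adm from the Office 2003 Resource Kit) under User Configuration > Administrative Templates.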

Author Comment by rrajani, ID: 18780450
Thanks much, really appreciated.

Where can I find a good, to-the-point tutorial to create group policies? MS is too detailed.
Expert Comment by mattyfonz (LVL 6), ID: 18781239

Author Comment by rrajani, ID: 18793948
After I removed all users from the Domain Admins group, they were not able to open the programs on their machines, programs such as UPS Online Ship and Procomm (telnet program to Unix server). I think it is because these programs were installed after they were made members of Domain Admins.

There are 60 users and 6 locations. In order for me to re-configure the AD in the right way, do I need to:
1. Remove them from the Domain Admins group?
2. Re-install the programs on each machine?

Please advise.
Expert Comment by redseatechnologies (LVL 39), ID: 18796319
1. YES
2. No, but you may need to increase their permissions on the desktop, like to Power Users (hopefully).
Expert Comment by mattyfonz (LVL 6), ID: 18797030
redseatechnologies is right; you just have to increase their permissions. Add them to the Power Users group by using the Restricted Groups setting under Computer Settings in Group Policy. Add a new group called Power Users and then make the Domain Users group a member of this group. That should solve the problem.
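Both ACL problems in the thread come down to the same operation, so one added PowerShell example (not part of the thread) covers them: the share permissions from the earlier comment (SYSTEM and IT administrators with full control, Domain Users able to create and edit but not delete) and, in place of the Power Users suggestion above, granting standard users write access only to the folders and registry keys the applications insist on writing to. It assumes it runs elevated on the machine whose ACLs it changes; the share root D:\Shares\Company, the two application folders and the registry key are hypothetical paths, ABC is assumed to be the NetBIOS name of abc.local, and ABC\IT Administrators is assumed to exist.

```powershell
# Added example, not from the thread. Assumes the script runs elevated on the machine whose ACLs
# it changes; D:\Shares\Company, the application folders and the registry key are hypothetical
# paths; ABC is the assumed NetBIOS name of abc.local and ABC\IT Administrators is assumed to exist.
Set-StrictMode -Version 2

function Set-FolderRule {
    # Replace any explicit rules for $Identity on $Path with a single inheritable Allow rule.
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $Identity,
        [Parameter(Mandatory = $true)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [switch] $NoDelete
    )
    if ($NoDelete) {
        # Modify = ReadAndExecute + Write + Delete. Clearing Delete lets users create and edit but
        # not remove files; DeleteSubdirectoriesAndFiles is not part of Modify, so it stays off.
        $Rights = [System.Security.AccessControl.FileSystemRights](
            [int]$Rights -band (-bnot [int][System.Security.AccessControl.FileSystemRights]::Delete))
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Identity)))
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-RegistryRule {
    param([string] $Path, [string] $Identity, [System.Security.AccessControl.RegistryRights] $Rights)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights, 'ContainerInherit', 'None', 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# --- File server: rebuild the share-root ACL that only worked because everyone was a Domain Admin ---
$share = 'D:\Shares\Company'
(Get-Acl -Path $share).Sddl | Set-Content -Path "$env:TEMP\share-acl-before.sddl"   # undo record
Set-FolderRule -Path $share -Identity 'NT AUTHORITY\SYSTEM'   -Rights FullControl
Set-FolderRule -Path $share -Identity 'ABC\IT Administrators' -Rights FullControl
Set-FolderRule -Path $share -Identity 'ABC\Domain Users'      -Rights Modify -NoDelete
# Effective access is the more restrictive of share-level and NTFS permissions. Server 2003 shares
# default to Everyone: Read, so the Share tab must also grant Domain Users Change or saves still fail.

# --- Workstation: open only what a misbehaving application writes to, instead of Power Users ---
$appFolders = 'C:\Program Files\UPS', 'C:\Program Files\Procomm'            # hypothetical paths
foreach ($f in $appFolders) { Set-FolderRule -Path $f -Identity 'ABC\Domain Users' -Rights Modify }
Set-RegistryRule -Path 'HKLM:\SOFTWARE\Procomm' -Identity 'ABC\Domain Users' `
    -Rights 'ReadKey, SetValue, CreateSubKey'
```

Which folders and keys an application needs is found by running it as a standard user under Process Monitor (Sysinternals) with the result filtered to ACCESS DENIED; granting Modify on just those paths keeps the account a standard user, whereas Power Users on XP holds enough rights to make itself an administrator and is not a security boundary. Two things to know about the no-delete rule before rolling it out: a user with Write can still truncate a file to zero bytes, so it is not an integrity control (Shadow Copies for Shared Folders on Server 2003 is the practical recovery path), and applications that save by writing a temporary file, deleting the original and renaming, Microsoft Word among them, will fail to save existing documents without Delete.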