Solved

VB6 - Read/Write Group Policy

Posted on 2007-11-26
Last Modified: 2008-02-01
Hello to all. I need to know if there is a way to read/write group policy via VB6. I have a feeling that I cannot because of the security risks but it is worth asking. The trouble is all of our users have to be in the Administrators group so when we lock a PC down we have to do it for everyone. But when I want to make changes on the PC I have to go into Group Policy and disable everything and when I am done I have to re-enable everything. There just has to be an easier way.

Thanks!!!
Question by:jbotello4
12 Comments
 
LVL 22

Expert Comment

by:danaseaman
Not exactly what you are looking for but you should be able to adapt this code:
 
Copy NT file perms from one file or dir to another:

    dwInfo = OWNER_SECURITY_INFORMATION Or _
                  GROUP_SECURITY_INFORMATION Or _
                  DACL_SECURITY_INFORMATION

http://www.trigeminal.com/code/CopyFilePerms.bas
 
LVL 1

Author Comment

by:jbotello4
I've read through the code but do not see how to adapt to my needs. For example I need to be able to disable 'Save Settings on Exit' (among other things). Can you offer a small explanation of what you had in mind? Thanks!!!
 
LVL 1

Author Comment

by:jbotello4
Does anybody have any ideas on this?
 
LVL 40

Expert Comment

by:Vadim Rapp
I'm almost sure there's some way to achieve your goal without any programming, and without disabling everything on the machine. Maybe you could describe your situation, and what exactly you achieve by "disabling everything".
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
It actually sounds like you are approaching this from the wrong end... I would wonder why all your users need to be in the administrators group?  There are many programs which used to require this, but many have changed, and for others there are a number of workarounds.

See www.threatcode.com for more info, and if you provide more about why you need to do this, we may be able to assist in helping you to lock down workstations properly, without inhibiting Domain Administrators.

Jeff
TechSoEasy

 
LVL 1

Author Comment

by:jbotello4
We have two programs that work directly with our POS register systems (grocery stores) that require that the user be an administrator. Unfortunately there are no workarounds for these programs. But at the same time we have store managers who use these computers for other work-related items. We would like to completely lock the desktop by not allowing new icons, folders, or wallpaper. Lock the screen saver. Lock down the control panel (I found this in the registry). Prevent downloads from the internet. Disable removable devices. There are several other things we need to lock down but I know if I get pointed in the right direction I can make the rest work. I figured I could find most of the group policy options in the registry somewhere but I am having trouble finding much. Thanks for the help!!
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
I've seen plenty of workarounds for these types of situations. The most common one is to force a particular program to run when a specific user (or a user that is a member of a specific security group) logs in and then log them out when the program is terminated. This way, a standard user cannot do anything other than use the computer for your POS System.

Then, store managers will log in and not be forced to use the specific program, allowing them to use any other software you wish.

There are also pre-defined XP Security Templates that may help you in defining Group Policies:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scedefaultpols.mspx

Finally, there are 3rd party programs that can help you configure the User Interface to help with securing workstations.  Some of them are even free:  http://www.freshdevices.com/freshui.html
http://manageengine.adventnet.com/products/desktop-central/index.html

Jeff
TechSoEasy
 
LVL 1

Author Comment

by:jbotello4
Our POS software requires constant communication with our POS servers so we can't log this machine off. The servers even require a special procedure when we need to shut the PC down. Leave it to IBM to make it so difficult.

Do you know of any other software that has the same features as the 2nd link you provided? We were interested in the new SMS product from Microsoft for 2007 but it requires Active Directory which we do not employ. I liked the Manage Engine software but my CFO never approves the purchase of software with an annual fee. He would rather buy the software outright. Any central Admin software would have to work on a Windows workgroup network. Thanks for the input.
 
LVL 40

Assisted Solution

by:Vadim Rapp
Vadim Rapp earned 100 total points
Two thoughts:

1. If you could figure out what permissions exactly the POS programs need (for example, write to some specific key in HKLM in the registry), you then could give the non-admin POS user that specific privilege, but nothing else.

2. Maybe you could redefine the Windows shell for the POS user, so once he logs on, he has the POS program on the screen, but no Explorer.
 
LVL 74

Accepted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 400 total points
Not using Active Directory is a problem... since you won't have a centralized way to manage your systems.

But I'd tell your CFO that there is a very good reason to use software that requires an annual fee... not only is it much less expensive, but the annual revenue stream encourages a company to keep providing you with better service and to keep improving the product. I much prefer software with annual licenses because it always seems that the software that you buy outright will have a problem two years down the road and there won't be anyone to help you solve it...
 
                 ...kinda sounds like the situation you find yourself in now.

Jeff
TechSoEasy
 
LVL 1

Author Comment

by:jbotello4
I agree Jeff. The powers that be think that we can employ the latest and greatest technology without spending the money to get it off the ground.

As for the solution to my problem I think I will just write a small app that turns on/off the registry keys that I have found until we have the infrastructure set up to solve this the right way.

I appreciate the input from everybody who helped out. I will split points based on the level of input.
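The small on/off app described in the last comment, as an added example that is not code from the thread: a VB6 standard module that sets or clears two per-user Explorer policy values through the registry API. The thread does not list the keys the author found, so the choice of `NoSaveSettings` ("Save Settings on Exit") and `NoControlPanel`, and the names `SetPolicy` and `SetLockdown`, are assumptions for illustration.

```vb
' Added example: toggle per-user Explorer policy values (VB6 standard module).
Option Explicit

Private Const HKEY_CURRENT_USER As Long = &H80000001
Private Const KEY_SET_VALUE As Long = &H2
Private Const REG_DWORD As Long = 4
Private Const ERROR_SUCCESS As Long = 0

' Per-user Explorer policy key; Explorer reads restriction values from here.
Private Const POLICY_KEY As String = _
    "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

Private Declare Function RegCreateKeyEx Lib "advapi32.dll" Alias "RegCreateKeyExA" _
    (ByVal hKey As Long, ByVal lpSubKey As String, ByVal Reserved As Long, _
     ByVal lpClass As String, ByVal dwOptions As Long, ByVal samDesired As Long, _
     ByVal lpSecurityAttributes As Long, phkResult As Long, _
     lpdwDisposition As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" _
    (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, _
     ByVal dwType As Long, lpData As Long, ByVal cbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long

' Writes one REG_DWORD policy value (1 = restriction on, 0 = off).
' Returns True only if the key could be opened and the value written.
Private Function SetPolicy(ByVal valueName As String, ByVal restrict As Boolean) As Boolean
    Dim hKey As Long, disposition As Long, data As Long
    ' Request only KEY_SET_VALUE; the key is created if it does not exist yet.
    If RegCreateKeyEx(HKEY_CURRENT_USER, POLICY_KEY, 0, vbNullString, 0, _
                      KEY_SET_VALUE, 0, hKey, disposition) <> ERROR_SUCCESS Then
        Exit Function
    End If
    data = IIf(restrict, 1, 0)
    SetPolicy = (RegSetValueEx(hKey, valueName, 0, REG_DWORD, data, 4) = ERROR_SUCCESS)
    RegCloseKey hKey
End Function

' lockDown:=True applies the restrictions; False lifts them for maintenance.
' Both values are always attempted; the result is True only if both succeed.
Public Function SetLockdown(ByVal lockDown As Boolean) As Boolean
    Dim okSave As Boolean, okPanel As Boolean
    okSave = SetPolicy("NoSaveSettings", lockDown)   ' assumed example value
    okPanel = SetPolicy("NoControlPanel", lockDown)  ' assumed example value
    SetLockdown = okSave And okPanel
End Function
```

Values written this way are not recorded in the local Group Policy object, so gpedit.msc will not show them and a policy refresh that defines the same settings overwrites them. Because they live under HKEY_CURRENT_USER, the module has to run in the session of the user being restricted.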
