Solved

Windows XP on Windows Domain

Posted on 2007-11-28
Last Modified: 2013-12-04
I have made users on the network standard users on their local computers so they cannot install unapproved software, etc. How can I make it so they cannot edit the registry or make other system changes on XP Pro computers on a Windows 2003 domain?
Question by:jeffsteffy
13 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 20370171
Normally, they can't do either if they are standard users.

They *may* be able to edit the HKCU key because it's their NTUSER.DAT, but normally they can't open Regedit.

Are you sure they are not in a local group (like Power Users or Administrators) on their workstation?

You have the option to prevent users from using Regedit if all the above check out okay.  In Group policy you can define that element.

0
 
LVL 9

Assisted Solution

by:Brugh
Brugh earned 100 total points
ID: 20370195
Just disable "CMD" or "RUN" using group policy.  

You can also remove access to Control Panel items and System32 directories just by applying GPOs.

Group Policies can do all of this for you.

GPO Overview
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.msp

You will want to plan exactly what you want to deny and configure those GPOs accordingly.

hth
 - Brugh
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 20370205
Standard users don't have the ability to modify the registry by default - you need do no more.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20370209
I will verify they are not in a local group (like Power Users or Administrators) on their workstation and let you know.

thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20370246
Ok.

That's the only way they would have access to do this.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20374266
I have the radio button checked for Standard user; can still delete registry. Should I use restricted user or other > user?
0

 
LVL 51

Expert Comment

by:Netman66
ID: 20375410
What radio button?  By Standard user, I mean the user account in AD is only a member of Domain Users and locally, Domain Users is only part of Users.

If the Domain Users group is a member of Power Users and Administrators OR the actual user is a member of those groups, then you're going to see this happen.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20375844
I have been talking about Start > Control Panel > User Accounts > add or remove users here. Their AD account's "member of" is only Domain Users.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376081
Ok, so if you right-click My Computer > select Manage, then look at Local Users and Groups: in Administrators and Power Users, are there any accounts/groups listed in there?

Domain Admin and Administrator should be the only thing in Administrators and Power Users should be empty.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376443
There is other stuff in the Administrators group, I should remove all then
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376572
Please list what you see before removing anything - don't provide direct domain named accounts without scrubbing the private info.

There may be specific reasons for other groups and I don't want you to do something to break other stuff.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376645
In the admin group I have administrator, domain\domain admin, domain\ed, domain\larry, jeffsteffy. In the user group I have domain\jerry, domain\domain users....
Jerry is the user of the computer; Ed & Larry are management of that dept.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 300 total points
ID: 20376739
OK so you have Ed, Larry and you as local Administrators - all these people will have Admin rights locally when they log into the domain.
You don't need anything in the Users Group other than Domain Users.

Make sure Power Users is empty.

0
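
The local-group check from the accepted answer (Administrators holding only the built-in Administrator and Domain Admins, Power Users empty), as an added PowerShell example that is not part of the original thread. It assumes it is run from an admin workstation with PowerShell 3.0 or later and rights to query the XP machines over the ADSI WinNT provider; the domain name `EXAMPLE` and the workstation names are placeholders. It only reports unexpected members and removes nothing.

```powershell
# Added example: report unexpected members of local Administrators / Power Users.
# Assumptions: $Domain and $Computers are placeholders; use NetBIOS computer names.
$Domain    = 'EXAMPLE'
$Computers = 'XP-WS01', 'XP-WS02'

# Baseline described in the thread: only Administrator and Domain Admins are
# local admins, and Power Users is empty.
$Allowed = @{
    'Administrators' = @('Administrator', "$Domain\Domain Admins")
    'Power Users'    = @()
}

function Get-LocalGroupMemberName {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain accounts and
        # WinNT://DOMAIN/COMPUTER/name for accounts local to the machine.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -eq 1)              { $parts[0] }   # unresolved SID
        elseif ($parts -contains $Computer)  { $parts[-1] }  # local account
        else { '{0}\{1}' -f $parts[-2], $parts[-1] }         # DOMAIN\name
    }
}

foreach ($c in $Computers) {
    foreach ($group in $Allowed.Keys) {
        try {
            $members = @(Get-LocalGroupMemberName -Computer $c -Group $group)
        } catch {
            Write-Warning "$c / $group : query failed: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # -notcontains is case-insensitive, so EXAMPLE\ed matches example\Ed.
            if ($Allowed[$group] -notcontains $m) {
                [pscustomobject]@{ Computer = $c; Group = $group; Unexpected = $m }
            }
        }
    }
}
```

On the machine described in the thread this would list domain\ed, domain\larry and jeffsteffy under Administrators, which is the list Netman66 asks to see before anything is removed.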

Question has a verified solution.
