Solved

Windows XP on Windows Domain

Posted on 2007-11-28
13
169 Views
Last Modified: 2013-12-04
I have made uses on the network standard users on thier local computer so they can not install un approved software ect. How can i make it so they can not edit the registry or make other system changes on XP Pro computers on windows 2003 domain?
0
Comment
Question by:jeffsteffy
13 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 20370171
Normally, they can't do either if they are standard users.

They *may* be able to edit the HKCU key because it's their NTUSER.DAT, but normally they can't open Regedit.

Are you sure they are not in a local group (like Power Users or Administrators) on their workstation?

You have the option to prevent users from using Regedit if all the above check out okay.  In Group policy you can define that element.

0
 
LVL 9

Assisted Solution

by:Brugh
Brugh earned 100 total points
ID: 20370195
Just disable "CMD" or "RUN" using group policy.  

You can also remove access to control panel items and system 32 directories just by applying GPOs.

Group Policies can do all of this for you.

GPO Overview
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.msp

You will want to plan exactly what you want to deny and configure those GPO's accordingly.

hth
 - Brugh
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 20370205
Standard user don't have the ability to modify the registry be default - you need do no more.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Author Comment

by:jeffsteffy
ID: 20370209
i will verify they are not in a local group (like Power Users or Administrators) on their workstation?
and let you know

thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20370246
Ok.

That's the only way they would have access to do this.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20374266
i have the radio button check for Standard user can still delete registry should i use restricted user or other > user
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20375410
What radio button?  By Standard user, I mean the user account in AD is only a member of Domain Users and locally, Domain Users is only part of Users.

If the Domain User group is member of Power Users and Administrators OR the actual user is a member of those groups, then you're going to see this happen.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20375844
I have been talking about start > control panel > user accounts > add or remove users here. there AD account member of is only domain users.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376081
Ok, so if you right click My Computer>Select Manage then look at Local Users and Groups in Administrators and Power Users are there any accounts/groups listed in there?

Domain Admin and Administrator should be the only thing in Administrators and Power Users should be empty.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376443
there is other stuff in the Administrators group, i should remove all then
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376572
Please list what you see before removing anything - don't provide direct domain named accounts without scrubbing the private info.

There may be specific reasons for other groups and I don't want you to do something to break other stuff.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376645
in the admin group have administrator, domain\domain admin, domain\ed, domain\larry, jeffsteffy. in user group have domain\jerry, domain\domain users....
jerry is user of computer, ed & larry are management of that dept
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 300 total points
ID: 20376739
OK so you have Ed, Larry and you as local Administrators - all these people will have Admin rights locally when they log into the domain.
You don't need anything in the Users Group other than Domain Users.

Make sure Power Users is empty.

0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
User profile Size Report 3 83
Exchange 2003 converted to VM but now email does not work 5 71
Which browser works with XP 16 299
Auto Login Script 3 51
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question