Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows XP on Windows Domain

Posted on 2007-11-28
13
Medium Priority
?
173 Views
Last Modified: 2013-12-04
I have made uses on the network standard users on thier local computer so they can not install un approved software ect. How can i make it so they can not edit the registry or make other system changes on XP Pro computers on windows 2003 domain?
0
Comment
Question by:jeffsteffy
13 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 20370171
Normally, they can't do either if they are standard users.

They *may* be able to edit the HKCU key because it's their NTUSER.DAT, but normally they can't open Regedit.

Are you sure they are not in a local group (like Power Users or Administrators) on their workstation?

You have the option to prevent users from using Regedit if all the above check out okay.  In Group policy you can define that element.

0
 
LVL 9

Assisted Solution

by:Brugh
Brugh earned 400 total points
ID: 20370195
Just disable "CMD" or "RUN" using group policy.  

You can also remove access to control panel items and system 32 directories just by applying GPOs.

Group Policies can do all of this for you.

GPO Overview
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.msp

You will want to plan exactly what you want to deny and configure those GPO's accordingly.

hth
 - Brugh
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 400 total points
ID: 20370205
Standard user don't have the ability to modify the registry be default - you need do no more.
0
Ready for your healthcare security check-up?

In the past few years, healthcare organizations have become a prime target for advanced attacks. Does your organization have what it needs to defend itself? Schedule your healthcare security check-up today and download our free Healthcare Security Resource Kit today!

 
LVL 2

Author Comment

by:jeffsteffy
ID: 20370209
i will verify they are not in a local group (like Power Users or Administrators) on their workstation?
and let you know

thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20370246
Ok.

That's the only way they would have access to do this.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20374266
i have the radio button check for Standard user can still delete registry should i use restricted user or other > user
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20375410
What radio button?  By Standard user, I mean the user account in AD is only a member of Domain Users and locally, Domain Users is only part of Users.

If the Domain User group is member of Power Users and Administrators OR the actual user is a member of those groups, then you're going to see this happen.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20375844
I have been talking about start > control panel > user accounts > add or remove users here. there AD account member of is only domain users.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376081
Ok, so if you right click My Computer>Select Manage then look at Local Users and Groups in Administrators and Power Users are there any accounts/groups listed in there?

Domain Admin and Administrator should be the only thing in Administrators and Power Users should be empty.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376443
there is other stuff in the Administrators group, i should remove all then
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376572
Please list what you see before removing anything - don't provide direct domain named accounts without scrubbing the private info.

There may be specific reasons for other groups and I don't want you to do something to break other stuff.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376645
in the admin group have administrator, domain\domain admin, domain\ed, domain\larry, jeffsteffy. in user group have domain\jerry, domain\domain users....
jerry is user of computer, ed & larry are management of that dept
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 1200 total points
ID: 20376739
OK so you have Ed, Larry and you as local Administrators - all these people will have Admin rights locally when they log into the domain.
You don't need anything in the Users Group other than Domain Users.

Make sure Power Users is empty.

0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question