Solved

Windows XP on Windows Domain

Posted on 2007-11-28
13
166 Views
Last Modified: 2013-12-04
I have made uses on the network standard users on thier local computer so they can not install un approved software ect. How can i make it so they can not edit the registry or make other system changes on XP Pro computers on windows 2003 domain?
0
Comment
Question by:jeffsteffy
13 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 20370171
Normally, they can't do either if they are standard users.

They *may* be able to edit the HKCU key because it's their NTUSER.DAT, but normally they can't open Regedit.

Are you sure they are not in a local group (like Power Users or Administrators) on their workstation?

You have the option to prevent users from using Regedit if all the above check out okay.  In Group policy you can define that element.

0
 
LVL 9

Assisted Solution

by:Brugh
Brugh earned 100 total points
ID: 20370195
Just disable "CMD" or "RUN" using group policy.  

You can also remove access to control panel items and system 32 directories just by applying GPOs.

Group Policies can do all of this for you.

GPO Overview
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.msp

You will want to plan exactly what you want to deny and configure those GPO's accordingly.

hth
 - Brugh
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 20370205
Standard user don't have the ability to modify the registry be default - you need do no more.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20370209
i will verify they are not in a local group (like Power Users or Administrators) on their workstation?
and let you know

thanks
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20370246
Ok.

That's the only way they would have access to do this.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20374266
i have the radio button check for Standard user can still delete registry should i use restricted user or other > user
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 51

Expert Comment

by:Netman66
ID: 20375410
What radio button?  By Standard user, I mean the user account in AD is only a member of Domain Users and locally, Domain Users is only part of Users.

If the Domain User group is member of Power Users and Administrators OR the actual user is a member of those groups, then you're going to see this happen.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20375844
I have been talking about start > control panel > user accounts > add or remove users here. there AD account member of is only domain users.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376081
Ok, so if you right click My Computer>Select Manage then look at Local Users and Groups in Administrators and Power Users are there any accounts/groups listed in there?

Domain Admin and Administrator should be the only thing in Administrators and Power Users should be empty.
0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376443
there is other stuff in the Administrators group, i should remove all then
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376572
Please list what you see before removing anything - don't provide direct domain named accounts without scrubbing the private info.

There may be specific reasons for other groups and I don't want you to do something to break other stuff.

0
 
LVL 2

Author Comment

by:jeffsteffy
ID: 20376645
in the admin group have administrator, domain\domain admin, domain\ed, domain\larry, jeffsteffy. in user group have domain\jerry, domain\domain users....
jerry is user of computer, ed & larry are management of that dept
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 300 total points
ID: 20376739
OK so you have Ed, Larry and you as local Administrators - all these people will have Admin rights locally when they log into the domain.
You don't need anything in the Users Group other than Domain Users.

Make sure Power Users is empty.

0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now