Windows XP on Windows Domain

I have made uses on the network standard users on thier local computer so they can not install un approved software ect. How can i make it so they can not edit the registry or make other system changes on XP Pro computers on windows 2003 domain?
LVL 2
jeffsteffyAsked:
Who is Participating?
 
Netman66Connect With a Mentor Commented:
OK so you have Ed, Larry and you as local Administrators - all these people will have Admin rights locally when they log into the domain.
You don't need anything in the Users Group other than Domain Users.

Make sure Power Users is empty.

0
 
Netman66Commented:
Normally, they can't do either if they are standard users.

They *may* be able to edit the HKCU key because it's their NTUSER.DAT, but normally they can't open Regedit.

Are you sure they are not in a local group (like Power Users or Administrators) on their workstation?

You have the option to prevent users from using Regedit if all the above check out okay.  In Group policy you can define that element.

0
 
BrughConnect With a Mentor Commented:
Just disable "CMD" or "RUN" using group policy.  

You can also remove access to control panel items and system 32 directories just by applying GPOs.

Group Policies can do all of this for you.

GPO Overview
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.msp

You will want to plan exactly what you want to deny and configure those GPO's accordingly.

hth
 - Brugh
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
Brian PierceConnect With a Mentor PhotographerCommented:
Standard user don't have the ability to modify the registry be default - you need do no more.
0
 
jeffsteffyAuthor Commented:
i will verify they are not in a local group (like Power Users or Administrators) on their workstation?
and let you know

thanks
0
 
Netman66Commented:
Ok.

That's the only way they would have access to do this.

0
 
jeffsteffyAuthor Commented:
i have the radio button check for Standard user can still delete registry should i use restricted user or other > user
0
 
Netman66Commented:
What radio button?  By Standard user, I mean the user account in AD is only a member of Domain Users and locally, Domain Users is only part of Users.

If the Domain User group is member of Power Users and Administrators OR the actual user is a member of those groups, then you're going to see this happen.

0
 
jeffsteffyAuthor Commented:
I have been talking about start > control panel > user accounts > add or remove users here. there AD account member of is only domain users.
0
 
Netman66Commented:
Ok, so if you right click My Computer>Select Manage then look at Local Users and Groups in Administrators and Power Users are there any accounts/groups listed in there?

Domain Admin and Administrator should be the only thing in Administrators and Power Users should be empty.
0
 
jeffsteffyAuthor Commented:
there is other stuff in the Administrators group, i should remove all then
0
 
Netman66Commented:
Please list what you see before removing anything - don't provide direct domain named accounts without scrubbing the private info.

There may be specific reasons for other groups and I don't want you to do something to break other stuff.

0
 
jeffsteffyAuthor Commented:
in the admin group have administrator, domain\domain admin, domain\ed, domain\larry, jeffsteffy. in user group have domain\jerry, domain\domain users....
jerry is user of computer, ed & larry are management of that dept
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.