Solved

Group Policy issue, exclusion of user and lower premitions

Posted on 2007-12-05
7
704 Views
Last Modified: 2008-05-31
I have an OU with users in it that need a Group Policy that only allows the users to go on the web and do everything they need to do on the web, but all abilities to change the profile need to be shut off, and ability to run applications that were installed on the local machine need to be shut off or made so the user cannot use or see them. Also I need to be able to have Internet Explorer open every time you logon on any machine with these users and I need to specify a home page. It would be much appreciated if someone could help me with the settings I need in the GPO editor.

Thanks
0
Comment
Question by:HannasIT
  • 3
  • 2
7 Comments
 

Accepted Solution

by:
ADiRaju-B earned 300 total points
ID: 20415731
Oh.. I cant attach the document... How can I send  you a document that I have prepared?
0
 

Author Comment

by:HannasIT
ID: 20415776
If you want you can send it to ****Email Address Removed*** by TechSoEasy EE's Microsoft Zone Advisor

Thanks
0
 

Expert Comment

by:ADiRaju-B
ID: 20415906
Sent it... let me know does that help you... cos i prepared it from what i understood from your qn...
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Expert Comment

by:ADiRaju-B
ID: 20421430
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 200 total points
ID: 20425994
Those steps will work somewhat, but will not completely lock down a workstation.  Because even though a user cannot run the command prompt or whatever programs are configured to not run, it doesn't stop them from doing other things such as CTRL-ALT-DEL or right clicking on the task bar which will allow them to open up the Task Manager or even just clicking Start > Run....  

It also doesn't stop them from running a program or browsing the drive or network through Internet Explorer's Address bar.

In order to have a full lockdown policy you need to enable loopback processing.  But this can be both difficult to configure and is not entirely effective (http://www.windowsitpro.com/articles/print.cfm?articleid=94618).

HannasIT, from what I understand you are looking for, you may not want to use an OU at all... in fact you may not want to even add these users to your Active Directory.  Especially, if all they are doing is accessing a specific web page and not accessing any network resources.  Instead, you can have them reboot the computer they are working on with a LiveCD Operating System that runs only on the CD itself and will deny them access to the hard drive and the rest of the network.  This is a common method for running "KIOSK" stations, and you have the added advantage that you do NOT need a CAL for these users.

There are various Live CD Kiosk versions around... most run Linux and will open Firefox upon booting prohibiting any other application from running.  

See this review article for more information about Firefox Live, BoothCD and LiveKiosk:  http://snipr.com/1uw8p
There's also https://launchpad.net/kiosk

Most of these can be modified to go to a specific site as well and as long as your SBS is handing out DHCP, there won't be any problem with them accessing the Internet.

Jeff
TechSoEasy

0
 

Author Comment

by:HannasIT
ID: 20500705
Ok thanks everyone, it worked
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
ADMT DNS registration issues 4 21
LDAP and ADFS 1 23
Office 365 Azure AD Connect 4 20
AD Replications issues 12 42
The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now