Solved

Group Policy and AD 2003

Posted on 2009-06-29
3
217 Views
Last Modified: 2012-05-07
Hello,
In AD WIndows 2003 I want to create a new container with a group policy so a user created on this container will have the following behavior:

When user open a session on a XP Client, he will have a very limited access to this PC, no control panel, to acces to C drive, no possible to store files on desktop. User will only be able to save files to "my documents". Other feature required: when user open a session, an application will be launched automatically, and all other application (in start/program files) will be hidden from user

How do I create my group policy ? Any written document with examples ?
Thank you
0
Comment
Question by:gadsad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 15

Accepted Solution

by:
Rob Stone earned 500 total points
ID: 24735943
It sounds like you want to use GPO and Mandatory Profile.

Create a new profile and lock it down how you wish with the view. Then copy this to the profile server and renam ntuser.dat to ntuser.man.  They will not be able to change the desktop or any other profile settings then.

You can also have the application set in the users startup folder for the application to launch when they log in.

You can map the user drive to their my documents if it's a network share otherwise the above method won't be any good.

For removing the control panel, browse to the following when creating the GPO:
User Config > Admin Templates > Control Panel > Prohibit access to the Control Panel.
0
 

Author Comment

by:gadsad
ID: 24736154
Very interesting but I am not sure how to do it (block the profile, rename the profile...)
Do you have a technical document which can describe in detail all this? It would be great!
Thank you
0
 
LVL 15

Expert Comment

by:Rob Stone
ID: 24886833
Here is a link for the Mandatory Profiles.  Remember to have it configured how you want it for all the users who will use it and then copy the profile to a network share:

http://technet.microsoft.com/en-us/library/cc786301%28WS.10%29.aspx
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question