Solved

Setting up user profiles while locked down with Group Policy

Posted on 2009-07-13
Last Modified: 2012-08-14
I will start with describing our current setup. This IT department services multiple remote locations. Each location has a Win2K3 server with Active Directory and 20-30 clients. For right now let's focus on 1 location.  On the server we have the Sales user. All our sales computers are logged on as this Sales user. This Sales user is in the group called SalesCounter. SalesCounter group is then regulated by a group policy. This group policy basically locks out everything except our sales application running on the system. You can't right click, open explorer, nothing. Only run this application.
The problem is setting up these new systems.  There are some initial things we do when setting up new systems. For one we want to log in as our Sales user and turn off power management. This is the main thing. The systems should not go to standby or have the monitor or hard disk turn off.  Of course I cannot do this because after joining the domain and logging on with the Sales user, I am locked down. To change anything on this profile I have to remove SalesCounter group from the group policy, AND set Sales network account to local admin on the system. As you can see this is a highly insecure way of doing it.  I just know there has to be a better way to accomplish this, even if it means changing our current structure. Please advise. Thank you.
Question by:cpeele
8 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 24840648
Why not have the group policy also handle the power settings ?

I hope this helps !
0
 

Author Comment

by:cpeele
ID: 24840720
Well that was one of the first things we looked into but found no settings for it.  However I just did a Google search after reading your comment, and found that the Energy Star Group has released an addon to allow this. Here is the link for anyone looking: http://windowsitpro.com/article/articleid/93799/how-can-i-use-group-policy-to-manage-power-options-under-windows-xp.html
I will try this and post back. Thanks.
0
 

Author Comment

by:cpeele
ID: 24841224
I am in the process of setting this up, but can I also turn off the wallpaper with Group Policy? There is one set by default. I just need to turn it off on the Sales profile.
0

 
LVL 10

Assisted Solution

by:remmett70
remmett70 earned 200 total points
ID: 24841515
When setting up a new computer, set the power features the way you would like them under an administrative account.  Then copy that profile to the default user.  Once that profile is copied, when you log on with your sales user, the power settings will be correct.
0
 
LVL 10

Accepted Solution

by:JonLambert
JonLambert earned 1800 total points
ID: 24845124
You can deploy the Group Policy Client Side Extensions to the (presumed) XP clients, and then manage Power Settings via Group Policy preferences.  This works in a 2003 domain, though you need to use a Vista client to manage the Group Policy Preferences.

If you do decide to create a new default user profile, then ensure that you are using a local admin account (not a domain account) when creating the profile.  But this will not help your existing users.

A final option is to change the permissions on the Power Settings registry keys, so that standard users can modify them.

From http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx

Run Regedit.exe as an administrator
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
Right-click on the GlobalPowerPolicy key and choose Permissions.
Click on the Advanced button.
Click Add.
Type INTERACTIVE and click Check names, then OK.
Check the Set value and Create Subkey checkboxes in the Allow column, and click OK, then OK, then OK.
Do the same thing with the PowerPolicies key.



0
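
The registry permission change in the accepted answer can be scripted so it is applied the same way on every new sales PC. The PowerShell below is an added example, not part of the original answer; it assumes an elevated session on the client and that the rule should apply to each key and its subkeys, and it grants INTERACTIVE only Set Value and Create Subkey on the two keys named in the steps.

```powershell
# Added example (not from the original thread). Run elevated on the client.
# Grants INTERACTIVE only "Set Value" and "Create Subkey" on the two power-policy
# keys, so the locked-down Sales account never needs local admin rights.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg'
$keys = 'GlobalPowerPolicy', 'PowerPolicies'

# Resolve INTERACTIVE by well-known SID so the script is locale-independent.
$interactive = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::InteractiveSid, $null)
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'

foreach ($name in $keys) {
    $path = Join-Path $base $name
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found; skipping"
        continue
    }

    $acl  = Get-Acl -Path $path
    # Assumption: the rule applies to this key and its subkeys (ContainerInherit).
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $interactive, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and show what INTERACTIVE now holds on this key.
    (Get-Acl -Path $path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $interactive } |
        Select-Object @{ n = 'Key'; e = { $name } },
                      RegistryRights, AccessControlType, IsInherited
}
```

The read-back at the end is worth keeping in a build checklist: it should list only SetValue and CreateSubKey for INTERACTIVE on each key, which confirms the grant is limited to power settings and that the Sales account was not given broader rights.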
 

Author Comment

by:cpeele
ID: 24850124
That registry change will work fine for us.  Thanks! However I am still stuck on the wallpaper issue. I can make display control panel be the only one available via Group Policy so that I can turn off the wallpaper, but that leaves this available for people to change. I could then go turn off the display applet but then I'm back where I started of having to change that every time. Do you have any suggestions for this?
0
 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 1800 total points
ID: 24855188
For the wallpaper, I would basically set the wallpaper via Group Policy to be a specific file on the PC (e.g. c:\windows\Wallpaper.jpg), and then update the specified file on the PC if you need to change the 'Wallpaper' for the profile.  From memory if the file specified does not exist, then the wallpaper is effectively turned off, so you could specify a file that does not currently exist, and create that file if you need a wallpaper.

Is this what you are after, or have I misunderstood?
0
 

Author Closing Comment

by:cpeele
ID: 31602858
Thanks guys. Sorry for taking so long to award points.
0
