Solved

Setting up user profiles while locked down with Group Policy

Posted on 2009-07-13
8
419 Views
Last Modified: 2012-08-14
I will start with describing our current setup. This IT department services multiple remote locations. Each location has a Win2K3 server with Active Directory and 20-30 clients. For right now let's focus on 1 location.  On the server we have the Sales user. All our sales computers are logged on as this Sales user. This Sales user is in the group called SalesCounter. SalesCounter group is then regulated by a group policy. This group policy basically locks out everything except our sales application running on the system. You can't right click, open explorer, nothing. Only run this application.
The problem is setting up these new systems.  There are some initial things we do when setting up new systems. For one we want to log in as our Sales user and turn off power management. This is the main thing. The systems should not go to standby or have the monitor or hard disk turn off.  Of course I cannot do this because after joining the domain and logging on with the Sales user, I am locked down. To change anything on this profile I have to remove SalesCounter group from the group policy, AND set Sales network account to local admin on the system. As you can see this is a highly insecure way of doing it.  I just know there has to be a better way to accomplish this, even if it means changing our current structure. Please advise. Thank you.
0
Comment
Question by:cpeele
8 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 24840648
Why not have the group policy also handle the power settings ?

I hope this helps !
0
 

Author Comment

by:cpeele
ID: 24840720
Well that was one of the first things we looked into but found no settings for it.  However I just did a google search after reading your comment, and found that the Energy Star Group has released an addon to allow this. Here is the link for anyone looking: http://windowsitpro.com/article/articleid/93799/how-can-i-use-group-policy-to-manage-power-options-under-windows-xp.html
I will try this and post back. Thanks.
0
 

Author Comment

by:cpeele
ID: 24841224
I am in the process of setting this up, but also can I turn off the wallpaper with Group Policy. There is one set by default. I just need to turn it off on the Sales profile.
0
 
LVL 10

Assisted Solution

by:remmett70
remmett70 earned 50 total points
ID: 24841515
When setting up a new computer, set the power features the way you would like them under an administrative account.  Then copy that profile to the default user.  Once that profile is copied, when you log on with your sales user, the power settings will be correct.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 10

Accepted Solution

by:
JonLambert earned 450 total points
ID: 24845124
You can deploy the Group Policy Client Side Extensions the (presumed) XP clients, and then manage Power Settings via Group Policy preferences.  This works in a 2003 domain, though you need to use a Vista client to manage the Group Policy Preferences.

If you do decided to create a new default user profile, then ensure that you are using a local admin account (not a domain account) when creating the profile.  But this will not help your existing users.

A final option is to change the permissions on the Power Settings registry keys, so that standard users can modify them.

From http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx

Run Regedit.exe as an administrator
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
Right-click on the GlobalPowerPolicy key and choose Permissions.
Click on the Advanced button.
Click Add.
Type INTERACTIVE and click Check names, then OK.
Check the Set value and Create Subkey checkboxes in the Allow column, and click OK, then OK, then OK.
Do the same thing with the PowerPolicies key.



0
 

Author Comment

by:cpeele
ID: 24850124
That registry change will work fine for us.  Thanks! However I am still stuck on the wallpaper issue. I can make display control panel be the only one available via Group Policy so that I can turn off the wallpaper, but that leaves this available for people to change. I could then go turn off the display applet but then I'm back where I started of having to change that every time. Do you have any suggestions for this?
0
 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 450 total points
ID: 24855188
For the wallpaper, I would basically set the wallpaper via Group Policy to be a specific file on the PC (e.g. c:\windows\Wallpaper.jpg), and then update the specified file on the PC if you need to change the 'Wallpaper' for the profile.  From memory if the file specified does not exist, then the wallpaper is effectivly turned off, so you could specify a file that does not currently exist, and create that file if you need a wallpaper.

Is this what you are after, or have I misunderstood.
0
 

Author Closing Comment

by:cpeele
ID: 31602858
Thanks guys. Sorry for taking so long to award points.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now