Solved

Setting up user profiles while locked down with Group Policy

Posted on 2009-07-13
8
425 Views
Last Modified: 2012-08-14
I will start with describing our current setup. This IT department services multiple remote locations. Each location has a Win2K3 server with Active Directory and 20-30 clients. For right now let's focus on 1 location.  On the server we have the Sales user. All our sales computers are logged on as this Sales user. This Sales user is in the group called SalesCounter. SalesCounter group is then regulated by a group policy. This group policy basically locks out everything except our sales application running on the system. You can't right click, open explorer, nothing. Only run this application.
The problem is setting up these new systems.  There are some initial things we do when setting up new systems. For one we want to log in as our Sales user and turn off power management. This is the main thing. The systems should not go to standby or have the monitor or hard disk turn off.  Of course I cannot do this because after joining the domain and logging on with the Sales user, I am locked down. To change anything on this profile I have to remove SalesCounter group from the group policy, AND set Sales network account to local admin on the system. As you can see this is a highly insecure way of doing it.  I just know there has to be a better way to accomplish this, even if it means changing our current structure. Please advise. Thank you.
0
Comment
Question by:cpeele
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 24840648
Why not have the group policy also handle the power settings ?

I hope this helps !
0
 

Author Comment

by:cpeele
ID: 24840720
Well that was one of the first things we looked into but found no settings for it.  However I just did a google search after reading your comment, and found that the Energy Star Group has released an addon to allow this. Here is the link for anyone looking: http://windowsitpro.com/article/articleid/93799/how-can-i-use-group-policy-to-manage-power-options-under-windows-xp.html
I will try this and post back. Thanks.
0
 

Author Comment

by:cpeele
ID: 24841224
I am in the process of setting this up, but also can I turn off the wallpaper with Group Policy. There is one set by default. I just need to turn it off on the Sales profile.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 10

Assisted Solution

by:remmett70
remmett70 earned 50 total points
ID: 24841515
When setting up a new computer, set the power features the way you would like them under an administrative account.  Then copy that profile to the default user.  Once that profile is copied, when you log on with your sales user, the power settings will be correct.
0
 
LVL 10

Accepted Solution

by:
JonLambert earned 450 total points
ID: 24845124
You can deploy the Group Policy Client Side Extensions the (presumed) XP clients, and then manage Power Settings via Group Policy preferences.  This works in a 2003 domain, though you need to use a Vista client to manage the Group Policy Preferences.

If you do decided to create a new default user profile, then ensure that you are using a local admin account (not a domain account) when creating the profile.  But this will not help your existing users.

A final option is to change the permissions on the Power Settings registry keys, so that standard users can modify them.

From http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx

Run Regedit.exe as an administrator
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
Right-click on the GlobalPowerPolicy key and choose Permissions.
Click on the Advanced button.
Click Add.
Type INTERACTIVE and click Check names, then OK.
Check the Set value and Create Subkey checkboxes in the Allow column, and click OK, then OK, then OK.
Do the same thing with the PowerPolicies key.



0
 

Author Comment

by:cpeele
ID: 24850124
That registry change will work fine for us.  Thanks! However I am still stuck on the wallpaper issue. I can make display control panel be the only one available via Group Policy so that I can turn off the wallpaper, but that leaves this available for people to change. I could then go turn off the display applet but then I'm back where I started of having to change that every time. Do you have any suggestions for this?
0
 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 450 total points
ID: 24855188
For the wallpaper, I would basically set the wallpaper via Group Policy to be a specific file on the PC (e.g. c:\windows\Wallpaper.jpg), and then update the specified file on the PC if you need to change the 'Wallpaper' for the profile.  From memory if the file specified does not exist, then the wallpaper is effectivly turned off, so you could specify a file that does not currently exist, and create that file if you need a wallpaper.

Is this what you are after, or have I misunderstood.
0
 

Author Closing Comment

by:cpeele
ID: 31602858
Thanks guys. Sorry for taking so long to award points.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question