Setting up user profiles while locked down with Group Policy
Posted on 2009-07-13
I will start with describing our current setup. This IT department services multiple remote locations. Each location has a Win2K3 server with Active Directory and 20-30 clients. For right now let's focus on 1 location. On the server we have the Sales user. All our sales computers are logged on as this Sales user. This Sales user is in the group called SalesCounter. SalesCounter group is then regulated by a group policy. This group policy basically locks out everything except our sales application running on the system. You can't right click, open explorer, nothing. Only run this application.
The problem is setting up these new systems. There are some initial things we do when setting up new systems. For one we want to log in as our Sales user and turn off power management. This is the main thing. The systems should not go to standby or have the monitor or hard disk turn off. Of course I cannot do this because after joining the domain and logging on with the Sales user, I am locked down. To change anything on this profile I have to remove SalesCounter group from the group policy, AND set Sales network account to local admin on the system. As you can see this is a highly insecure way of doing it. I just know there has to be a better way to accomplish this, even if it means changing our current structure. Please advise. Thank you.