Solved

Setting up user profiles while locked down with Group Policy

Posted on 2009-07-13
8
422 Views
Last Modified: 2012-08-14
I will start with describing our current setup. This IT department services multiple remote locations. Each location has a Win2K3 server with Active Directory and 20-30 clients. For right now let's focus on 1 location.  On the server we have the Sales user. All our sales computers are logged on as this Sales user. This Sales user is in the group called SalesCounter. SalesCounter group is then regulated by a group policy. This group policy basically locks out everything except our sales application running on the system. You can't right click, open explorer, nothing. Only run this application.
The problem is setting up these new systems.  There are some initial things we do when setting up new systems. For one we want to log in as our Sales user and turn off power management. This is the main thing. The systems should not go to standby or have the monitor or hard disk turn off.  Of course I cannot do this because after joining the domain and logging on with the Sales user, I am locked down. To change anything on this profile I have to remove SalesCounter group from the group policy, AND set Sales network account to local admin on the system. As you can see this is a highly insecure way of doing it.  I just know there has to be a better way to accomplish this, even if it means changing our current structure. Please advise. Thank you.
0
Comment
Question by:cpeele
8 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 24840648
Why not have the group policy also handle the power settings ?

I hope this helps !
0
 

Author Comment

by:cpeele
ID: 24840720
Well that was one of the first things we looked into but found no settings for it.  However I just did a google search after reading your comment, and found that the Energy Star Group has released an addon to allow this. Here is the link for anyone looking: http://windowsitpro.com/article/articleid/93799/how-can-i-use-group-policy-to-manage-power-options-under-windows-xp.html
I will try this and post back. Thanks.
0
 

Author Comment

by:cpeele
ID: 24841224
I am in the process of setting this up, but also can I turn off the wallpaper with Group Policy. There is one set by default. I just need to turn it off on the Sales profile.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 10

Assisted Solution

by:remmett70
remmett70 earned 50 total points
ID: 24841515
When setting up a new computer, set the power features the way you would like them under an administrative account.  Then copy that profile to the default user.  Once that profile is copied, when you log on with your sales user, the power settings will be correct.
0
 
LVL 10

Accepted Solution

by:
JonLambert earned 450 total points
ID: 24845124
You can deploy the Group Policy Client Side Extensions the (presumed) XP clients, and then manage Power Settings via Group Policy preferences.  This works in a 2003 domain, though you need to use a Vista client to manage the Group Policy Preferences.

If you do decided to create a new default user profile, then ensure that you are using a local admin account (not a domain account) when creating the profile.  But this will not help your existing users.

A final option is to change the permissions on the Power Settings registry keys, so that standard users can modify them.

From http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx

Run Regedit.exe as an administrator
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
Right-click on the GlobalPowerPolicy key and choose Permissions.
Click on the Advanced button.
Click Add.
Type INTERACTIVE and click Check names, then OK.
Check the Set value and Create Subkey checkboxes in the Allow column, and click OK, then OK, then OK.
Do the same thing with the PowerPolicies key.



0
 

Author Comment

by:cpeele
ID: 24850124
That registry change will work fine for us.  Thanks! However I am still stuck on the wallpaper issue. I can make display control panel be the only one available via Group Policy so that I can turn off the wallpaper, but that leaves this available for people to change. I could then go turn off the display applet but then I'm back where I started of having to change that every time. Do you have any suggestions for this?
0
 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 450 total points
ID: 24855188
For the wallpaper, I would basically set the wallpaper via Group Policy to be a specific file on the PC (e.g. c:\windows\Wallpaper.jpg), and then update the specified file on the PC if you need to change the 'Wallpaper' for the profile.  From memory if the file specified does not exist, then the wallpaper is effectivly turned off, so you could specify a file that does not currently exist, and create that file if you need a wallpaper.

Is this what you are after, or have I misunderstood.
0
 

Author Closing Comment

by:cpeele
ID: 31602858
Thanks guys. Sorry for taking so long to award points.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question