?
Solved

Setting up user profiles while locked down with Group Policy

Posted on 2009-07-13
8
Medium Priority
?
426 Views
Last Modified: 2012-08-14
I will start with describing our current setup. This IT department services multiple remote locations. Each location has a Win2K3 server with Active Directory and 20-30 clients. For right now let's focus on 1 location.  On the server we have the Sales user. All our sales computers are logged on as this Sales user. This Sales user is in the group called SalesCounter. SalesCounter group is then regulated by a group policy. This group policy basically locks out everything except our sales application running on the system. You can't right click, open explorer, nothing. Only run this application.
The problem is setting up these new systems.  There are some initial things we do when setting up new systems. For one we want to log in as our Sales user and turn off power management. This is the main thing. The systems should not go to standby or have the monitor or hard disk turn off.  Of course I cannot do this because after joining the domain and logging on with the Sales user, I am locked down. To change anything on this profile I have to remove SalesCounter group from the group policy, AND set Sales network account to local admin on the system. As you can see this is a highly insecure way of doing it.  I just know there has to be a better way to accomplish this, even if it means changing our current structure. Please advise. Thank you.
0
Comment
Question by:cpeele
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 63

Expert Comment

by:SysExpert
ID: 24840648
Why not have the group policy also handle the power settings ?

I hope this helps !
0
 

Author Comment

by:cpeele
ID: 24840720
Well that was one of the first things we looked into but found no settings for it.  However I just did a google search after reading your comment, and found that the Energy Star Group has released an addon to allow this. Here is the link for anyone looking: http://windowsitpro.com/article/articleid/93799/how-can-i-use-group-policy-to-manage-power-options-under-windows-xp.html
I will try this and post back. Thanks.
0
 

Author Comment

by:cpeele
ID: 24841224
I am in the process of setting this up, but also can I turn off the wallpaper with Group Policy. There is one set by default. I just need to turn it off on the Sales profile.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 10

Assisted Solution

by:remmett70
remmett70 earned 200 total points
ID: 24841515
When setting up a new computer, set the power features the way you would like them under an administrative account.  Then copy that profile to the default user.  Once that profile is copied, when you log on with your sales user, the power settings will be correct.
0
 
LVL 10

Accepted Solution

by:
JonLambert earned 1800 total points
ID: 24845124
You can deploy the Group Policy Client Side Extensions the (presumed) XP clients, and then manage Power Settings via Group Policy preferences.  This works in a 2003 domain, though you need to use a Vista client to manage the Group Policy Preferences.

If you do decided to create a new default user profile, then ensure that you are using a local admin account (not a domain account) when creating the profile.  But this will not help your existing users.

A final option is to change the permissions on the Power Settings registry keys, so that standard users can modify them.

From http://blogs.msdn.com/aaron_margosis/archive/2005/02/09/370263.aspx

Run Regedit.exe as an administrator
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg
Right-click on the GlobalPowerPolicy key and choose Permissions.
Click on the Advanced button.
Click Add.
Type INTERACTIVE and click Check names, then OK.
Check the Set value and Create Subkey checkboxes in the Allow column, and click OK, then OK, then OK.
Do the same thing with the PowerPolicies key.



0
 

Author Comment

by:cpeele
ID: 24850124
That registry change will work fine for us.  Thanks! However I am still stuck on the wallpaper issue. I can make display control panel be the only one available via Group Policy so that I can turn off the wallpaper, but that leaves this available for people to change. I could then go turn off the display applet but then I'm back where I started of having to change that every time. Do you have any suggestions for this?
0
 
LVL 10

Assisted Solution

by:JonLambert
JonLambert earned 1800 total points
ID: 24855188
For the wallpaper, I would basically set the wallpaper via Group Policy to be a specific file on the PC (e.g. c:\windows\Wallpaper.jpg), and then update the specified file on the PC if you need to change the 'Wallpaper' for the profile.  From memory if the file specified does not exist, then the wallpaper is effectivly turned off, so you could specify a file that does not currently exist, and create that file if you need a wallpaper.

Is this what you are after, or have I misunderstood.
0
 

Author Closing Comment

by:cpeele
ID: 31602858
Thanks guys. Sorry for taking so long to award points.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question