Locking down Windows 7 on New Domain

I have created a new domain with Windows Server 2008. Before I join the Windows 7 computers to the domain, I want to know step by step how to "lock the computers down". The end users will be only able to use Microsoft Office, Internet, and a 3rd party application. That is all I want them to be able to do, period. Please give me details on how to accomplish this.
schmad01Asked:

teomcamCommented:
Hi,
I think you mean how to lock the applications? This feature is called AppLocker. With this feature you can assign users to the rules that you have created. For example: User A can run Office 2010 but cannot run Adobe Reader. User B can run Adobe Reader but cannot run Office 2010. Of course you will need to create rules, but first prepare your system for this.

1-First make sure that your Domain and Forest Function Levels are Windows 2008 R2; if not, please raise them. Since you have a new domain, this operation is safe. If you have a Windows 2003 DC, then you should remove it from the environment gracefully.

Open Group Policy Management and edit Default Domain Policy

Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies

Create your rule under AppLocker - Executable Rules

Allow or Deny

Select Publisher

Browse the software that you wanna restrict

With the Exceptions tab you can allow or deny previous versions of the same software if you like

Name your rule

After creation of the rule you may edit it if you like

Go to Services and run the Application Identity service

Open cmd and run gpupdate /force (restart recommended)

0
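
The GUI steps in the answer above can also be scripted with the AppLocker PowerShell cmdlets that ship with Windows 7 and Windows Server 2008 R2. The following is an added example, not part of the original post: it builds publisher rules for Office on a reference PC, applies them locally in audit-only mode, and checks the result before anything is enforced. The Office install path, the policy file name and the `WINWORD.EXE` sample are assumptions.

```powershell
# Added example (not from the thread). Run elevated on a Windows 7 reference PC.
Import-Module AppLocker

# Assumed paths: adjust for the installed Office version.
$officeDir  = 'C:\Program Files\Microsoft Office'
$policyFile = Join-Path $env:TEMP 'applocker-office-audit.xml'

# Build publisher rules from the signatures of the Office executables,
# falling back to hash rules for any unsigned file.
$xmlText = Get-AppLockerFileInformation -Directory $officeDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Put every rule collection in audit-only mode so nothing is blocked yet.
[xml]$doc = $xmlText
foreach ($rc in $doc.SelectNodes('//RuleCollection')) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyFile)

# Apply to the local policy of this test machine (-Merge keeps existing rules).
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# AppLocker is only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Dry run: Office should be Allowed; a Windows binary comes back DeniedByDefault
# because this policy has no rule for %WINDIR% yet. Add the default rules
# (or equivalent) before switching EnforcementMode to Enabled.
$samples = @(
    (Get-ChildItem $officeDir -Recurse -Filter WINWORD.EXE | Select-Object -First 1).FullName,
    "$env:windir\System32\notepad.exe"
)
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# After users have worked normally for a while, list what enforcement would
# have blocked (event 8003 = "would have been blocked" in audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Once the audit log is clean, the same XML file can be imported into a GPO instead of the local policy by passing the GPO's LDAP path to `Set-AppLockerPolicy -Ldap`.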
schmad01Author Commented:
I am running Windows Server 2008 Service Pack 2 but do not see that feature under Group Policy.
0
teomcamCommented:
Hi,
To activate this feature you must have Windows 2008 R2. All clients also must be Windows 7.
0
schmad01Author Commented:
Ok, then I guess this solution will not work in my situation.
0
Renato Montenegro RusticiIT SpecialistCommented:
In the previous versions of Windows, you should use a Software Restriction Policy. There are many samples of it on the Internet. Just look for the term "Software Restriction Policy". See if this one works for you:

Software Restriction Policies in Windows 2008
http://computingtech.blogspot.com/2008/06/windows-server-2008-software.html
0
Renato Montenegro RusticiIT SpecialistCommented:
This technet article is very helpful too:

Using Software Restriction Policies to Protect Against Unauthorized Software
http://technet.microsoft.com/pt-br/windows/aa940985.aspx
0
schmad01Author Commented:
Thanks
0