David Schmalzer
Locking down Windows 7 on New Domain
I have created a new domain with Windows Server 2008. Before I join the Windows 7 computers to the domain, I want to know step by step how to "lock the computers down". The end users will be only able to use Microsoft Office, Internet, and a 3rd party application. That is all I want them to be able to do, period. Please give me details on how to accomplish this.
ASKER
I am running Windows Server 2008 Service Pack 2 but do not see that feature under Group Policy.
Hi,
To activate this feature you must have Windows 2008 R2. All clients also must be Windows 7.
ASKER
Ok, then I guess this solution will not work in my situation.
This TechNet article is very helpful too:
Using Software Restriction Policies to Protect Against Unauthorized Software
http://technet.microsoft.com/pt-br/windows/aa940985.aspx
ASKER
Thanks
I think you mean how to lock the applications? This feature is called AppLocker. With this feature you can assign the users to the rules that you have created. For example: User A can run Office 2010 but cannot run Adobe Reader. User B can run Adobe Reader but cannot run Office 2010. Of course you will need to create rules, but first prepare your system for this.
1- First make sure that your Domain and Forest Function Levels are Windows 2008 R2; if not, please raise it. Since you have a new domain, this operation is safe. If you have a Windows 2003 DC, then you should remove it from the environment gracefully.
2- Open Group Policy Management and edit Default Domain Policy
3- Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies
4- Create your rule under AppLocker - Executable Rules
5- Allow or Deny
6- Select Publisher
7- Browse the software that you wanna restrict
8- With the Exceptions tab you can allow or deny previous versions of the same software if you like
9- Name your rule
10- After creation of the rule you may edit it if you like
11- Go to Services and run the Application Identity service
12- Open cmd and run gpupdate /force (restart recommended)
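
The rule-creation steps in the answer above can also be scripted with the AppLocker PowerShell cmdlets that ship with Windows 7 and Windows Server 2008 R2. This is an added example, not part of the original answer; the application directories, the group name, the domain controller and the GPO GUID are placeholders to replace with your own values.

```powershell
# Added example. All paths, names and the LDAP path are placeholders (assumptions).
Import-Module AppLocker

$appDirs   = 'C:\Program Files\Microsoft Office',
             'C:\Program Files\Internet Explorer',
             'C:\Program Files\ThirdPartyApp'          # placeholder for the 3rd party application
$userGroup = 'EXAMPLE\Restricted Users'                # placeholder group the rules apply to
$policyXml = Join-Path $env:TEMP 'applocker-allowlist.xml'
$gpoLdap   = 'LDAP://DC01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'

# --- On a reference Windows 7 machine with the applications installed ---

# Collect publisher (signature) and hash information for every executable.
$files = foreach ($dir in $appDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
}

# Build allow rules: a Publisher rule where the file is signed,
# a Hash rule as fallback where it is not. -Optimize merges similar rules.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $userGroup `
                        -RuleNamePrefix 'Allow' -Optimize -Xml |
    Out-File $policyXml

# Check the decision AppLocker would make before anything is deployed.
# Files matching no rule come back as DeniedByDefault. That includes
# Windows itself (explorer.exe below), so the GPO also needs the default
# rules for the Windows directory (right-click Executable Rules ->
# Create Default Rules) or users will not get a working desktop.
$probe = 'C:\Program Files\Internet Explorer\iexplore.exe',
         'C:\Windows\explorer.exe',
         'C:\Windows\System32\cmd.exe'
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $probe -User $userGroup |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge the generated rules into the GPO (keeps rules already in it).
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap -Merge

# --- On each Windows 7 client (elevated) ---

# AppLocker is not evaluated unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force

# Confirm what the client actually received.
Get-AppLockerPolicy -Effective -Xml
```

Setting the Executable Rules collection to "Audit only" under AppLocker properties in the GPO first lets you review event log entries for what would have been blocked before switching to enforcement.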