Solved

GPO to lock down computers in a computer Lab

Posted on 2016-10-12
7
32 Views
Last Modified: 2016-11-06
I would like to know in detail if possible which gpo policys i need to change to lock down a pc.
Here is a list of things i would like to do. I would like this to be applied mainly for the "Student" user account.
IF you think i should add more please add them to the list
1.  Icons on the desktop cant be deleted.
2. When they click on start button they can only reboot.
3. IE, Chrome and Firefox, Office and Adobe Reader are allowed.
4. Task manager is disabled.
5. No Right Clicking on desktop so that cant modify background or create shortcuts.
5. Student account cant save any files to desktop and removable usb drives and optical are disabled.

thanks
0
Comment
Question by:noclav
  • 3
  • 2
7 Comments
 
LVL 7

Expert Comment

by:No More
ID: 41840456
1, Well are those computers use by different users than just Students?

2, Depending on point one to choose combination of user and computer GPO

3, For desktop icons, you could create share folder with icons they only need and redirect it using folder redirection and with not allow change in policy and only read and execute permission for share folder to specific group/users

4, Use Applocker policy to while list those apps, also if you remove Local Administrator rights from students they won't be able to install program anyway

5, Removable devices and task manager is the easy part

Let me know how these computers will be used  and how tight security you want to apply
0
 
LVL 7

Accepted Solution

by:
No More earned 500 total points
ID: 41840474
Remove Task manager - This policy setting prevents users from starting Task Manager.
USER Conf. /admin templates - System-ctrl-alt-delete - remove task manager

Removable storage access - If you enable this policy setting, no access is allowed to any removable storage class.
User Conf. /admin templates - System - Removable storage access  - All Removable storage classes: deny all access

User Conf. / admin templates -Desktop - Desktop Prohibit changes,  - More options here choose

User conf. / Admin Templates - Start menu and Taskbar = you will find a lot of policy options for your needs
0
 

Author Comment

by:noclav
ID: 41840482
thanks for the reply only one user account is used on this computer named "Student" This is a small school with out 3 computers in the lab. I would like to lock this down as much as possible as i am a part time IT guy for them. Less headaches for me the better. They only use the computers mainly for testing. so there is software that i installed for state testing.
0
 
LVL 7

Expert Comment

by:No More
ID: 41840494
And also User Conf. / control panel - Personalization -  Prevent changing ( multiple options)


Are you deploying that software through group policy ?


Group policy has a lot of options
0
 

Author Comment

by:noclav
ID: 41840504
at the moment im not pushing software from GPO i would like to but need to test that. For now i just install it.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question