Solved

GPO to lock down computers in a computer Lab

Posted on 2016-10-12
7
21 Views
Last Modified: 2016-11-06
I would like to know in detail if possible which gpo policys i need to change to lock down a pc.
Here is a list of things i would like to do. I would like this to be applied mainly for the "Student" user account.
IF you think i should add more please add them to the list
1.  Icons on the desktop cant be deleted.
2. When they click on start button they can only reboot.
3. IE, Chrome and Firefox, Office and Adobe Reader are allowed.
4. Task manager is disabled.
5. No Right Clicking on desktop so that cant modify background or create shortcuts.
5. Student account cant save any files to desktop and removable usb drives and optical are disabled.

thanks
0
Comment
Question by:noclav
  • 3
  • 2
7 Comments
 
LVL 6

Expert Comment

by:No More
ID: 41840456
1, Well are those computers use by different users than just Students?

2, Depending on point one to choose combination of user and computer GPO

3, For desktop icons, you could create share folder with icons they only need and redirect it using folder redirection and with not allow change in policy and only read and execute permission for share folder to specific group/users

4, Use Applocker policy to while list those apps, also if you remove Local Administrator rights from students they won't be able to install program anyway

5, Removable devices and task manager is the easy part

Let me know how these computers will be used  and how tight security you want to apply
0
 
LVL 6

Accepted Solution

by:
No More earned 500 total points
ID: 41840474
Remove Task manager - This policy setting prevents users from starting Task Manager.
USER Conf. /admin templates - System-ctrl-alt-delete - remove task manager

Removable storage access - If you enable this policy setting, no access is allowed to any removable storage class.
User Conf. /admin templates - System - Removable storage access  - All Removable storage classes: deny all access

User Conf. / admin templates -Desktop - Desktop Prohibit changes,  - More options here choose

User conf. / Admin Templates - Start menu and Taskbar = you will find a lot of policy options for your needs
0
 

Author Comment

by:noclav
ID: 41840482
thanks for the reply only one user account is used on this computer named "Student" This is a small school with out 3 computers in the lab. I would like to lock this down as much as possible as i am a part time IT guy for them. Less headaches for me the better. They only use the computers mainly for testing. so there is software that i installed for state testing.
0
 
LVL 6

Expert Comment

by:No More
ID: 41840494
And also User Conf. / control panel - Personalization -  Prevent changing ( multiple options)


Are you deploying that software through group policy ?


Group policy has a lot of options
0
 

Author Comment

by:noclav
ID: 41840504
at the moment im not pushing software from GPO i would like to but need to test that. For now i just install it.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Article by: Lee
Windows 7 Ultimate and Enterprise (and 2008 R2) introduced a new feature you may not be aware of - Boot from VHD.   Boot from VHD (or what Microsoft refers to asNative Boot allows you to install Windows to a VHD (Virtual Hard Disk) file that is t…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now