1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Group Policy??? Help please

Discussion in 'Legacy Windows' started by nice22, 2002/10/09.

Thread Status:
Not open for further replies.
  1. 2002/10/09
    nice22

    nice22 Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    26
    Likes Received:
    0
    thanks for any help..

    how i prevent a users to make changes on the local computer so they can damage the operating systems like downloading staff from the internet and install on the computer , or delete same files on windows or trying to be smarts and go to registry and make changes is there a way to make a group policy from the server and control all this .
    thanks for any help here

    i have a Domain with 10 user 2000 server and all 2K workstations
     
    nice22,
    #1
  2. 2002/10/09
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    With only 10 workstations, probably easier just to tweak each workstation.

    Change the file systems to NTFS if they aren't already.

    Set regedit and regedt32 security so only local and domain admins have access to the files.

    Remove any local logon except administrator and don't let users know the password.

    Set security on the hard drive(s) so that the users have only read/execute permissions on the entire drive. Then change permissions on their folder in Documents & Settings to give modify access to only My Documents and the temp storage folders. Same with the main temp folder.

    Remove the start~run option
    Hive: HKEY_CURRENT_USER
    Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Create NoRun as REG_DWORD and value: 1

    And if you want to lock things down some more, you can use the following pair of reg tweaks

    To restrict users - allowing only programs you specify to be run
    Hive: HKEY_CURRENT_USER
    Key: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Create the value RestrictRun as REG_DWORD and set it to 1

    then to specify what programs can be run (and be sure to include ntvdm.exe if they need to run DOS programs) create a new subkey
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\RestrictRun and put in all the .exe files you want them to be able to run as:
    (default) REG_SZ (value not set)
    1 REG_SZ "notepad.exe"
    2 REG_SZ "explorer.exe"
    3 REG_SZ "regedit.exe"
    4 REG_SZ "regedt32.exe"
    (remember - you have already blocked user access to regedit and regedt32)

    You can do most of this via group policies if you prefer. Might even be easier since then you could exclude yourself from the restrictions.
     
    Last edited: 2002/10/09
    Newt,
    #2


  3. to hide this advert.

Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...