Gaspar said:
Our problem is that most computers are shared between several users. Most of
them have common (shared) documents. So it is very problematic having users
log in/use documents/log out for another user to access their documents/and so
on...
So we allow users to log in locally with a common user (for example "User")
and when they access network resources, the domain logon prompt is shown.
That's why we are trying to apply "universal" policies, even if the users don't
log in to the domain.

There's no nice way to say this. You've set up your network insecurely
and incorrectly. The "workaround" is to set things up right and you
won't have issues with users doing stuff they shouldn't be.

1. It doesn't matter that computers are shared between users. There
should be no local user accounts available for end users to log on with.

2. Data - such as what your users have got stored in Shared Documents -
should *never* be stored locally on workstations. All data should be on
the server so it can be controlled and backed up regularly. *Nothing*
should be on the workstations.

You can set up a default standard user profile for your workstations
with various Group Policy restrictions in place, but you've made a lot
more work for yourself and have missed the point of using a domain in
the first place - centralized control so your network is a) kept
up-to-date; b) kept secure; c) kept virus and malware-free; d) kept
backed up as part of a disaster recovery plan. In addition, if you're
letting your users log on locally, are they still standard users? If
you're letting them log on locally as administrators then there is no
point in even continuing down that road - they can do whatever they want
and get around anything you set up.
Malke