Best way to deny access


Keith Martin

I am looking for the best way to deny my users access on
their Windows 2000 Prof machines. I have tried setting up
a basic restricted user profile for the user but it does
not stop the installation of unwanted software. It
prompts that they do not have the rights to install the
software yet it still continues the installation at least
50% of the time. Does anyone have any opinions on the
best way to control this issue?

Thanks in advance
 
It is very difficult to prevent them from installing all software if they have
write access somewhere on their machine and by default they have full control of
their profile folder under the Documents and Settings folder.

To start with, you might want to review NTFS permissions for the root folder and
reduce it to read/list/execute for the Everyone and Users group. You could try
adding setup.exe and install.exe to the "don't run specified Windows applications"
and disable the command prompt [that will stop scripts that rely on it though - read
explanation of setting] in Group Policy/user configuration/administrative
templates/system. Of course that is not foolproof as they will probably try renaming
those executables, but it may stop some users.

Windows XP is very effective at stopping what you ask via Software Restriction
Policies. Maybe your budget will allow a few copies of that to try out.

Possibly using Disk Quotas will help. Disk Quotas are based on file ownership. You
may want to set their temporary internet files cache at a small fixed size and then
allow them a reasonable amount above that.

Another thing that may help is configuring their user profile NTFS permissions to
not allow creation of folders. Most software packages need to create folders as part
of the installation. You would have to change their NTFS permission for their profile
at the root folder to modify from full and then use advanced permissions to add the
user again and choose "folder and subfolders" where you would check off deny for
create folders/append data. That is something you should test out for a while on a
couple of computers before implementation.

It would also make sense that users cannot boot from floppy or CD-ROM. You would
configure that in CMOS [password protect the settings] and have to have a locked case
to prevent them from erasing settings. Disable USB in CMOS also if it is not needed
to prevent use of memory drives, etc. Good luck.

--- Steve

http://support.microsoft.com/?kbid=183322
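
An added illustration, not part of the original posts: a simplified Python model contrasting the name-based block list from the reply with a default-deny rule set of the kind Software Restriction Policies allow (default level Disallowed plus path rules). The allowed directories and the launch attempts are constructed assumptions, and this models only the decision logic, not the Windows implementation.

```python
import ntpath

# Name-based block list, as in "don't run specified Windows applications".
DISALLOWED_NAMES = {"setup.exe", "install.exe"}

# Assumed allow-list for the default-deny model: locations a restricted
# user cannot write to (hypothetical values for a Windows 2000 layout).
ALLOWED_DIRS = [r"C:\WINNT", r"C:\Program Files"]


def blocked_by_name(path):
    """Block only when the file name itself is on the deny list."""
    return ntpath.basename(path).lower() in DISALLOWED_NAMES


def blocked_by_default_deny(path):
    """Block everything that does not sit under an allowed directory."""
    # Normalise first so case differences and ".." segments cannot make
    # a user-writable location look like an allowed one.
    full = ntpath.normcase(ntpath.normpath(path))
    for allowed in ALLOWED_DIRS:
        root = ntpath.normcase(ntpath.normpath(allowed))
        if full.startswith(root + "\\"):
            return False
    return True


# Constructed launch attempts (not real log data).
ATTEMPTS = [
    r"C:\Documents and Settings\user1\Desktop\setup.exe",
    r"C:\Documents and Settings\user1\Desktop\game.exe",  # renamed installer
    r"C:\Program Files\..\Documents and Settings\user1\tool.exe",
    r"C:\WINNT\system32\notepad.exe",
]


def evaluate(attempts):
    """Return (path, blocked_by_name, blocked_by_default_deny) per attempt."""
    return [(p, blocked_by_name(p), blocked_by_default_deny(p)) for p in attempts]


if __name__ == "__main__":
    for path, by_name, by_default in evaluate(ATTEMPTS):
        print(path)
        print("  name list:   ", "BLOCK" if by_name else "allow")
        print("  default-deny:", "BLOCK" if by_default else "allow")
```

The name list catches only the first attempt, while the default-deny model blocks everything launched from the user-writable profile and still allows the program under `C:\WINNT`.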
 