Is this scenario possible or not?

  • Thread starter: Lei Hu

Lei Hu

Dear Experts,

I'm wondering if the following scenario is achievable.

I have a small LAN with one win2k3 server running AD and some win2k/xp
workstations. The users have their own workstations, and they are also
allowed to use other people's workstations. When a user logs on to his/her
own workstation, he/she has full control, but if the user logs on to a
workstation that belongs to other people, he/she gets very limited
permission, e.g., Control Panel is not displayed, etc.

How can I set proper GPOs to achieve this?

Thanks in advance!!

Lei
 
It sounds as if you want users to have administrative control on their "own"
workstation but be limited to user access only on any other workstation. If
this is the case then that can be achieved using local group membership on
the workstations in question. Depending on the number of workstations and
users this could result in a large number of global groups or a lot of
messing about. Best practice is to use Admin privileges when specifically
required to carry out administrative tasks only! You could possibly think
about adding users to local admin group when specifically required and then
removing / later?
It is possible to control Local Group membership through group policy.


Win0
 
Obviously, this is not the solution. If a user logs on to other people's
workstation, he or she can still see and do a lot of things even though he
or she doesn't have local admin privilege. What I want to do is to use GPO
to lock them down, such as to lock out the control panel, and some software
applications.

Does anyone have any idea?
 