Lock down certain machines

Guest

Our Executive Director has asked me to lock down the computers in one of our
departments so the users can't install or change anything on their computer.
I made sure the users did not have admin rights, but they still seem to be
able to install screen savers, file sharing programs, etc. Can I lock them
down with group policies? Can someone recommend a good starting point for
learning how to implement them for certain users or machines? We use win2k
pro workstations and a win2k server domain controller. Thanks.
 
Gino,

There are a couple of ways.

I might take a look at the Restricted Groups GPO that will be part of the
solution. The MSKB Articles of interest are:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

I would also take a look at locking down the systems via GPO. Here is a
link (yes, it is aimed at Terminal Server, but the concepts apply to
workstations as well):

http://support.microsoft.com/?id=278295
http://support.microsoft.com/?kbid=315675

You can also use NTFS permissions to further assist you.

I would test this in a lab environment. I know that I do some things a bit
differently with regard to 278295. Find what works for you and your
environment.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 