Locking computers down so that users cannot change any settings


Guest

I do not want my users to make any setting changes in the workstations. I
want there to be a standard and people cannot change desktop settings. I
need to know which OU policies I need to enable or disable to secure my
network.

Please Help! Thanks.
 
If you look in Group Policy under user configuration/administrative
templates/desktop and configuration/administrative templates/start menu you
will see a lot of options you can try. For the desktop settings note that
they differ depending on if you are using Active Desktop or not. Other
options may be to use mandatory user profiles or changing the users
permissions to their desktop folder in their user profile under documents
and settings so that they have only read/list/execute. Restricting Desktop
settings alone, while it has its merits, will not do much to secure your
network. For that you also need to configure strong password policy,
restrict users to the users group if possible, apply the principle of least
needed permissions to resources such as shares, have a firewall, antivirus
protection, and take many other steps. If you have Windows XP Pro computers,
you will find Software Restriction Policies very helpful in preventing users
from installing or running unauthorized applications. The links below may be
helpful. --- Steve

http://support.microsoft.com/?kbid=323368 -- assigning mandatory profiles.
http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx --
Microsoft Small Business Security Guidance.
 
Steven,

I'm not using profiles. I was wondering if I can do this in the Group
Policies.
 
Yes, you should have good success with Group Policy as I mentioned
particularly in user configuration/administrative templates. However, I don't
believe you can totally lock the desktop using Group Policy. If you change
the permissions to their desktop folder under documents and
settings/%username% and make it so they only have read/list/execute
permissions they will not be able to add or delete items from the desktop if
used with Group Policy restrictions. The link below to Common Desktop
Scenarios may be helpful. It is geared for Windows 2003 but should still
work for those settings that apply to Windows 2000 computers. You can and
should use the Group Policy Management Console in Windows 2000 as long as
you have a Windows XP Pro computer on the domain that you can run it from.
If you do that, be sure that computer is secured, ideally physically also,
as you will need to log on to it as a domain administrator. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/csws2003.mspx
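
The folder-permission change described in the replies above, sketched as an added example that is not part of the original thread. It assumes PowerShell is available on the workstation and is run as an administrator; the function name, the sample path and the sample account are hypothetical.

```powershell
# Added example: give a user read/list/execute only on their Desktop folder.
# Set-DesktopReadOnly is a hypothetical helper name, not a built-in cmdlet.
function Set-DesktopReadOnly {
    param(
        [string]$DesktopPath,   # e.g. 'C:\Documents and Settings\jsmith\Desktop' (constructed)
        [string]$UserAccount    # e.g. 'EXAMPLE\jsmith' (constructed)
    )
    if (-not (Test-Path -Path $DesktopPath -PathType Container)) {
        throw "Desktop folder not found: $DesktopPath"
    }

    # Entries apply to the folder, its subfolders and its files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $read    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

    $acl = Get-Acl -Path $DesktopPath

    # Stop inheriting from the profile folder and drop the inherited entries,
    # otherwise the user's inherited Full Control would still apply.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries so only the three rules below remain.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Administrators and SYSTEM keep full control so the profile can still be
    # managed; the user gets read/list/execute only.
    $grants = @(
        @('BUILTIN\Administrators', $full),
        @('NT AUTHORITY\SYSTEM',    $full),
        @($UserAccount,             $read)
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $g[0], $g[1], $inherit, $prop, $allow
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $DesktopPath -AclObject $acl

    # Return the resulting entries so the change can be checked.
    (Get-Acl -Path $DesktopPath).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

If the user is the owner of the folder they can still edit its permissions, so check the owner as well. The Group Policy desktop restrictions mentioned in the thread are still needed alongside this.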
 