Locking Down workstation

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

I've got 75 users with laptops that log onto our domain. They have always
been given local Admin rights. Now we want to lock them down, but still allow
them to install local printers, or config home wireless. But nothing else!
(including adding browsers, apps, etc! )

Will the local Users group give them this access? When I tested it, it
appeared that only Add Network Printer was available, not the local one.
Power User seemed to get the same settings.

We had one of these machines infect our network courtesy of a user who had
too much Admin rights so any help would be appreciated.

Thanks,

Sheldon
 
If the printer does a server side installation the user can be a regular
user and if not the user can not. The link below explains more on this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;326473&Product=winxp

I am not sure about wireless which could be configured possibly with the
built in XP Zero Wireless Configuration or the utility that comes with the
network adapter. You will have to try that one out and may also want to post
in the wireless newsgroup. You can try to add the user to the local network
operators group to see if that helps at all depending on what they need to
do with the understanding that will allow the user to configure most tcp/ip
settings. You also may want to investigate Software Restriction Policies
that can be deployed via Group Policy and can apply to local administrators
also in the enforcement setting unless they figure out that they can boot
into Safe Mode to bypass SRP.

Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Software Restriction Policies
 
Hi

Presumably you know how to set up Group Policies to run from your
server. There's lots of info out there, including the article at
http://www.windowsecurity.com/articles/Windows-XP-Group-Policy-Windows-2000-Domain-Part1.html

Local Admin or even Power User access is dangerous in the wrong hands -
as you've discovered... and as I've also discovered!

I've never fiddled with running gpedit.msc to permit users to add
printers but it should work. The policies give you quite a bit of
control

Good luck however. Once users have full control of their computer they
are reluctant to give it up.

Peter
 
I've set up GP's but cannot find any that would apply here. We are a high
school. These are instructor laptops they use at home so I've got to be able
to allow them to connect their own home printers. Worse still, we'll have a
student laptop program here in a year or so and I sure don't want them to
have Admin access!

Right now, my understanding is that this is not possible unless you have
Admin rights. Got to be a solution for this someplace!

Sheldon
 
Back
Top