Multiple Local Group Policies

Hi

We have a computer set up that requires us to (on request) completely lock
down the local computer.

We do this using group policies, by having two group policies and when
required replacing the entire %SystemRoot%\system32\GroupPolicy directory;
either with the original policies or with our updated ones.

We are seeing some odd and erratic behaviour at times, and I'm concerned
about whether this is the best way of doing things, or if there is a better
way.

Things we need to do include:
Deny access to hard disk
Prevent run command
Limit applications that may be run to a specified set
and various other restrictions

Does anyone have any suggestions on how this can be done? The important
thing is the ability to reliably switch between one set and the other.

Thanks,

Martin
 
What you are doing is not a very good idea, and I am not surprised you are
having problems; it would not be a supported procedure by MS. Ideally such a
lockdown would be done on a computer that is a member of an Active Directory
domain. However, Microsoft offers the free Shared Computer Toolkit that may
be able to do all or most of what you want by being able to lock down
individual user accounts. To restrict access to applications and folders you
should be modifying NTFS permissions to manage user/group access. ---
Steve

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx
 
Sounds good, but there are a number of issues that would need to be addressed.

Can this shared access be re-distributed? If not, we can't use it.
If it can, can it be installed and configured from scripts?
Does it need an administrator in attendance?
We need the ability to create new users and so on after the kit is in place
and working, and those new users also need the restrictions.

A server computer is out of the question, since our customers wouldn't be
prepared to pay the vastly increased cost of needing a server box.

I'm still hoping to find a solution where I can just change the Group Policy
settings by script.

--Martin
 
Just found a show stopper.

The toolkit requires it be validated during install. Since the target
computer will under no circumstances have internet access this will never
work.

--Martin
 
That's too bad it won't work for you. Basically your customers want server
solutions but not to pay the price. Then they are making a decision in
managing risk where an investment in funds is more important than advanced
security configuration, and you cannot effectively do what they want. ---
Steve
 