Thanks Steve...

To clarify: we have new XP Home machines from Dell. Two of them will be set up for training. If they want to browse network shares, it's not a terrible concern, as some of the employees will need to. BUT, basically, the paramount thing I need to prevent is any user, other than Admin of course, from installing software on these PCs. Fun security-free apps like Yahoo Messenger, AOL, and other stuff folks can download and 'run here' type craptacular software that will probably just be embedded with Spyware/Adware/malware, etc.

Would you mind telling me how to 'lock it down' so folks are unable to install software? And if it's not too much to ask, once I create this restricted group, how do I make it a roaming profile? Or is it already roaming since it's a domain group?

Thanks again.
:
Well, from what you describe, that cannot be done effectively, because to do everything else would require the user to be a local administrator. Local administrators can of course install software. You can "hide" access to My Network Places [user configuration/administrative templates/desktop], but that still leaves ways for a user to search network shares via the browse list with command line tools, etc., as long as NetBIOS over TCP/IP is enabled on the network. You really need to depend on share permissions to restrict what a user can access on a network and not worry about what they can see. I can see the vault of my bank when I walk in, but that does not mean I can get inside of it and loot it if I was so inclined.

If there is some way that the group can be a member of the local Users group only on domain computers, then they will not be able to install most software, such as software that can be used by all users or software that writes to the Program Files folder or system folder. If the client computers are using XP Pro, you can use Software Restriction Policies to restrict what they can run and install with hash and path rules, and the local administrators can also be restricted by configuring the enforcement rule, though a knowledgeable user may figure out he can boot into safe mode to bypass SRP if he is a local administrator. There are Group Policy settings in Windows 2000 under user configuration/administrative templates/system that can restrict what applications a user runs if the application cannot be renamed, but that will apply to only domain users when configured at the domain/OU level, and any user with local administrator capabilities can log on to the computer locally via an account they create to bypass Group Policy user configuration applied at the domain/OU level.

If you absolutely have to make the users local administrators, it still will be worthwhile trying to use Group Policy to restrict them, as many users may not even know the concept of an administrator account, but you have to be aware that it is not nearly a foolproof solution, particularly for the long run, as some users figure out how to bypass policy and others catch on. Also make sure you read the full description of any Group Policy setting before you implement it, and set it up on a test OU before rolling out to all users.

---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 -- adding setup.exe, msiexec.exe, and install.exe may help, for instance.
http://tinyurl.com/42dny -- the more restrictive Windows application setting that is difficult to configure correctly.
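The reply above makes three checkable claims about a workstation: who is in the local Administrators group, whether Software Restriction Policies are enforced and whether they exempt local administrators, and which executable names the "Don't run specified Windows applications" setting (the KB article linked above) blocks. The following PowerShell audit script is an added example, not code from Steve or anyone else in this thread; it reports those three things for one machine so you can confirm a test OU's policy actually landed before rolling it out. The registry locations and value meanings it reads are the script's own assumptions about what the standard policy templates write (the thread does not list them), and the DisallowRun data is per-user (HKCU), so run it as the restricted test user on a test box.

```powershell
# Added audit script, not from this thread. Reads the machine's current state
# against the three points in the reply: local Administrators membership,
# Software Restriction Policy enforcement, and the per-user DisallowRun list.
# Registry paths and value meanings are assumptions about what the standard
# Group Policy templates write; run as the restricted test user on a test PC.

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group through the WinNT ADSI provider.
    # Each member's ADsPath tells us whether it is a local or a domain account.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name    = $name
            # Local accounts resolve to WinNT://<computername>/...; anything else came from the domain.
            IsLocal = ($path -like "WinNT://$env:COMPUTERNAME/*")
        }
    }
}

function Get-SrpStatus {
    # Software Restriction Policies keep their machine-wide defaults here (assumed key).
    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'none'; AppliesToAdmins = $false }
    }
    $p = Get-ItemProperty -Path $key
    $levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $level = if ($null -ne $p.DefaultLevel) { [int]$p.DefaultLevel } else { 262144 }
    $scope = if ($null -ne $p.PolicyScope) { [int]$p.PolicyScope } else { 0 }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = if ($levels.ContainsKey($level)) { $levels[$level] } else { "unknown ($level)" }
        AppliesToAdmins = ($scope -eq 0)
    }
}

function Get-DisallowRunList {
    # "Don't run specified Windows applications" sets DisallowRun=1 under the
    # per-user Explorer policy key (assumed path) and lists blocked file names as
    # string values in a DisallowRun subkey. It matches on file name only, which is
    # why the reply notes that a renamed executable is not covered.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $flag = Get-ItemProperty -Path $base -Name DisallowRun -ErrorAction SilentlyContinue
    $names = @()
    if (Test-Path "$base\DisallowRun") {
        $sub = Get-Item -Path "$base\DisallowRun"
        $names = @($sub.GetValueNames() | ForEach-Object { [string]$sub.GetValue($_) })
    }
    [pscustomobject]@{
        Enabled = ($null -ne $flag -and [int]$flag.DisallowRun -eq 1)
        Blocked = $names
    }
}

function Invoke-LockdownAudit {
    $findings = @()

    $admins = @(Get-LocalAdminMembers)
    $domainAdmins = @($admins | Where-Object { -not $_.IsLocal })
    "Local Administrators: " + (($admins | ForEach-Object { $_.Name }) -join ', ')
    if ($domainAdmins.Count -gt 0) {
        $findings += 'Domain principals are local administrators; per the reply, they can install software and work around per-user policy.'
    }

    $srp = Get-SrpStatus
    "SRP configured: $($srp.Configured); default level: $($srp.DefaultLevel); applies to local admins: $($srp.AppliesToAdmins)"
    if (-not $srp.Configured) { $findings += 'No Software Restriction Policy present (the reply suggests SRP on XP Pro clients).' }

    $dr = Get-DisallowRunList
    "DisallowRun enabled for this user: $($dr.Enabled); blocked names: $($dr.Blocked -join ', ')"
    $suggested = 'setup.exe', 'msiexec.exe', 'install.exe'   # the names the reply suggests adding
    $missing = @($suggested | Where-Object { $dr.Blocked -notcontains $_ })
    if (-not $dr.Enabled -or $missing.Count -gt 0) {
        $findings += "DisallowRun is off or does not list: $($missing -join ', ')"
    }

    if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
}

Invoke-LockdownAudit
```

The script only reads; it changes nothing, so it is safe to run on the training PCs as well as the test OU. A clean run for the setup the reply recommends shows no domain principals in the local Administrators list, SRP configured with a Disallowed default level that applies to local admins, and DisallowRun enabled with the three suggested names present for the logged-on test user.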
Hi.

Setting up a new local domain group on our W2k Server. I'd like the logged-in users to do everything on the PC, EXCEPT install programs and search network shares. I just need to lock down those two settings for the group policy.

I started to set it up yesterday, but the options are endless, both a blessing and a curse for Windows 2000 Server.

Anyone with tips, please post comments/tips.

Thanks