Restricting Domain Users on a local machine

[Guest]

My current problem is that I don't have administrator access to the domain
but I do have Admin access to the machine I need to restrict. Bascially I
have a list of domain accounts that can access the computer. (I already know
how to restrict who can log in) What I need to do is only allow those people
who I've allowed to login to run a few specified programs and they cannot
have access to control panel, display properties, etc.. Basically this is
going to be a terminal for a custom application that we have deployed.

 

[Steven L Umbach]

Ideally that would be best done at the domain level with Software
Restriction Policies and Group Policy restrictions found in user
configuration/administrative templates. You still can configure Software
Restriction Policies [assuming not enforced at the domain level] on that
computer and local Group Policy. By default SRP will apply to all users
other than local administrators but Group Policy will apply to all users.
You could configure Group Policy the way you want and then give your account
deny read permissions to the \Windows\system32\group policy\user folder and
then the GP will not apply to you but you would have to give yourself read
permissions to edit GP again. If you do configure local Group Policy be
careful to not lock yourself out of being able to do what you need. Local
Group Policy can be opened via gpedit.msc and Local Security Policy via
secpol.msc. Though not really designed for domain computers the Shared
Computer Toolkit may do what you want and is worth a look at and then you
could use ntfs permissions to restrict what a user could run in the program
files folder. If you do use SCT you will lose the flexibility of local
Group Policy and more fine control of Software Restriction Polices. The
links below explain further. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- XP Software Restriction Policies
http://support.microsoft.com/?kbid=310791 --- more SRP
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx --- Shared
Computer Toolkit

 

[Guest]

The features in the Shared Computer Toolkit are pretty much exactly what I
need since they restrict what users can launch and modify the Start Menu
accordingly. The problem with the utility is that users that login with their
domain account cannot be restricted.

Ideally that would be best done at the domain level with Software
Restriction Policies and Group Policy restrictions found in user
configuration/administrative templates. You still can configure Software
Restriction Policies [assuming not enforced at the domain level] on that
computer and local Group Policy. By default SRP will apply to all users
other than local administrators but Group Policy will apply to all users.
You could configure Group Policy the way you want and then give your account
deny read permissions to the \Windows\system32\group policy\user folder and
then the GP will not apply to you but you would have to give yourself read
permissions to edit GP again. If you do configure local Group Policy be
careful to not lock yourself out of being able to do what you need. Local
Group Policy can be opened via gpedit.msc and Local Security Policy via
secpol.msc. Though not really designed for domain computers the Shared
Computer Toolkit may do what you want and is worth a look at and then you
could use ntfs permissions to restrict what a user could run in the program
files folder. If you do use SCT you will lose the flexibility of local
Group Policy and more fine control of Software Restriction Polices. The
links below explain further. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- XP Software Restriction Policies
http://support.microsoft.com/?kbid=310791 --- more SRP
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx --- Shared
Computer Toolkit

My current problem is that I don't have administrator access to the domain
but I do have Admin access to the machine I need to restrict. Bascially I
have a list of domain accounts that can access the computer. (I already
know
how to restrict who can log in) What I need to do is only allow those
people
who I've allowed to login to run a few specified programs and they cannot
have access to control panel, display properties, etc.. Basically this is
going to be a terminal for a custom application that we have deployed.

 

[Guest]

How did you restrict domain users from signing into your local machine?
--
Ray Lee

The features in the Shared Computer Toolkit are pretty much exactly what I
need since they restrict what users can launch and modify the Start Menu
accordingly. The problem with the utility is that users that login with their
domain account cannot be restricted.

Ideally that would be best done at the domain level with Software
Restriction Policies and Group Policy restrictions found in user
configuration/administrative templates. You still can configure Software
Restriction Policies [assuming not enforced at the domain level] on that
computer and local Group Policy. By default SRP will apply to all users
other than local administrators but Group Policy will apply to all users.
You could configure Group Policy the way you want and then give your account
deny read permissions to the \Windows\system32\group policy\user folder and
then the GP will not apply to you but you would have to give yourself read
permissions to edit GP again. If you do configure local Group Policy be
careful to not lock yourself out of being able to do what you need. Local
Group Policy can be opened via gpedit.msc and Local Security Policy via
secpol.msc. Though not really designed for domain computers the Shared
Computer Toolkit may do what you want and is worth a look at and then you
could use ntfs permissions to restrict what a user could run in the program
files folder. If you do use SCT you will lose the flexibility of local
Group Policy and more fine control of Software Restriction Polices. The
links below explain further. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- XP Software Restriction Policies
http://support.microsoft.com/?kbid=310791 --- more SRP
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx --- Shared
Computer Toolkit

My current problem is that I don't have administrator access to the domain
but I do have Admin access to the machine I need to restrict. Bascially I
have a list of domain accounts that can access the computer. (I already
know
how to restrict who can log in) What I need to do is only allow those
people
who I've allowed to login to run a few specified programs and they cannot
have access to control panel, display properties, etc.. Basically this is
going to be a terminal for a custom application that we have deployed.