Help! Any one with MS knowledge or with an MCSE Please read!

  1. #1
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy

    Help! Any one with MS knowledge or with an MCSE Please read!

    Hi,

    I'm using Windows 2000 Client, and I'm trying to tie down the OS so that users are limited in the things they do, i.e. install software, remove software, change IE settings, clear histories and things like that.
    I've been using gpedit.msc to disable these functions, but is there a way where you can just disable the users' functionality, leaving the administrator with full access??

    Cheers ppl!

  3. #2
    MIGWeb User
    Join Date
    Mar 2001
    Location
    Christchurch
    Posts
    1,047
    Drives
    BMW M3 EVO COUPE
    are you in a domain or is this a standalone machine?

  4. #3
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    Eventually we'll be putting this into production on our domain, but for now it's a standalone machine!

    And we ain't gonna be using Active Directory, just to make things more fun!!

  5. #4
    MIGWeb User
    Join Date
    Mar 2001
    Location
    Christchurch
    Posts
    1,047
    Drives
    BMW M3 EVO COUPE
    umm you're not going to be using active directory in your domain?

    i take it you're running NT 4 server then as you can't have a 2000 domain controller without active directory...

    or are you just going to create users on a standalone server and have them accessing shares on it?

  6. #5
    MIGWeb User
    Join Date
    Mar 2001
    Location
    Christchurch
    Posts
    1,047
    Drives
    BMW M3 EVO COUPE
    what is the current topology of your domain? do you have an existing domain controller

    sorry I'm assuming the machine you're talking about is going to be a DC....

  7. #6
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    It's all going to be connected through a FreeBSD 4.5 running Samba!

  8. #7
    MIGWeb User
    Join Date
    Mar 2001
    Location
    Christchurch
    Posts
    1,047
    Drives
    BMW M3 EVO COUPE
    ahhhh i see...

    hmm gonna have to think about this one.... i was going to say roaming profiles but you'd need a DC for people to log into to obtain the profiles...

  9. #8
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    We will probably end up using Roaming profiles!

    I take it this isn't an easy type solution?

  10. #9
    MIGWeb User
    Join Date
    Nov 2001
    Location
    Shaftesbury, Dorset
    Posts
    8,008
    Drives
    Vectra SRi 150
    Can't you just set the user of the PC up to be a restricted user of the PC, so then they can't change system stuff and install software etc.

    Very simple, maybe it's not what you're after.

    Only downside of this is that if you have multiple users of a single PC then you have to set them all up as users of the PC.

    Let me know if that makes sense, if not I'll try and explain better.
    Hey, you! Out there on the road always doing what you're told, can you help me?

  11. #10
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    Not quite as simple as that!

    I'm trying to tie down a machine, so basically I won't get much support work!

  12. #11
    MIGWeb User
    Join Date
    Mar 2001
    Location
    Christchurch
    Posts
    1,047
    Drives
    BMW M3 EVO COUPE
    to be honest i haven't played around with roaming profiles in 2000 but in nt 4 it was a bit of an arse..

    in theory it's all very easy but i found that some parts of the profile didn't work in some OSes, like it would work fine with NT workstation and 98 but not 95, and some things worked in 95/98 but not NT workstation etc.

    if you have a test environment you can work in then you can tweak the profiles until you get exactly what you want then roll them out..

    definitely a good idea though, I'm going to be implementing profiles into our head office once i've finished all the other work i've got piling up!

  13. #12
    MIGWeb User
    Join Date
    Nov 2001
    Location
    Shaftesbury, Dorset
    Posts
    8,008
    Drives
    Vectra SRi 150
    Originally posted by Dave Dixon:
    "Not quite as simple as that!

    I'm trying to tie down a machine, so basically I won't get much support work!"

    It's what I'm doing with all my XP machines that I'm rolling out at the moment.

    Basically, all the user can do is change screen saver and appearance etc. They can't even delete Desktop Icons that are in the All Users folder.

    They can't add or delete printers, or stuff like that. Basically they can't do anything that will affect system files.

    It's working OK so far. I have approx 100 users that I look after, so it's not that many. I don't know if this is a very good solution if you look after loads though!

    One bonus is that they can't install any stuff without me doing it for them, so I know exactly what is going onto their PCs, and it's then my fault if the PC is cocked up.

    Also helps keep us nice and squeaky clean Licence wise!
    Hey, you! Out there on the road always doing what you're told, can you help me?

  14. #13
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    Steve,

    Can you write down the process to do this and I'll have a gander when I come in tomorrow!

    I'm off home now! Had enough today!!

  15. #14
    Moderator Nobbie's Avatar
    Join Date
    Nov 2001
    Location
    Hemel Hempstead
    Posts
    11,150
    Drives
    with blue lights
    Have a look at user groups in computer management. Put all users, or domain users in a new group and only give them certain privs.
    Paid up member of the TXT SPK Prevention Society!!

  16. #15
    MIGWeb User
    Join Date
    Nov 2001
    Location
    Shaftesbury, Dorset
    Posts
    8,008
    Drives
    Vectra SRi 150
    Dave

    I wrote you a lovely long essay at about 12:30am last night, and then my effing computer froze! So, I'll try and remember what I put again......

    Basically, all I am doing is changing the security settings of a user at a local level at their PC. So this idea works best if only one or two people use a PC and don't move around to others.

    In XP (and I'm pretty sure it's the same in 2000 IIRC), in control panel there's an icon called User Accounts, maybe just Users on 2000. Windows XP automatically sets up an administrator user when you first install the OS. The administrator user has full access to the PC. There are two other levels of security:-
    Standard User (Users can change many system settings and install programs that don't affect Windows system files)
    Restricted User (Users can operate the computer and save documents, but cannot install programs or change system settings)

    The first thing I do is change the password for Administrator to match the Domain Administrator password, so when you log onto a specific PC as the PC administrator you also get full access to the domain.

    Then I set up the user. Here's a sort of example:-

    John logs on to the Migdomain. I need to set John up as a Restricted user.
    The user I create is a user called John and I make him a member of the Migdomain NOT the PC (the administrator is not a member of the Migdomain, Administrator's domain is the PC Name).
    You are then asked what level of security you want to give to the user, I make John a restricted user, so he can't do eff all without me doing it for him!!lmao

    It's as simple as that, really. Not a lot to it.
    If this doesn't make sense, let me know what you don't understand and I'll try and explain myself better, I'm trying to write this and field a load of calls and one of our servers has gone down, but this is far more important!!!!!
    Hey, you! Out there on the road always doing what you're told, can you help me?
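
Added example, not part of the post above: a Windows 2000/XP batch file that reports which of the three levels described there a local account really has, by checking membership of the built-in Users (Restricted), Power Users (Standard) and Administrators groups. The file name `chkuser.cmd` and the account names in the usage line are illustrative; account names are assumed to be local and to contain no findstr regex metacharacters.

```batch
@echo off
rem Added example (not from the thread): audit the level of local accounts.
rem   Users          = "Restricted user"
rem   Power Users    = "Standard user"
rem   Administrators = full access
rem Usage: chkuser.cmd John Mary      (account names are illustrative)
rem Exit code 0 = every account is Users-only, 1 = at least one is not.
setlocal
if "%~1"=="" goto usage
set BAD=0

:next
if "%~1"=="" goto done
set ACCT=%~1
set LEVEL=not in Users, Power Users or Administrators
rem Checked lowest to highest so the most privileged match is reported.
call :ingroup "Users" && set LEVEL=Restricted
call :ingroup "Power Users" && set LEVEL=Standard
call :ingroup "Administrators" && set LEVEL=Administrator
echo %ACCT%: %LEVEL%
if not "%LEVEL%"=="Restricted" set BAD=1
shift
goto next

:done
if "%BAD%"=="1" echo WARNING: at least one account is not a Users-only account.
exit /b %BAD%

:ingroup
rem net localgroup prints one member per line. The pattern anchors the
rem whole line so "John" does not match "Johnson" or the header text.
net localgroup %1 2>nul | findstr /r /i /c:"^%ACCT% *$" >nul
exit /b %errorlevel%

:usage
echo Usage: %~nx0 account [account ...]
exit /b 2
```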

  17. #16
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    Cheers for that Steve, I had a gander round the Restricted Users and stuff. I suppose the easy option is not to be so strict, but support and security is all about how many people you can pi5 5 off!! lmao lmao

    I came up with an idea this morning, basically have two Group Policies, one which is totally unrestricted, and one that is restricted. Then write a batch file to copy the files over when you want to admin the machines, only trouble is you need to open GPedit.msc and change something before the changes take effect!
    I guess it's just a matter of going through the registry and policies to find where the Group Policy update flag is set!?!

    Our head of security has written standards that apply to things like T-scheme auditing and stuff, so the "work machines" have to be tied down to where the user can't add anything of his own i.e. wallpaper, screen savers etc!
    I guess I'll find some solution ............. one day..........

    Cheers for the help!

  18. #17
    Awaiting Email Confirmation
    Join Date
    Nov 2000
    Location
    St. Asaph, N. Wales
    Posts
    10,280
    Drives
    Nova, Passat
    damn i worked in a college 9 months ago and i can't remember exactly how we did it
    but the students couldn't break the os, whatever they did they couldn't change any settings, apps were locked down as well
    that was with 700 PCs and 10000 users

  19. #18
    MIGWeb User
    Join Date
    Nov 2000
    Location
    Suffolk
    Posts
    1,132
    Drives
    women crazy
    It would be easy if we run Active directory!!

    ........................but we can't!!
