Restricting Domain Users on a local machine

Guest

My current problem is that I don't have administrator access to the domain
but I do have Admin access to the machine I need to restrict. Basically I
have a list of domain accounts that can access the computer. (I already know
how to restrict who can log in) What I need to do is only allow those people
who I've allowed to login to run a few specified programs and they cannot
have access to control panel, display properties, etc. Basically this is
going to be a terminal for a custom application that we have deployed.
 
Steven L Umbach

Ideally that would be best done at the domain level with Software
Restriction Policies and Group Policy restrictions found in user
configuration/administrative templates. You still can configure Software
Restriction Policies [assuming not enforced at the domain level] on that
computer and local Group Policy. By default SRP will apply to all users
other than local administrators but Group Policy will apply to all users.
You could configure Group Policy the way you want and then give your account
deny read permissions to the \Windows\system32\group policy\user folder and
then the GP will not apply to you but you would have to give yourself read
permissions to edit GP again. If you do configure local Group Policy be
careful to not lock yourself out of being able to do what you need. Local
Group Policy can be opened via gpedit.msc and Local Security Policy via
secpol.msc. Though not really designed for domain computers the Shared
Computer Toolkit may do what you want and is worth a look at and then you
could use NTFS permissions to restrict what a user could run in the program
files folder. If you do use SCT you will lose the flexibility of local
Group Policy and more fine control of Software Restriction Policies. The
links below explain further. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- XP Software Restriction Policies
http://support.microsoft.com/?kbid=310791 --- more SRP
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx --- Shared
Computer Toolkit
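
The reply above describes local Software Restriction Policies and a deny-read ACL on the local Group Policy user folder. The following read-only audit script is an added example, not code from the thread. It assumes the SRP machine settings are stored under the registry key shown in `$srpRoot` and that the folder Steve refers to is `%SystemRoot%\System32\GroupPolicy\User`; the function names are made up for this example.

```powershell
# Added example: report the local SRP settings and any Deny entries on the
# local Group Policy "User" folder. Read-only; run from an elevated prompt.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels  = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }   # 0x00000 / 0x40000
$scopes  = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

function Get-SrpSummary {
    if (-not (Test-Path $srpRoot)) { return 'No local SRP configured' }
    $cfg   = Get-ItemProperty -Path $srpRoot
    $level = if ($null -ne $cfg.DefaultLevel) { $levels[[int]$cfg.DefaultLevel] } else { 'not set' }
    $scope = if ($null -ne $cfg.PolicyScope)  { $scopes[[int]$cfg.PolicyScope] }  else { 'not set' }
    New-Object PSObject -Property @{
        DefaultLevel = $level      # a kiosk wants Disallowed plus explicit allow rules
        AppliesTo    = $scope      # confirms whether local admins are exempt
        ChecksDlls   = ($cfg.TransparentEnabled -eq 2)
    }
}

function Get-SrpPathRule {
    # Path rules live under <level>\Paths\{GUID}; ItemData holds the path.
    foreach ($level in $levels.Keys) {
        $paths = Join-Path $srpRoot "$level\Paths"
        if (Test-Path $paths) {
            Get-ChildItem $paths | ForEach-Object {
                $rule = Get-ItemProperty -Path $_.PSPath
                New-Object PSObject -Property @{
                    Level = $levels[$level]; Path = $rule.ItemData
                }
            }
        }
    }
}

function Get-GpUserFolderDeny {
    # Lists accounts that local user-side Group Policy will not apply to
    # because they are denied access to the folder.
    $folder = Join-Path $env:SystemRoot 'System32\GroupPolicy\User'
    if (-not (Test-Path $folder)) { return }
    (Get-Acl -Path $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights
}

Get-SrpSummary       | Format-List  | Out-String
Get-SrpPathRule      | Format-Table -AutoSize | Out-String
Get-GpUserFolderDeny | Format-Table -AutoSize | Out-String
```

Running it before and after editing policy in gpedit.msc or secpol.msc shows whether the default level, the admin exemption and the allow rules ended up as intended, and which accounts are currently exempted from local Group Policy through the folder ACL.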
 
Guest

The features in the Shared Computer Toolkit are pretty much exactly what I
need since they restrict what users can launch and modify the Start Menu
accordingly. The problem with the utility is that users that login with their
domain account cannot be restricted.

 
Guest

How did you restrict domain users from signing into your local machine?
--
Ray Lee


Ethoss said:
The features in the Shared Computer Toolkit are pretty much exactly what I
need since they restrict what users can launch and modify the Start Menu
accordingly. The problem with the utility is that users that login with their
domain account cannot be restricted.
 