Designing restrictive GPO

  • Thread starter: Johnny Noitargim

Johnny Noitargim

Hi everyone,

I am trying to find a way to restrict my users' access to their accessories,
games, etc. (I only need to keep selected few apps like calculator there for
them)

I need to find a way of achieving this via GPOs rather than registry
editing...

I am using Win2k server with win2k clients.

Many thanks,

J.
 
If you only wish to allow some applications I would use the only allow these
applications user setting. I've successfully used this when I seriously
wanted to lock stuff down. Only add the file name though - not the path.

If you just want to block freecell.exe, etc there's the opposite option -
don't allow these applications. Although if a user renames a file it'll
beat that simple policy. If you've XP boxes there's also Software
Restriction policy, but I've yet to use that (too many legacy clients where
I'm not at ;-))

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


 
Software Restriction policies are definitely the way to go. You would want
to create a GPO and link it to the container the machines reside in (such as
OU=Workstations).

The setting is located in GPEDIT.MSC by navigating to Computer
Configuration->Windows Settings->Security Settings->Software Restriction
Policies. You can 'disallow' applications from running there.

Incidentally, Server 2003 gives some additional enhancements to these
settings, including the use of a hash-based Software Restriction setting so
that no matter the name or location of the application it will not run since
the hash matches one that is disallowed.

Please repost if you have any additional questions or concerns.
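
Added example (not part of either reply, and not Windows' own matching code): a small Python model of the two rule types discussed in the replies above, showing why a file-name rule misses a renamed copy while a hash rule still matches it. The file contents, the names report.exe and calc.exe, and the use of SHA-256 are assumptions made for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a program the admin wants blocked (not a real binary).
SAMPLE_BYTES = b"MZ constructed stand-in for freecell.exe"


def file_hash(path: Path) -> str:
    """Digest of the file contents; independent of name and location."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def blocked_by_name(path: Path, denied_names: set[str]) -> bool:
    """Name rule: compares only the file name, case-insensitively, no path."""
    return path.name.lower() in denied_names


def blocked_by_hash(path: Path, denied_hashes: set[str]) -> bool:
    """Hash rule: compares the content digest against the disallowed set."""
    return file_hash(path) in denied_hashes


def evaluate() -> dict[str, tuple[bool, bool]]:
    """Return {label: (name rule blocks?, hash rule blocks?)} for three files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = root / "freecell.exe"
        original.write_bytes(SAMPLE_BYTES)
        (root / "elsewhere").mkdir()
        renamed = root / "elsewhere" / "report.exe"  # same bytes, new name and folder
        shutil.copyfile(original, renamed)
        other = root / "calc.exe"  # different program, must stay runnable
        other.write_bytes(b"MZ constructed stand-in for calc.exe")

        denied_names = {"freecell.exe"}
        denied_hashes = {file_hash(original)}
        files = {"original": original, "renamed copy": renamed, "other": other}
        return {
            label: (blocked_by_name(p, denied_names), blocked_by_hash(p, denied_hashes))
            for label, p in files.items()
        }


if __name__ == "__main__":
    for label, (by_name, by_hash) in evaluate().items():
        print(f"{label:13} name rule blocks={by_name!s:5} hash rule blocks={by_hash}")
```

A hash rule matches exact file contents only, so a different build or version of the same program has a different hash and needs its own rule.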
 
Thanks Tim,

spot on.

J


Tim Springston said:
Software Restriction policies are definitely the way to go. You would want
to create a GPO and link it to the container the machines reside in (such as
OU=Workstations).

The setting is located in GPEDIT.MSC by navigating to Computer
Configuration->Windows Settings->Security Settings->Software Restriction
Policies. You can 'disallow' applications from running there.

Incidentally, Server 2003 gives some additional enhancements to these
settings, including the use of a hash-based Software Restriction setting so
that no matter the name or location of the application it will not run since
the hash matches one that is disallowed.

Please repost if you have any additional questions or concerns.
 
