desktop lockdowns


Hi, new to these forums...

looking for some info please.

I have an XP laptop that is stand-alone. I have an administrator account
installed and also a default customised profile set up for all users who log
on. However, they can still change settings and screw the laptop up.

I'm trying to create a custom user group (that would be selectable like
user, power users, restricted, administrator etc.) that would use something
like group policy, but locally, to let me restrict things like changing the
desktop, adding programs, being able to see the control panel etc. for all
users that log on (except me). This looks like it can be done with group
policy but I'm not sure how to implement it.

I've tried the knowledge base but don't really know what to ask, something
to do with templates, methinks.

Thanks guys
 
Hi AmyAmandaAllen,

The quickest answer is to point you to your help files: "Start", then "Help
and Support". Do a search for "guest account" and turn on the Guest account.
Then open "User Accounts" in Control Panel and click on "Change the way
users log on or off". Change this setting so you end up with a set of icons on
the Welcome screen. Next, make sure you password protect every account except
the Guest account. Next, I would recommend a help search on "display security
tab"; look for the search result titled "Display the Security Tab", follow
the instructions, then set security permissions on things like installed
printers etc. Lastly, a Help search on "user restriction" will give you some
good advice and instruction on how to further tighten system security.
Hope this helps!
 
Group policy is something that is most effective in a domain.
While you can use it on a standalone machine, the downside is
that by default the settings apply to all users. It's possible to
exempt individual users and/or groups from policies set in the
User Configuration section of the local group policy but it's not
an easy procedure. If done incorrectly there's a small chance
that you could lock yourself out of the computer.

Here are some articles that might be helpful.

Lockdown by group using Local Computer Policy without Active
Directory:
http://tinyurl.com/687jj

This applies to XP as well as Win2K:
http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Local Group Policy in a workgroup:
http://www.theeldergeek.com/gp07.htm

Here's an alternative to using Group Policy:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

You might want to consider using this program first. If it
doesn't give you enough options then consider making changes to
the local group policy. If you decide to go the GPO route, post
back if you have questions on individual policies.
 
Thanks for the replies

Having had a look around I did later realise that it was domain based as a
standalone only has 2 types of account.

Any idea how to make a default user profile on an XP machine that is part of
a network, that can be locked down a lot more? Or how to make a new account
type (e.g. like power user) that can be saved and run as soon as my users log on
to their PCs?

Thanks a lot
 
Seeing as a domain is involved, this is a question you should
probably post to one of the server newsgroups. The people who
answer questions there have a lot more experience dealing with
these issues.

That said, here's my advice. Get a trained professional to set
this up for you. The money you save doing it yourself will cost
you more time, effort and energy than it is worth.

You might want to read these articles to get an idea of some of
the things you would have to do in order to accomplish your
goals:

Create a default user profile that you can use as a template.
http://support.microsoft.com/?kbid=319974

Create mandatory user profiles on your server.
http://support.microsoft.com/?kbid=307800
 
Hi,

I'm fine setting up default user profiles.

I'm one of the system admins for my company, so would like to get a better
understanding of the procedure. The question was originally posted in
respect of a spare laptop which is just reinstalled, but I don't want it coming
back each time with Scooby Doo backgrounds, spyware installed etc.

Also going to attempt to take the MCP at some point, so trying to patch any
areas that I'm weak on before I do.
 
Sorry for the misunderstanding. Often, questions will be posted
by people who are in way over their heads. They're trying to
solve a problem they're ill prepared to confront.

Since that's not your situation, let's see if we can prevent that
laptop from being Scooby Doo'd.

If your users have local accounts on the laptop then you might
want to take a look here:

http://www.dougknox.com/xp/utils/xp_securityconsole.htm

Experiment with this program. If it helps you keep that laptop in
shape, then consider getting your company to purchase the
licensed version. Beats having to do a reinstall every time your
users trash it.

If this is not an option, then you're going to have to rely on
the local group policy. Here's how:

First off, since you've said you're fine with setting up the user
profiles, I'm going to assume that you've already done that.
Next, run gpedit.msc to launch the local group policy editor.
Navigate to the User configuration section. There are hundreds of
individual policies for Users that you can enable. Your mission
is to find the right ones. For starters, try enabling this one:

Administrative Templates\Control Panel\Display
Prevent changing wallpaper

Right click on the entries in the right hand pane and select the
Explanation tab to gain some insight on what effect enabling a
policy will have.

Once you've made all the changes, close the group policy editor.

In order to make sure that these policies do not affect members
of the Administrators group, do the following:
Make sure that simple file sharing has been disabled on the
laptop.
Find C:\Windows\System32\GroupPolicy folder. Note: Since you may
have to access this folder often, create a shortcut to it on your
desktop.
On the folder's Security tab, add the Administrators group and
make sure they have the Read permission, and ONLY the Read
permission, set to Deny.
Log off and log back on with one of your user accounts, see if
the policies that you enabled are in effect and that they
accomplish your goal. If not, log back on as an administrator and
make the necessary changes to the local group policy. Make sure
you remove the Deny Read permission from the GroupPolicy folder
before launching gpedit. Put them back on when you're done.

Here's a reference to this procedure:
http://www.theeldergeek.com/gp07.htm
Keep in mind, this only works for policies in the User
Configuration section.

You can download a spreadsheet from MS that lists all the group
policy settings that can be applied to Windows XP:
http://www.microsoft.com/downloads/...c0-19b9-4acc-b5be-9b7dab13108e&DisplayLang=en

Post back if you have any questions.
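
A check for the "log off and log back on" step in the post above, added here as an example and not part of the original thread: run it once as an administrator and once as a restricted user to confirm the exemption behaves as intended. It assumes PowerShell 2.0 has been installed on the XP machine (it is not included by default); the function names are made up for this example.

```powershell
# Added example, not code from the thread. Assumes PowerShell 2.0 is installed.
$GpFolder  = Join-Path $env:SystemRoot 'System32\GroupPolicy'   # folder from the post
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
$PolicyVal = 'NoChangingWallPaper'   # registry value set by "Prevent changing wallpaper"

function Test-IsAdministrator {
    # True when the logged-on account is a member of the local Administrators group
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanReadFolder([string]$Path) {
    # Listing the folder fails when a Deny Read entry applies to this account
    # (it also fails if the folder does not exist)
    try { Get-ChildItem -Path $Path -Force -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

function Test-PolicyEnforced {
    # The policy is in effect for this user when the value exists and equals 1
    $p = Get-ItemProperty -Path $PolicyKey -Name $PolicyVal -ErrorAction SilentlyContinue
    ($p -ne $null) -and ($p.$PolicyVal -eq 1)
}

$isAdmin  = Test-IsAdministrator
$canRead  = Test-CanReadFolder $GpFolder
$enforced = Test-PolicyEnforced

# Intended outcome of the procedure:
#   administrator  -> folder unreadable, policy absent
#   any other user -> folder readable,   policy present
if ($isAdmin) { $ok = (-not $canRead) -and (-not $enforced) }
else          { $ok = $canRead -and $enforced }

New-Object PSObject -Property @{
    User              = [Environment]::UserName
    IsAdministrator   = $isAdmin
    CanReadGpFolder   = $canRead
    WallpaperLocked   = $enforced
    MatchesIntent     = $ok
} | Format-List
```

If an administrator account reports `CanReadGpFolder : True`, the Deny Read entry has been removed (for example, to run gpedit) and has not been put back.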
 
Thanks for all your assistance....should help loads

I shall have a play with the info tomorrow when I can get my hands on the
laptop again.

AAA
 