lock down xp

[Jay Simmons]

Hi all! We're finally getting rid of 80+ Win 98SE
computers (VERY OLD PC's). We are deploying XP pro. We
connect to our own domain server as well as several other
servers (Exchange, etc...). Can anyone direct me to a
document that can give me a bit of instruction on how to
deploy these so that they are properly locked down? I
want to avoid a nightmare like I've had with 98. Way too
many users are installing software, downloading stuff off
the Internet, etc.. Any help would be GREATLY
appreciated!

Thanks!
Jay

 

[Karl]

setup each pc 1st with the apps that they must use
add the users, printers, and network shares

If you can, create the users as RESTRICTED users so that they have min.
effect on the PC's. Be careful that some apps need special permissions in
order to be useable (I.E. Some apps need to modify the registry in order to
be used)

If that is the case, you have a few options. There are tools out there that
will allow you use use the app on a restricted user account, just not sure
of the names..., You could use the RUNAS command but I think that will store
the password in a text file of the account that has admin right, which you
do not want

Maybe someone from MS has a clearer picture?

 

[Robert Moir]

Hi all! We're finally getting rid of 80+ Win 98SE
computers (VERY OLD PC's). We are deploying XP pro. We
connect to our own domain server as well as several other
servers (Exchange, etc...). Can anyone direct me to a
document that can give me a bit of instruction on how to
deploy these so that they are properly locked down? I
want to avoid a nightmare like I've had with 98. Way too
many users are installing software, downloading stuff off
the Internet, etc.. Any help would be GREATLY
appreciated!

Assuming you have windows 2000 or windows 2003 server you can lock down the
workstations and set things how you want centrally with group policies...

http://www.microsoft.com/downloads/...7b-ef65-4ccf-9d00-89d6ae428edc&displaylang=en

 

[Roger Abell [MVP]]

Jay,

Basically what you may want to do is to take a machine,
install XP and updates for XP and hardware, take an
image at this point, then install the software that is to
be available. Next, test all software as a plain user.
Some apps will need for use to use the application
compatibility toolset if they are quite old. Other apps
will need you to loosen permissions, usually on their
installation directory, but sometimes on an ini file in
the system dir, sometimes on a temp det who knows
where. Also, it is not uncommon for non Windows
certified apps to want to write to the registry where
they have no business, so you then need to loosen
permissions on the reg key and its subkeys/values
(usually this is in hklm\software\vendorname) so that
Users group has heightened permissions.

OK, in theiry at that point you have determeined that
people can do what they need with only what you want
them to have. So, you need to decide how to deploy
this. Look into using RIS for the number of machines
that you indicate, and look into using Group policy to
distribute the software. You need to start becoming
familiar with group policy anyway, as that is where it
all is at in domain management. You should consider
getting SUS (software update service) installed so that
you can point all the machines at it in order to keep them
up-to-date with what gets released at Windows Update.

Welcome to the world of centralized management.
It is good that you asked, as just jumping in an trying
is definitely not the way to go about things. Time spent
planning and starting out right will repay itself many,
many times over.

(ps. check out the Management area in the IT Pro doc
at mcirosoft.com/windows2000 and now also in the
windowsserver2003 area)
Good luck,
Roger

 

[Jay Simmons]

WOW! Thanks for all the GREAT replies! I really
appreciate the help!!! I'll get to work on it all right
now...

Thanks again!
Jay