I think what you're after is "make it difficult for anyone outside the
Accounting group to get to an Explorer desktop or command prompt on any of
these accounting computers"?
While it's fun (?) to try to find all the permissions that would have to be
removed/restricted on a Windows PC, the more efficient way to manage this
kind of control is using Group Policy to restrict the logon-related
Privileges. Try this:
- Open a Group Policy object that only targets these Accounting PCs (or
create a new one)
-- Note: you can limit the scope of a Group Policy object using just the OU,
using a Security group to limit the "Apply Group Policy" permission on the
GPO, or using a WMI filter on the GPO. GPMC probably has more details on
this.
- Select Computer Configuration > Windows Settings > Security Settings >
Local Policies > User Rights Assignment
- Make sure you have a Security group defined in Active Directory that
*only* contains user accounts that should be able to log on to the accounting
PCs
- Double-click the "Log on Locally" entry in User Rights Assignment and Add
the security group you have for those users. [You may want to also add a
group for the IT administrators or anyone else in IT-land that might need
logon rights to these PCs.]
This should have the intended effect.
If you'd like to really button things down against malicious people, you
could do things like:
- add an Active Directory group (containing the "malicious people") to the
user right "Deny logon locally"
- add the group of legitimate users to the "Access this computer from the
network" user right - but be careful - this will restrict who can access
shares that are made available from these PCs and many other "remote access"
capabilities
- add the "malicious users" group to the user right "Access this computer
from the network" (same caveat applies)
- add the group of legitimate users to the user right "Allow logon through
Terminal Services" to restrict Remote Desktop access as well - but watch out,
this could also wipe out the default access rights granted to the members of
the computers' local "Administrators" and "Remote Desktop Users" groups.
- add the "malicious users" group to "Deny logon through Terminal Services".
Hope this helps.
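The check a practitioner would want after building the GPO described in the answer above is to confirm what actually landed on an accounting PC. The script below is an added example, not code from the original post: run it elevated on one of the target PCs (PowerShell 5.1 or later) after `gpupdate /force`. It exports the effective local security policy with `secedit`, resolves the SIDs under each logon-related user right, and flags anything outside the list of groups you expect to hold "Log on locally". The group names `CONTOSO\Accounting-Logon` and `CONTOSO\IT-Admins` are placeholders and are not from the original post; the caveats it flags (Administrators dropped from the Remote Desktop or network-logon rights, an unresolvable SID) are the ones the answer warns about.

```powershell
# Added example, not part of the original post. Audits the effective logon-related
# user rights on the local machine after a GPO applies. Run elevated.
# ASSUMPTION: the group names in $ExpectedLocalLogon are placeholders; substitute your own.
param(
    [string[]]$ExpectedLocalLogon = @('CONTOSO\Accounting-Logon', 'CONTOSO\IT-Admins', 'BUILTIN\Administrators')
)

# Privilege constant -> display name as shown in User Rights Assignment
$logonRights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeNetworkLogonRight               = 'Access this computer from the network'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Get-LocalUserRights {
    # Returns a hashtable: privilege constant -> array of resolved principal names
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the effective policy as a UTF-16 .inf; rights live under [Privilege Rights]
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $result = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $priv = $matches[1]
                $principals = foreach ($tok in ($matches[2] -split ',')) {
                    $tok = $tok.Trim()
                    if (-not $tok) { continue }
                    if ($tok.StartsWith('*')) {
                        # Entries are SIDs prefixed with '*'; translate to DOMAIN\Name
                        try {
                            $sid = New-Object System.Security.Principal.SecurityIdentifier($tok.Substring(1))
                            $sid.Translate([System.Security.Principal.NTAccount]).Value
                        } catch {
                            # An unresolvable SID (deleted group, wrong domain) is itself a finding
                            "UNRESOLVED:" + $tok.Substring(1)
                        }
                    } else { $tok }
                }
                $result[$priv] = @($principals)
            }
        }
        return $result
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-LogonRights {
    param([hashtable]$Rights, [string[]]$ExpectedLocalLogon)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Show who holds each logon-related right
    foreach ($priv in $logonRights.Keys) {
        $holders = if ($Rights.ContainsKey($priv)) { $Rights[$priv] } else { @() }
        $shown = if ($holders.Count) { $holders -join ', ' } else { '<nobody>' }
        Write-Output ("{0,-47} {1}" -f $logonRights[$priv], $shown)
    }

    # 2. "Allow log on locally" must match the expected group list exactly
    $local = if ($Rights.ContainsKey('SeInteractiveLogonRight')) { $Rights['SeInteractiveLogonRight'] } else { @() }
    foreach ($p in $local) {
        if ($ExpectedLocalLogon -notcontains $p) { $findings.Add("Unexpected principal can log on locally: $p") }
    }
    foreach ($e in $ExpectedLocalLogon) {
        if ($local -notcontains $e) { $findings.Add("Expected principal missing from 'Allow log on locally': $e") }
    }

    # 3. Caveats from the answer: scoping the RDP or network-logon rights silently drops Administrators
    foreach ($priv in 'SeRemoteInteractiveLogonRight', 'SeNetworkLogonRight') {
        if ($Rights.ContainsKey($priv) -and ($Rights[$priv] -notcontains 'BUILTIN\Administrators')) {
            $findings.Add("'$($logonRights[$priv])' is set but no longer includes BUILTIN\Administrators")
        }
    }

    # 4. Any SID that did not resolve
    foreach ($priv in $Rights.Keys) {
        foreach ($p in $Rights[$priv]) {
            if ($p -like 'UNRESOLVED:*') { $findings.Add("$priv contains an unresolvable SID: $($p.Substring(11))") }
        }
    }

    return $findings
}

$rights = Get-LocalUserRights
$findings = Test-LogonRights -Rights $rights -ExpectedLocalLogon $ExpectedLocalLogon
if ($findings.Count) {
    Write-Warning ("{0} finding(s):" -f $findings.Count)
    $findings | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'Logon rights match the expected configuration.'
}
```

Because `secedit /export` reports the policy as merged on the machine rather than what a single GPO contains, it catches the case where a local setting or a second GPO with higher precedence quietly wins over the accounting GPO. Running the same script on a PC outside the accounting OU is a quick way to confirm the GPO's scope did not leak.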