Windows XP Group Policy

[Guest]

How do I utilize restrictions within XP similar to those available in 2000
(i.e. user restrictions). I have set up XP to load a specific application
and have restricted the user from accessing most applications, however when
the application is closed and they are brought to the blank main windows
screen they can still perform a Ctrl-Alt-Del and access the task manager.
With previous similar configurations in 2000 I was able to restrict the user
from accessing the Task Manager in this manner and only allow them to
shut-down or log off. How do I restrict this in XP and yet still allow for
the administrator to log on with full privleges? Running XP SP2.

 

[Malke]

How do I utilize restrictions within XP similar to those available in
2000
(i.e. user restrictions). I have set up XP to load a specific
application and have restricted the user from accessing most
applications, however when the application is closed and they are
brought to the blank main windows screen they can still perform a
Ctrl-Alt-Del and access the task manager. With previous similar
configurations in 2000 I was able to restrict the user from accessing
the Task Manager in this manner and only allow them to
shut-down or log off. How do I restrict this in XP and yet still
allow for
the administrator to log on with full privleges? Running XP SP2.

Pro or Home? With Pro, you set permissions the same way you did in
Win2k. With Home, you don't have as many options natively. You can use
Doug Knox's Security Console or the MS Shared Computer Toolkit.

How to disable Simple Sharing and set permissions on a shared folder in
Windows XP (Pro only)
http://support.microsoft.com/?kbid=307874

HOW TO: Set, View, Change, or Remove File and Folder Permissions in
Windows XP
http://support.microsoft.com/?kbid=308418

http://www.dougknox.com/
http://www.microsoft.com/windowsxp/sharedaccess/default.mspx

Malke

 

[Guest]

This would be applicable if I was attempting to restrict access to
files/folders. What I'm trying to do with my professional version is kind of
like a shell, I want the user to be automatically logged on when the computer
is started and taken to a specific application and only that application.
When the user wants to leave the application they may close it but can do
nothing else except Ctrl-Alt-Del which takes them to the task manager screen
(2000) or the windows security screen (XP). Once there the only option would
be for them to either shut-down windows or log-off. Once logged off the
administrator could log on with full access to all of the files and folders.
I was able to do this in 2000 but there doesn't appear to be an easy method
of doing it in XP.

 

[Malke]

This would be applicable if I was attempting to restrict access to
files/folders. What I'm trying to do with my professional version is
kind of like a shell, I want the user to be automatically logged on
when the computer is started and taken to a specific application and
only that application. When the user wants to leave the application
they may close it but can do nothing else except Ctrl-Alt-Del which
takes them to the task manager screen
(2000) or the windows security screen (XP). Once there the only
option would
be for them to either shut-down windows or log-off. Once logged off
the administrator could log on with full access to all of the files
and folders. I was able to do this in 2000 but there doesn't appear to
be an easy method of doing it in XP.

Sure you can do this. Set up users/groups with restrictions with Group
Policy. You can create a default user profile and make this the
mandatory profile or just image your ideal setup to other computers.

Set program access and defaults:
http://support.microsoft.com/?kbid=332003
http://support.microsoft.com/?kbid=820291

For questions about using Group Policy, post here:
microsoft.public.windows.group_policy

Create an XP Pro Mandatory User Profile on the Local Machine
http://www.tweakxp.com/article139898.aspx

How To Assign a Mandatory User Profile in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307800&sd=tech

If a server is involved, you might want to include a server newsgroup in
a crosspost with the group policy group.

microsoft.public.windows.server.general
microsoft.public.windows.server.sbs

Malke

 

[Steven L Umbach]

If your computer or computers are not members of an Active Directory domain
I suggest that you take a look at the free Shared Computer Toolkit from
Microsoft that may be able to do much of what you want or at least severely
restrict non privileged users. Shared Computer Toolkit from Microsoft takes
advantage of many Group Policy type restrictions for a user that does not
need to affect other user accounts. Otherwise if you are using XP Pro you
can use Software Restriction Policies that can restrict what non
administrators can run and install on the computer usually with path and
hash rules and a default disallowed or unrestricted security level. If you
try SRP keep in mind that .lnk shortcuts are considered restricted by SRP by
default and you will find checking the application log helpful when trying
to tweak SRP rules. --- Steve

http://www.microsoft.com/windowsxp/sharedaccess/default.mspx --- Shared
Computer Toolkit
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- Software Restriction Policies
http://www.jsifaq.com/sube/tip2400/rh2492.htm --- how to filter local
Group Policy via NTFS permissions

 

[Guest]

The utility was very helpful. I restricted the user right down to nothing
and then went to configure auto login and starting into a specific program
which caused what I believe are unrelated errors. When I attempted to log
off it would do nothing, and I would assume this was due to the fact that the
task manager was restricted. How do I allow access to or force a log off
when exiting from a program?

 

[Steven L Umbach]

I would try using Control-Alt-Delete to see if it allows logoff. I suppose
you could also create desktop shortcut to the logoff command. --- Steve