
lock down WIN XP


  • lock down WIN XP

    Hello.
    I have 12 client computers, Windows XP SP2 based. I need to create some policy for the USER account that locks down all options on a specific computer for this USER.
    I mean, when USER is logged in to this desktop PC, he will see only 1 or 2 shortcuts on the desktop. No "My Computer", no "My Docs", etc.
    I want to prevent this USER from changing anything on the PC. CTRL+ALT+DEL also needs to be disabled.

    How can I do this?

    Thank you.

  • #2
    Re: lock down WIN XP

    I presume you have a Server 2003 or SBS2003 domain controller serving these clients? If so, I advise you to take a look at the Microsoft "Common Scenarios" GPOs which are a set of pre-built GPOs that provide for different levels of lockdown, some are very severe indeed. Instructions are here and the GPOs can be downloaded here and you have to install them by running the batch file "CreateCommonScenarios.cmd". This will create a tree of OUs with GPOs linked to those OUs. For example, the "Kiosk" scenario only allows one application to run - in this case it's Internet Explorer, but you can add to this by adding other applications or loosening the restrictions. It is a good starting point to have the pre-built scenarios to start from, then you can add or remove the settings to suit yourself rather than reinventing the whole thing from scratch.

    If all you do is put a user in an organisational unit that is subjected to the "CS - Highly Managed (User)" GPO, you will see how restricted that user is. Then you can play with the GPO which does a lot of the work and tweak it to your needs.

    Doing this showed me a lot about what can be done with GPOs and helped me to lock down workstations.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



    • #3
      Re: lock down WIN XP

      Thank you for your answer.
      I'm new to this. I need to learn a lot before trying this.
      Yes, you are right, I have Windows 2003 ENT, and all clients are connected to the server. But the function of this server is not Active Directory. So I'm not sure that I can implement this GPO on this machine. (I'm not sure that I know how to do this, and how to install GPOs on the server and use them on the client PC.)
      I will be more than thankful if you can direct me where to read how to do this.

      In addition, can I configure a standalone Windows OS to restrict everything for USER, and to leave only 1 or 2 shortcuts on the desktop? Without GPOs, and without SERVER.

      Thank you



      • #4
        Re: lock down WIN XP

        Without knowing about GPO and Active directory, you will have some difficulties because the Active Directory and GPO tools are the best for achieving what you want to do.

        But I have a simple idea which is an alternative way to block a lot of unwanted activity on an XP computer: simply disallow the use of the Start button. Combined with disabling the right click on the desktop, when a user has a desktop with no start button and no right-click on desktop, you have blocked a lot of activity. (It is not perfect, but GPO/Active directory is the proper way to do it).

        Firstly, put the shortcuts you want to use on the All Users desktop.

        So, to hide the start button: search Google for exactly this phrase (including the quote marks): "hide start button" windows xp

        To stop right click on desktop: search Google for this phrase: disable right click on desktop

        This will certainly get you started. Just make sure that when you log on as Administrator, the start button is not hidden - you do this by putting the hide start button program in the Startup group of each of the local users except the Administrator. Most of these "Hide Start Button.exe" programs also have a way to show the start button as well - put the show start button method in the startup group of the Administrator account. Just make sure you do not lock yourself out!
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



        • #5
          Re: lock down WIN XP

          Thank you for the reply.
          I have 2 users on the PC: ADMINISTRATOR (has all privileges), and USER (limited user account).
          I tried to use "gpedit.msc" (group policy). Here I can make a lot of changes in "User Configuration".
          But there is a strange fact: all changes I make in the policy cause changes for both user accounts, ADMIN and USER. But I want to make changes for the USER account only.
          Is it possible?



          • #6
            Re: lock down WIN XP

            Local policies apply to ALL users on the computer. What you are seeing is correct, all users will be affected by the local policy you set.

            There is a very clever workaround for this, but it is complicated, and we have our good man JeremyW to thank for the wisdom here. See http://forums.petri.com/showthread.php?p=50948 for a way to apply a local policy to a specific group of users. I did not suggest that way because you may feel it is too complex - I like to use simple ways that do not involve policy. But it is nice to know how to do it for those times when you need to get complicated.

            The best way is to use GPO in Active Directory. You have not got that, so I suggest you do not use local policies. I suggest you use simple methods (like the ones I have suggested) instead. It's up to you, of course, but I always try to keep things simple, because it is easier to understand, fix and edit simple things.
            Best wishes,
            PaulH.
            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



            • #7
              Re: lock down WIN XP

              Thanks for your answers, but I have no choice but to use local policies, because these computers have no connection to the AD.



              • #8
                Re: lock down WIN XP

                I understand you have no connection to AD. That is why I gave you alternative methods of doing things, so you do have a choice. Either use Jeremy's method of applying a local policy to a specific group of users, or use other tools such as those I have shown you. The choice is yours, but you do have a choice. Good luck and best wishes,
                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
