Few Issues and Workarounds needed

  • Few Issues and Workarounds needed

    Well, I'm here to get help from you guys..!! I'm a technology passionate kinda person and I somehow got interested in learning the powers of Active Directory & GPO.

    I've been successful in setting up a Windows 2003 Server with AD, DNS and DHCP Server. I know Windows does 90% of the job by itself. But still many people get scared when working around with them.

    Well I've a network of 10 PCs all running Windows 2000 and they will grow in time.. So I was planning to make everything automated. I've also applied GPOs to all the 10 PCs.

    All PCs have 40 GB HDD, they are using their own space for storing documents/files etc.

    Problem 1:
    I want to block the System Drive, i.e. the C: Drive, while making sure they have access to My Documents. Because I've tested that when you block access to the C Drive from GPO, you cannot access My Documents, or even a new folder created by you on the desktop.

    So I was thinking it could be done like.. changing the profile path to the D: Drive, but that would require some kind of scripting.. and I'm really dumb at it. Scripting scares me. Any suggestions ??

    Problem 2:
    I had managed to disable all the hardware addition, probably.. because they are simple users, so they don't have any access to add new hardware. But when I insert a pen drive / flash / USB drive, I can get access to it. So the users will easily be able to read/write the pen drive.

    Either I can block all the drives using GPO, but then My Documents is also not accessible..!! Or if there's a way that users can only read from USB but not write, or the best.. block USB..!! Any suggestions ??

    Problem 3:
    While I was setting up GPOs I realized that if a user has a successful login onto a particular system and then on "one not so" fine day the DC or the network goes down & then the user tries to log in.. he actually can.. because the OS caches the usernames and passwords, I think..!!

    So, what could be the solution to this..!! If we want users to be able to log in only if the DC is available...!! Any suggestions ??

    Any kind of help will be appreciated. You can give me links.. some reading material or any damn thing that would help me I would like it.

    Thank you all..!!

  • #2
    Re: Few Issues and Workarounds needed

    Problem 1:
    What are you REALLY trying to accomplish? If they're just a user, they won't be able to make changes to important directories, e.g. Windows folder.

    Problem 2:
    http://www.petri.com/disable_usb_disks_with_gpo.htm

    Problem 3:

    Note: Why do you want to do this?

    http://www.microsoft.com/resources/d....mspx?mfr=true

    Interactive logon: Number of previous logons to cache (in case domain controller is not available)

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    Description
    Determines the number of times a user can log on to a Windows domain using cached account information.

    Logon information for domain accounts can be cached locally so that, in the event a domain controller cannot be contacted on subsequent logons, a user can still log on. This setting determines the number of unique users for which logon information is cached locally.

    If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message:

    A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.

    If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

    The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

    Default: 10.


    Note: Setting this value to 0 disables the local caching of logon information.
    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: Few Issues and Workarounds needed

      What are you REALLY trying to accomplish? If they're just a user, they won't be able to make changes to important directories, e.g. Windows folder.
      Well I thought, if I could access the Windows folders and other program files folders then I might be able to modify/create sub folders / files and even delete them.. who knows..!! Can we do that as a normal user ?? I've not tested them yet.. I'll do that and see...

      Also, there are important programs in the Program Files folder.. so can we modify them as a normal user ?

      Thank you very much wired.
      -----------------------------------------------------------------------------------------------------
      If you could help me with some articles on "Software Deployment in Managed Environment", are any step-by-step guides available ?

      I want to install most of the software like -
      - Adobe Acrobat Reader,
      - MS Office 2000/2003
      - IE 6
      - etc.

      I was also looking for help on RIS (Remote Installation Services). I wanted to deploy Windows 2000 from a single place. I mean, if MS provides it, why not use it?

      I also wanted to ask, is it feasible to make a File Server & use a screening service restricting them from uploading or sharing files like mpg, mov, exe, etc. after so many restrictions ?? There are no CD/DVD drives, restricted access to USBs (thanks to you) and much more... etc.
      -----------------------------------------------------------------------------------------------------

      Well these are long-term plans.. so not in a hurry ..


      • #4
        Re: Few Issues and Workarounds needed

        Definitely test it (I don't think our GP touches either folder, but I could be wrong), but I'm pretty sure the windows folder is not editable for users by default, pretty sure the same goes for the Program Files folder.
        ** Remember to give credit where credit is due and leave reputation points where appropriate **
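
An added example, not part of any post in this thread: a PowerShell audit, run from an administrative workstation, that reports for each PC the cached-logon count behind the policy quoted in post #2, the state of the USB storage driver, and whether ordinary users hold write rights on the Windows and Program Files folders, which post #4 suggests testing. The computer names, the `C$\Program Files` path and the function names are assumptions; the registry value names `CachedLogonsCount` and `USBSTOR\Start` are the ones Windows uses for these settings and are not quoted on the page.

```powershell
# Added example. Run from an admin workstation; targets need the Remote
# Registry service and admin shares. Computer names are placeholders.
$computers = 'PC01', 'PC02'

function Get-RemoteRegValue([string]$Computer, [string]$SubKey, [string]$Name) {
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }   # key does not exist on the target
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Test-UserWritable([string]$Path) {
    # Write-type rights, plus GENERIC_WRITE/GENERIC_ALL (0x50000000), which
    # show up unmapped in inherit-only ACEs.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'
    $mask = [int]$rights -bor 0x50000000
    $hits = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '(^|\\)(Users|Authenticated Users|Everyone)$' -and
        ([int]$_.FileSystemRights -band $mask) -ne 0
    }
    return @($hits).Count -gt 0
}

foreach ($pc in $computers) {
    $cached = Get-RemoteRegValue $pc 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $usb = Get-RemoteRegValue $pc 'SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    # No value means the default of 10 applies; 0 disables cached logons.
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }
    # Start=4 disables the driver; no key means it is not installed on that PC.
    $usbState = if ($null -eq $usb) { 'driver not installed' }
    elseif ($usb -eq 4) { 'disabled' }
    else { "enabled (Start=$usb)" }
    [pscustomobject]@{
        Computer             = $pc
        CachedLogons         = $cachedCount
        UsbStorage           = $usbState
        # ADMIN$ is the share for %SystemRoot%; the C$ path is an assumption.
        WindowsWritable      = Test-UserWritable "\\$pc\ADMIN$"
        ProgramFilesWritable = Test-UserWritable "\\$pc\C$\Program Files"
    }
}
```

The ACL check matches English group names only and reads the top-level folder's ACL, so a writable subfolder needs a separate look.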