Re: Designing restrictive GPO
From: John Noitargim (johnny_at_nospam.com)
Date: 07/14/04
- Next message: Nathan: "Redirected My documents performance is poor"
- Previous message: Jim Singh: "Re: How to properly remove a crashed DC from AD"
- In reply to: Tim Springston [MSFT]: "Re: Designing restrictive GPO"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 14 Jul 2004 16:39:13 +0100
~Thanks Tim,
spot on.
J
"Tim Springston [MSFT]" <tspring@online.microsoft.com> wrote in message
news:%23ghN47aaEHA.2944@TK2MSFTNGP11.phx.gbl...
> Software Restriction policies are definetly the way to go. You would want
> to create a GPO and link it to the container the machines reside in (such
as
> OU=Workstations).
>
> The setting is located in GPEDIT.MSC by navigating to Computer
> Configuration->Windows Settings->Security Settings->Software Restriction
> Policies. You can 'disallow' applications from running there.
>
> Incedentally, Server 2003 gives some additional enhancements to these
> settings, including the use of a hash based Software Restriction setting
so
> that no matter the name or location of the application it will not run
since
> the hash matches one that is disallowed.
>
> Please repost if you have any additional questions or concerns.
>
> --
> Tim Springston
> Microsoft Corporation
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "ptwilliams" <ptw2001@hotmail.com> wrote in message
> news:u%23QxfQRaEHA.2812@TK2MSFTNGP11.phx.gbl...
> > If you only wish to allow some applications I would use the only allow
> these
> > applications user setting. I've successfully used this when I seriously
> > wanted to lock stuff down. Only add the file name though - not the
path.
> >
> > If you just want to block freecell.exe, etc there's the opposite
option -
> > don't allow these applications. Although if a user renames a file it'll
> > beat that simple policy. If you've XP boxes there's also Software
> > Restriction policy, but I've yet to use that (too many legacy clients
> where
> > I'm not at ;-))
> >
> > --
> >
> > Paul Williams
> > _________________________________________
> > http://www.msresource.net
> >
> >
> > Join us in our new forums!
> > http://forums.msresource.net
> > _________________________________________
> >
> >
> > "Johnny Noitargim" <jm@nospamplease.com> wrote in message
> > news:40f439dc$0$39758$ed2e19e4@ptn-nntp-reader04.plus.net...
> > Hi everyone,
> >
> > I am trying to find a way to restrict my users' access to their
> accesories,
> > games, etc. (I only need to keep selected few apps like calculator there
> for
> > them)
> >
> > I need to find a way of achieving this via GPOs rather that registry
> > editing...
> >
> > I am using Win2k server with win2k clients.
> >
> > Many thanks,
> >
> > J.
> >
> >
> >
> >
>
>
- Next message: Nathan: "Redirected My documents performance is poor"
- Previous message: Jim Singh: "Re: How to properly remove a crashed DC from AD"
- In reply to: Tim Springston [MSFT]: "Re: Designing restrictive GPO"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
