Re: Lock down certain machines

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 01/19/05 

Date: Tue, 18 Jan 2005 19:33:11 -0500

Gino,

There are a couple of ways.

I might take a look at the Restricted Groups GPO that will be part of the
solution. The MSKB Articles of interest are:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

I would also take a look at the locking down the systems via GPO. Here is a
link ( yes, it is aimed at Terminal Server but the concepts apply to
workstations as well ):

http://support.microsoft.com/?id=278295
http://support.microsoft.com/?kbid=315675

You can also use NTFS permissions to further assist you.

I would test this in a lab environment. I know that I do some things a bit
differently in regards to 278295. Find what works for you and your
environment. 

-- 
Cary W. Shultz
Roanoke, VA  24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Gino" <Gino@discussions.microsoft.com> wrote in message 
news:498FAA47-3BF5-4142-9F1A-12A7E0406DA8@microsoft.com...
> Our Executive Director has asked me to lock down the computers in one of 
> our
> departments so the users can't install or change anything on their 
> computer.
> I made sure the users did not have admin rights, but they still seem to be
> able to install screen savers, file sharing programs, etc. Can I lock them
> down with group policies? Can someone recommend a good starting point for
> learning how to implement them for certain users or machines? We use win2k
> pro workstations and a win2k server domain controller. Thanks.