Re: User Policies



Thanks a lot. This is perfect for me. In fact, as far as I can see, there is a GPO for every occasion.

"Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OhYkc6s8IHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!

RG wrote:
Could somebody point me to a site where I could download sample group policies? Specifically, I am looking for a very aggressive group policy which a) doesn't allow software installation or removal b) doesn't allow user to view registries c) doesn't allow user to view network configuration, etc...

There are sample configurations out there but I doubt there's a sample GPO that does exactly what you're trying to do. They're called "Group Policy Common Scenarios": http://www.microsoft.com/downloads/details.aspx?familyid=354B9F45-8AA6-4775-9208-C681A7043292&displaylang=en

For a) - take away those users' admin rights on the box. Only admins can install software that writes into the Windows directory and portions of the registry. Only that can prevent people from installing that kind of software. Admins could, if they are smart enough, revert the changes you make with Group Policy anyway.

For b) You can use Software Restriction Policies to prevent regedit and regedt32 from running, but I doubt you'll catch all kinds of registry browsers. I guess you'd have to take the user's "read" permissions on a large number of reg keys to get that working. What's so dangerous in looking at the registry?

Even c) can't be done easily, I guess. For changing the net.config, they at least need to be "network operators" on the box. "Normal" users would only be allowed to view the settings. I'm not sure if you can restrict that really, but it would involve preventing command line tools like ipconfig as well as the UI.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
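
The following read-only audit is an added example, not part of the original thread: it reports, for one machine, the three things Florian's reply turns on (who holds local admin rights, who can change network settings, and whether a Software Restriction Policy path rule names regedit or regedt32). It assumes Windows PowerShell 5.1 or later; the group SIDs and the SRP registry location are the standard Windows ones, not values taken from the thread.

```powershell
# Added example: read-only audit of the three controls discussed in the thread.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

# Well-known SIDs are used so the check also works on localized Windows installs.
$groups = [ordered]@{
    'Administrators'                  = 'S-1-5-32-544'   # a) members can install software
    'Network Configuration Operators' = 'S-1-5-32-556'   # c) members can change network settings
}

foreach ($name in $groups.Keys) {
    "== $name =="
    try {
        Get-LocalGroupMember -SID $groups[$name] -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource |
            Format-Table -AutoSize
    } catch {
        # Enumeration can fail, for example when the group holds an orphaned SID.
        "  could not enumerate: $($_.Exception.Message)"
    }
}

# b) Machine-level Software Restriction Policies set through GPO are stored here.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $srp)) {
    'No machine-level Software Restriction Policy is configured.'
} else {
    $level = (Get-ItemProperty -Path $srp -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    "SRP DefaultLevel: $level (0 = Disallowed, 262144 = Unrestricted)"

    # "Disallowed" path rules are stored under security level 0.
    $rules = Get-ChildItem "$srp\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }

    foreach ($tool in 'regedit.exe', 'regedt32.exe') {
        $hit = $rules | Where-Object { $_ -like "*$tool*" }
        '{0,-13} named in a Disallowed path rule: {1}' -f $tool, [bool]$hit
    }
}
```

A path rule only covers the file names it lists, which is the limitation raised for b); the group listing is the more reliable check for a) and c).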
