Re: Best way to lock down user profile on XP client?
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Thu, 29 Jun 2006 10:57:50 GMT
Hi Jerry,
You may also want to consider reading the following steps in regards this
issue:
We can configure the [User Configuration\Administrative
Templates\System\Don't run specified Windows applications] group policy to
restrict users from launching Internet Explorer. To do so, please perform
the following steps:
1. Open Server Management and then expand Advanced Management.
2. Expand Group Policy Management | Forest Domains | Server Name.
3. Right click the GPO you want to configure and select Edit.
4. Locate the [User Configuration\Administrative Templates\System\Don't run
specified Windows applications] group policy.
5. Double click this group policy, and select Enabled.
6. Locate the [Computer Configuration\Administrative Templates\System\Group
Policy\User Group Policy loopback processing mode] group policy, and enable
it.
7. Click Show -> Add, type iexplore.exe in the text box, and click OK.
8. Run the following Command line to refresh policy on both DC and client
computer.
Gpupdate /force
You can also find "Prevent access to the command prompt" from User
Configuration\Administrative Templates\System.
You can also refer to the following documents for more information:
323525 HOW TO: Restrict Users from Running Specific Windows Programs in
Windows
http://support.microsoft.com/?id=323525
How to lock down a Windows Server 2003 or Windows 2000 Terminal Server
http://support.microsoft.com/kb/278295
Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/details.aspx?familyid=7F272FFF-9A6E-40C7-
B64E-7920E6AE6A0D&displaylang=en
Also I provide the following Knowledge Base articles for more information:
231287 Loopback Processing of Group Policy
http://support.microsoft.com/?id=231287
260370 How to Apply Group Policy Objects to Terminal Services Servers
http://support.microsoft.com/?id=260370
By the way in Windows XP, there is a more powerful tool to lock down a
computer-Software Restriction policy. In a Windows 2003 domain, they can be
implemented using Group Policy (hence you can apply them to certain user
groups); on standalone systems, they can still play a role (they can be
configured to apply to all non-administrator users):
For more information, please see:
Using Software Restriction Policies to Protect Against Unauthorized Software
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
14 Reasons To Reconsider Software Restrictions
http://mcpmag.com/columns/rss.asp?editorialsid=690
Note: Software restriction policies do not apply when Windows is started in
Safe Mode Safe Mode. If you accidentally lock down a workstation with
software restriction policies, restart the computer in Safe Mode, log on as
a local administrator, modify the policy, run gpupdate, restart the
computer, and then log on normally.
Hope the information help and I look forward to your reply.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Best way to lock down user profile on XP client?
| thread-index: AcaZ+u0MlQA9atPGTR+fg72EsyQ8Rw==
| X-WBNR-Posting-Host: 66.12.54.37
| From: =?Utf-8?B?SmVycnk=?= <Jerry@xxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <68795F31-E139-4919-89B1-168DAFD6F805@xxxxxxxxxxxxx>
<#uiCT6TmGHA.4952@xxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Best way to lock down user profile on XP client?
| Date: Tue, 27 Jun 2006 08:04:02 -0700
| Lines: 29
| Message-ID: <DEE0A057-FCD1-48AC-A9A7-F0602B506E17@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Newsgroups: microsoft.public.windows.server.sbs
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:277714
| NNTP-Posting-Host: TK2MSFTNGXA01.phx.gbl 10.40.2.250
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| I am not sure of anything at this point Chris. But, I have been able to
work
| around that problem in the past by setting permissions on the associated
| application folder and registry keys.
| --
| Jerry
|
|
| "Cris Hanna (SBS-MVP)" wrote:
|
| > well certainly, you can use gpo's to do that,
| > The problem you will need to becareful of is the rights and permissions
required to run those applications
| > Are you sure that they don't require being local admin to run them?
| >
| > --
| > Cris Hanna [SBS-MVP]
| > --------------------------------------
| > Please do not respond directly to me, but only post in the newsgroup so
all can take advantage
| > "Jerry" <Jerry@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:68795F31-E139-4919-89B1-168DAFD6F805@xxxxxxxxxxxxxxxx
| > BSB 2003 Premium.
| >
| > I have several XP client pc's which are used to run operating
software for
| > pieces of industrial equipment. I would like to lock down the user
desktop
| > for the operators profile on these pc's based on user login. What
would be
| > the best way to do that? Is it possible to use a group policy and
assign it
| > to a perticular security group, or should I use a local policy on the
XP
| > client it self? What I want to do is remove access to the run line,
my
| > computer, internet explorer and the like.
| > --
| > Jerry
|
.
- References:
- Re: Best way to lock down user profile on XP client?
- From: Cris Hanna \(SBS-MVP\)
- Re: Best way to lock down user profile on XP client?
- Prev by Date: Re: trust relationship
- Next by Date: Re: Backing Up
- Previous by thread: Re: Best way to lock down user profile on XP client?
- Next by thread: Should you run Adprep durining business hours?
- Index(es):
Relevant Pages
|
