Windows 2000 Security Features

Discussion in 'Windows Desktop Systems' started by DJ-phYre, Jun 18, 2003.

  1. DJ-phYre

    DJ-phYre To whom it may concern

    Messages:
    135
    Location:
    Monroe, LA
    I am currently setting up workstations and creating an image for a ghost drive. I need to setup the computer where Administrators can change the settings but the users can't. I ran gpedit.msc but whenever I change the settings in there it would not work. How can I set this just for users. How can I set the restrictions strictly to users?
     
  2. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    What do you wish to restrict? Please be VERY specific. "Settings" is not specific.
     
  3. DJ-phYre

    DJ-phYre To whom it may concern

    Messages:
    135
    Location:
    Monroe, LA
    Well these machines are going to schools, so I want to restrict things such as all the tabs in IE, control panel access where the students can not change teh backgrounds, screensavers, powersaving options. Basically all the options that a student shouldn't be changing.
     
  4. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    You can control most of those by using the Internet Explorer Admin Kit (IEAK). Just go to Microsoft and do a search. Powersaving options can not be changed by standard users, only administrators, so you should be good there.
     
  5. Enyo

    Enyo Moderator

    Messages:
    1,338
    You want also to look at rights assignment (in the security policy) then be very specific with the settings you apply in group policy.

    As your working on a local level you not going to be able to be very granular about which users or groups will be effected.

    The settings under computer configeration will affect every user using the system unless the policy is overriden by a policy in active directory which is not the case here.

    When working with settings under user configeration it will apply to the user whos account your logged on with, therefore you can manage the settings for each user, this of course takes more time.

    I would suggest that if students will be using the local user accounts you create one local user account and setup the settings under user configeration in the local group policy that you require then instruct all users to use that same accounts.

    Would this be acceptable or do all students require there own account?

    Of course the less restritive way of doing this would be to user limited accounts, but that still provides alot of abilities you would not want users to have.
     
  6. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
    As a side note... If you do not know then this is important. Since you are using Ghost you will need to remove the SID from the image. If you build 2 systems off of the same image and they have the same SID and they are on the same network you WILL run into issues. GhostWalker I think is the name of the SID editor for ghost. You can use just about any SID remover. I think Microsoft even has one. It has been a long time since I have had to do this. I use RIS to do all of the images here at work.
     
  7. DJ-phYre

    DJ-phYre To whom it may concern

    Messages:
    135
    Location:
    Monroe, LA
    All the machines have 2 users basicly... student and administrators. All the students login with the name "student" and the password, which is the same.
     
  8. Enyo

    Enyo Moderator

    Messages:
    1,338
  9. Enyo

    Enyo Moderator

    Messages:
    1,338
    Then your good to go. Just concentrate on the settings under user configeration and make the required changes.
     
  10. Un4gIvEn1

    Un4gIvEn1 Moderator

    Messages:
    1,084
  11. DJ-phYre

    DJ-phYre To whom it may concern

    Messages:
    135
    Location:
    Monroe, LA
    With the newest version of ghost this is not a problem. We have already done some machines and there were no problems. We are just wanting to lock down the students and leave the admins fully open.