Windows 2000 Security Features

[DJ-phYre]

I am currently setting up workstations and creating an image for a ghost drive. I need to setup the computer where Administrators can change the settings but the users can't. I ran gpedit.msc but whenever I change the settings in there it would not work. How can I set this just for users. How can I set the restrictions strictly to users?

 

[Un4gIvEn1]

What do you wish to restrict? Please be VERY specific. "Settings" is not specific.

 

[DJ-phYre]

Well these machines are going to schools, so I want to restrict things such as all the tabs in IE, control panel access where the students can not change teh backgrounds, screensavers, powersaving options. Basically all the options that a student shouldn't be changing.

 

[Un4gIvEn1]

You can control most of those by using the Internet Explorer Admin Kit (IEAK). Just go to Microsoft and do a search. Powersaving options can not be changed by standard users, only administrators, so you should be good there.

 

[Enyo]

You want also to look at rights assignment (in the security policy) then be very specific with the settings you apply in group policy.

As your working on a local level you not going to be able to be very granular about which users or groups will be effected.

The settings under computer configeration will affect every user using the system unless the policy is overriden by a policy in active directory which is not the case here.

When working with settings under user configeration it will apply to the user whos account your logged on with, therefore you can manage the settings for each user, this of course takes more time.

I would suggest that if students will be using the local user accounts you create one local user account and setup the settings under user configeration in the local group policy that you require then instruct all users to use that same accounts.

Would this be acceptable or do all students require there own account?

Of course the less restritive way of doing this would be to user limited accounts, but that still provides alot of abilities you would not want users to have.

 

[Un4gIvEn1]

As a side note... If you do not know then this is important. Since you are using Ghost you will need to remove the SID from the image. If you build 2 systems off of the same image and they have the same SID and they are on the same network you WILL run into issues. GhostWalker I think is the name of the SID editor for ghost. You can use just about any SID remover. I think Microsoft even has one. It has been a long time since I have had to do this. I use RIS to do all of the images here at work.

 

[DJ-phYre]

All the machines have 2 users basicly... student and administrators. All the students login with the name "student" and the password, which is the same.

 

[Enyo]

Yes MS provide sysprep to do that.

How to use Sysprep with Ghost:

http://service1.symantec.com/SUPPORT/ghost.nsf/docid/2000081610075225

 

[Enyo]

Originally posted by DJ-phYre
All the machines have 2 users basicly... student and administrators. All the students login with the name "student" and the password, which is the same.

Then your good to go. Just concentrate on the settings under user configeration and make the required changes.

 

[Un4gIvEn1]

IEAK

http://www.microsoft.com/windows/ieak/downloads/ieak6/ieak6sp1.asp

 

[DJ-phYre]

Originally posted by Un4gIvEn1
As a side note... If you do not know then this is important. Since you are using Ghost you will need to remove the SID from the image. If you build 2 systems off of the same image and they have the same SID and they are on the same network you WILL run into issues. GhostWalker I think is the name of the SID editor for ghost. You can use just about any SID remover. I think Microsoft even has one. It has been a long time since I have had to do this. I use RIS to do all of the images here at work.

With the newest version of ghost this is not a problem. We have already done some machines and there were no problems. We are just wanting to lock down the students and leave the admins fully open.