OT: Win2k group policy

Discussion in 'General Discussion' started by Koolvin, Jan 10, 2003.

  1. Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202
    I am setting some machines up at work and I need to lock them down because they are going to be public access terminals (surfing the net).

    The machines are Win2K Pro and they are part of a workgroup not a domain.

    I messed around with the group policy editor but it affects all users including Admin user and I locked myself out already!

    anyone come up with any solutions? The only snag is it has to be done with Win2k or free software as my work are stinge *****
     
  2. Sp!ke

    Sp!ke Administrator Staff Member

    Messages:
    12,234
    Joined:
    Jun 2, 2002
    Location:
    West London
    Car:
    SL500 & The Fart Car
    What are you trying to restrict?
     
  3. OP
    OP
    Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202
    everything really! apart from IE.
     
  4. Sp!ke

    Sp!ke Administrator Staff Member

    Messages:
    12,234
    Joined:
    Jun 2, 2002
    Location:
    West London
    Car:
    SL500 & The Fart Car
    Create a new group of users (not the same one as Administrator account) and then use the Policy Editor on that group.
     
  5. GrahamC230K

    GrahamC230K MB Club Veteran

    Messages:
    9,830
    Joined:
    Jul 14, 2002
    Car:
    Audi A3 & S4 quattro
    Like I said earlier (those not on MSN Messenger only have yourselves to blame!!!) I am not really up on GPO's as I have always dodged them so far!


    If you want a quick and easy solution, you could perhaps just lock down a single profile with TweakUI?

    Or have a mandatory profile - peeps may be able to change stuff, but only until they log off.


    If it's public access though, you had better do it properly!
     
  6. VikJ

    VikJ Hardcore MB Enthusiast

    Messages:
    223
    Joined:
    Jan 2, 2003
    Location:
    Peterborough, Cambs.
    Car:
    2014 W246 B180CDi AMG Line Premium
  7. OP
    OP
    Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202
    I know how to use group policy, but the problem is any changes affects all the users including ADMIN.

    I need it to affect all useres EXCEPT admin.
     
  8. GrahamC230K

    GrahamC230K MB Club Veteran

    Messages:
    9,830
    Joined:
    Jul 14, 2002
    Car:
    Audi A3 & S4 quattro
    Your not applying it to the "Everyone" group are you?


    I am hiding! :eek:
     
  9. OP
    OP
    Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202

    er there is no 'everyone' setting
     
  10. Dave Elcome

    Dave Elcome Hardcore MB Enthusiast

    Messages:
    216
    Joined:
    Jun 1, 2002
    Location:
    Maidstone, Kent.
    Car:
    300TE
    Sorry, just stumbled into a foreign land:bannana: :bannana:
     
  11. GrahamC230K

    GrahamC230K MB Club Veteran

    Messages:
    9,830
    Joined:
    Jul 14, 2002
    Car:
    Audi A3 & S4 quattro
    Sorry, NetWare always comes back to get me!

    Users, then or whatever the common group is.
     
  12. OP
    OP
    Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202
  13. Big Ed

    Big Ed Hardcore MB Enthusiast

    Messages:
    283
    Joined:
    Jul 16, 2002
    Location:
    Bucks
    Car:
    BMW X5 4.8is
    Try either denying access to the GPO for Admin users (if they don't have permissions to run it then it shouldn't apply to admins), or if you are currently using the default domain GPO, try alternatively putting all the users that you want the GPO to apply to in a dedicated OU and put the admins in a different OU that is not downstream from the users OU. Create a GPO on the users OU that creates the restrictions you want.

    Good luck!!
     
  14. OP
    OP
    Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202
    Did I mention th emachines were FAT32?
     
  15. Big Ed

    Big Ed Hardcore MB Enthusiast

    Messages:
    283
    Joined:
    Jul 16, 2002
    Location:
    Bucks
    Car:
    BMW X5 4.8is
    I've just re-read your message and noticed you mentioned that this was for a workgroup - sorry, I've a bit of tunnel vision on Active Directory at the moment!!

    to lock this down without using an AD domain just follow the (rather long) approach in MS Technet article Q293655 - this goes through the way to change admin accounts back to full functionality.

    I can't see that using FAT32 would give you any problems from a policy viewpoint, however it would be easier for people to boot from a floppy and break things from a command prompt - any reason why you're not using NTFS?
     
  16. OP
    OP
    Koolvin

    Koolvin Administrator Staff Member

    Messages:
    10,058
    Joined:
    Jun 1, 2002
    Location:
    Staines
    Car:
    W168, W169 & S202
    there isnt any sensitive info on the hard drive, the pre-loader from factory was on fat32 and we couldnt be bothered to make a new image on NTFS.

    we just need standard users to run IE thats all. the admin acount is there for future proof and running virus updates and windows updates.
     
  17. Big Ed

    Big Ed Hardcore MB Enthusiast

    Messages:
    283
    Joined:
    Jul 16, 2002
    Location:
    Bucks
    Car:
    BMW X5 4.8is
    Fair play - I'm just a bit security fixated (designing systems for the MoD does that to you):bannana: :bannana:

    Hope the MS approach to GPEdit works - if you get locked out from all your machines then blame Bill Gates, not me:D
     
  18. Sp!ke

    Sp!ke Administrator Staff Member

    Messages:
    12,234
    Joined:
    Jun 2, 2002
    Location:
    West London
    Car:
    SL500 & The Fart Car
    If you are just worried users are gonna screw things up, you could use Go-Back from Roxio.

    You can set it so that everytime the machine is booted up it will automatically recover the machine back to how it was before the last user used it. It will delete *all* evidence that the user had ever even logged on let alone created or downloaded anything.

    Its mega cheap, lets the users bugger around without being able to screw things up and has worked for us in a similar fashion (laptops at exhibitions) for ages now. Works in XP & W2k and can be picked up for less than a tenner a copy now :rolleyes:
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.