OT: Win2k group policy

Koolvin

Administrator
Staff member
Joined
Jun 1, 2002
Messages
9,729
Location
Staines
Car
W168, W169 & S202
I am setting some machines up at work and I need to lock them down because they are going to be public access terminals (surfing the net).

The machines are Win2K Pro and they are part of a workgroup not a domain.

I messed around with the group policy editor but it affects all users including Admin user and I locked myself out already!

anyone come up with any solutions? The only snag is it has to be done with Win2k or free software as my work are stinge *****
 

Sp!ke

Administrator
Joined
Jun 2, 2002
Messages
11,968
Location
West London
Car
SL500 & The Fart Car
What are you trying to restrict?
 

Sp!ke

Administrator
Joined
Jun 2, 2002
Messages
11,968
Location
West London
Car
SL500 & The Fart Car
Create a new group of users (not the same one as Administrator account) and then use the Policy Editor on that group.
 

GrahamC230K

MB Enthusiast
Joined
Jul 14, 2002
Messages
9,755
Car
Audi A3 & S4 quattro
Like I said earlier (those not on MSN Messenger only have yourselves to blame!!!) I am not really up on GPO's as I have always dodged them so far!


If you want a quick and easy solution, you could perhaps just lock down a single profile with TweakUI?

Or have a mandatory profile - peeps may be able to change stuff, but only until they log off.


If it's public access though, you had better do it properly!
 
OP
OP
Koolvin

Koolvin

Administrator
Staff member
Joined
Jun 1, 2002
Messages
9,729
Location
Staines
Car
W168, W169 & S202
I know how to use group policy, but the problem is any changes affects all the users including ADMIN.

I need it to affect all useres EXCEPT admin.
 

GrahamC230K

MB Enthusiast
Joined
Jul 14, 2002
Messages
9,755
Car
Audi A3 & S4 quattro
Your not applying it to the "Everyone" group are you?


I am hiding! :eek:
 
OP
OP
Koolvin

Koolvin

Administrator
Staff member
Joined
Jun 1, 2002
Messages
9,729
Location
Staines
Car
W168, W169 & S202
Originally posted by GrahamC230K
Your not applying it to the "Everyone" group are you?


I am hiding! :eek:

er there is no 'everyone' setting
 

GrahamC230K

MB Enthusiast
Joined
Jul 14, 2002
Messages
9,755
Car
Audi A3 & S4 quattro
Originally posted by Koolvin
er there is no 'everyone' setting
Sorry, NetWare always comes back to get me!

Users, then or whatever the common group is.
 

Big Ed

Active Member
Joined
Jul 16, 2002
Messages
283
Location
Bucks
Car
BMW X5 4.8is
Try either denying access to the GPO for Admin users (if they don't have permissions to run it then it shouldn't apply to admins), or if you are currently using the default domain GPO, try alternatively putting all the users that you want the GPO to apply to in a dedicated OU and put the admins in a different OU that is not downstream from the users OU. Create a GPO on the users OU that creates the restrictions you want.

Good luck!!
 

Big Ed

Active Member
Joined
Jul 16, 2002
Messages
283
Location
Bucks
Car
BMW X5 4.8is
I've just re-read your message and noticed you mentioned that this was for a workgroup - sorry, I've a bit of tunnel vision on Active Directory at the moment!!

to lock this down without using an AD domain just follow the (rather long) approach in MS Technet article Q293655 - this goes through the way to change admin accounts back to full functionality.

I can't see that using FAT32 would give you any problems from a policy viewpoint, however it would be easier for people to boot from a floppy and break things from a command prompt - any reason why you're not using NTFS?
 
OP
OP
Koolvin

Koolvin

Administrator
Staff member
Joined
Jun 1, 2002
Messages
9,729
Location
Staines
Car
W168, W169 & S202
there isnt any sensitive info on the hard drive, the pre-loader from factory was on fat32 and we couldnt be bothered to make a new image on NTFS.

we just need standard users to run IE thats all. the admin acount is there for future proof and running virus updates and windows updates.
 

Big Ed

Active Member
Joined
Jul 16, 2002
Messages
283
Location
Bucks
Car
BMW X5 4.8is
Fair play - I'm just a bit security fixated (designing systems for the MoD does that to you):bannana: :bannana:

Hope the MS approach to GPEdit works - if you get locked out from all your machines then blame Bill Gates, not me:D
 

Sp!ke

Administrator
Joined
Jun 2, 2002
Messages
11,968
Location
West London
Car
SL500 & The Fart Car
If you are just worried users are gonna screw things up, you could use Go-Back from Roxio.

You can set it so that everytime the machine is booted up it will automatically recover the machine back to how it was before the last user used it. It will delete *all* evidence that the user had ever even logged on let alone created or downloaded anything.

Its mega cheap, lets the users bugger around without being able to screw things up and has worked for us in a similar fashion (laptops at exhibitions) for ages now. Works in XP & W2k and can be picked up for less than a tenner a copy now :rolleyes:
 

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

Top Bottom