OT: Win2k group policy

Page may contain affiliate links. Please see terms for details.

Koolvin

Administrator
Staff member
Joined
Jun 1, 2002
Messages
10,475
Location
Staines
Car
W168, W169 & S202
I am setting some machines up at work and I need to lock them down because they are going to be public access terminals (surfing the net).

The machines are Win2K Pro and they are part of a workgroup not a domain.

I messed around with the group policy editor but it affects all users including Admin user and I locked myself out already!

anyone come up with any solutions? The only snag is it has to be done with Win2k or free software as my work are stinge *****
 
Create a new group of users (not the same one as Administrator account) and then use the Policy Editor on that group.
 
Like I said earlier (those not on MSN Messenger only have yourselves to blame!!!) I am not really up on GPO's as I have always dodged them so far!


If you want a quick and easy solution, you could perhaps just lock down a single profile with TweakUI?

Or have a mandatory profile - peeps may be able to change stuff, but only until they log off.


If it's public access though, you had better do it properly!
 
I know how to use group policy, but the problem is any changes affects all the users including ADMIN.

I need it to affect all useres EXCEPT admin.
 
Your not applying it to the "Everyone" group are you?


I am hiding! :eek:
 
Originally posted by GrahamC230K
Your not applying it to the "Everyone" group are you?


I am hiding! :eek:


er there is no 'everyone' setting
 
Originally posted by Koolvin
er there is no 'everyone' setting

Sorry, NetWare always comes back to get me!

Users, then or whatever the common group is.
 
Try either denying access to the GPO for Admin users (if they don't have permissions to run it then it shouldn't apply to admins), or if you are currently using the default domain GPO, try alternatively putting all the users that you want the GPO to apply to in a dedicated OU and put the admins in a different OU that is not downstream from the users OU. Create a GPO on the users OU that creates the restrictions you want.

Good luck!!
 
Did I mention th emachines were FAT32?
 
I've just re-read your message and noticed you mentioned that this was for a workgroup - sorry, I've a bit of tunnel vision on Active Directory at the moment!!

to lock this down without using an AD domain just follow the (rather long) approach in MS Technet article Q293655 - this goes through the way to change admin accounts back to full functionality.

I can't see that using FAT32 would give you any problems from a policy viewpoint, however it would be easier for people to boot from a floppy and break things from a command prompt - any reason why you're not using NTFS?
 
there isnt any sensitive info on the hard drive, the pre-loader from factory was on fat32 and we couldnt be bothered to make a new image on NTFS.

we just need standard users to run IE thats all. the admin acount is there for future proof and running virus updates and windows updates.
 
Fair play - I'm just a bit security fixated (designing systems for the MoD does that to you):bannana: :bannana:

Hope the MS approach to GPEdit works - if you get locked out from all your machines then blame Bill Gates, not me:D
 
If you are just worried users are gonna screw things up, you could use Go-Back from Roxio.

You can set it so that everytime the machine is booted up it will automatically recover the machine back to how it was before the last user used it. It will delete *all* evidence that the user had ever even logged on let alone created or downloaded anything.

Its mega cheap, lets the users bugger around without being able to screw things up and has worked for us in a similar fashion (laptops at exhibitions) for ages now. Works in XP & W2k and can be picked up for less than a tenner a copy now :rolleyes:
 

Users who are viewing this thread

Back
Top Bottom