Active Directory, Users, Policies, HELP!!!!

[Flash101]

Hello Everybody!
Sorry I have to post on this forum so much in the past few days but as a lot of you know I'm testing out a new server system for my work. Here's a few questions about active directory. 1: How do I make it so specific user groups can't see or dig through their C:/ drive, like hiding it? Some people have accidentally messed up the system, so we figure it would be easier to just restrict them access from the C:/ drive period. And, also, how is it possible so that you hide the run, control panel, network connections... stuff from the start menu? Where I used to work a while ago, they did this with a Win2k server, so it must be possible with Win2k3. Thanks in advance for your help.

"Apache Server is Apache server on Linux. Apache server is 'A Patchy' Server on Windows."

Flash101

http://www.flash101.net

- Flash Resource Site

 

[Wishdiak]

Flash101,

What you'll want to do is to create an OU (Organizational Unit) in Active Directory Users and Computers on the domain controller and put the user accounts (or groups) in it, and then create a Group Policy for that OU that restricts the actions above.

As long as the users are logged into the domain (and their accounts are in the correct OU), the Group Policy will be in effect.

Wishdiak

http://www.wishdiak.com

 

[Flash101]

Okay, im a newbie here!

Do I delegate control over newly created OU? I tried that, I didn't see any section to edit the computer/system access rights. Please explain to me a little more. Thank you.

"Apache Server is Apache server on Linux. Apache server is 'A Patchy' Server on Windows."

Flash101

http://www.flash101.net

- Flash Resource Site

 

[Wishdiak]

Flash101,

Open Active Directory Users and Computers on the Domain Controller. Create an OU in the domain structure by right-clicking, clicking New and then Organizational Unit (OU). Give the new OU a descriptive name.

Right-click the OU name, and click Properties. If you're creating an new GPO to apply to the OU, click New. Type a descriptive name for the GPO, and click Edit.

The Group Policy Editor will open in a separate window. Here, you'll have the opportunity to change any settings that you want to apply to objects in the OU. GPO changes are applied on the fly, so you only need to save the GPO if you want to use the same GPO to apply to other OU's. Close the Group Policy Editor when you're done.

Populate the OU with user or computer objects (or both) by moving user or computer accounts into the OU.

Changes to the GPO will automatically be applied to the members of the OU after 90 minutes. If you need to test out the changes to the GPO, and don't want to wait, run gpupdate on a computer that is a member of the OU.

Wishdiak

http://www.wishdiak.com

 

[Flash101]

Thanks so much WishDiak! The Windows Server System is really amazing when you get into it. I was able to block everything I needed (C:/, control panel...), and it is super fast! I thought up a good idea when I was putting accounts in. In the policy, everytime you logon it automatically runs "gpupdate" to keep the computer always current. Thanks for your help!

"Apache Server is Apache server on Linux. Apache server is 'A Patchy' Server on Windows."

Flash101

http://www.flash101.net

- Flash Resource Site

 

[Wishdiak]

Flash101,

I'm glad to hear it worked.

FYI: client machines will automatically run gpupdate every 90 minutes to see if there is a change in the GPO, every 16 hours whether there was or not just to refresh the local GPO, and every time the clients machines are logged on.

Domain administrator logins are generally exempt from GPO's applied at the OU level.

Wishdiak

http://www.wishdiak.com