I work at a company where we've got two laptop users who are always out in the field. These individuals leave the office for months at a time and have a tendency to make changes to their laptops without knowing how to correct any mistakes that might arise.
We're currently in the process of building new laptops for them and we've decided to use GPOs to lock the machines down.
Because these individuals are required to install software on their machines while they're in the field, we've added them to the local administrators group. The only things that we'd like to see locked down are their access to the network settings and ability to view certain web sites.
I've created a totally separate OU for the two individuals and I've applied a GPO to it with read and apply permissions only for them. I've restricted the network settings and browser settings and set the GPO to run on the account and not the computer itself.
I'm finding that the browser settings are being applied and that the Network Neighborhood icon has been removed from the desktop, but they're still able to view the network properties by right-clicking on the network status icon in the system tray (which they'll need to have for troubleshooting purposes). If I remove one of them from the local admin group on the machine, I'm finding that they're restricted as intended and that the nature of their membership in the local admin group is what's causing the GPO to not be applied. Does anyone have any idea how I can rectify this?