Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Group Policy - Complete Restriction needed

Status
Not open for further replies.
NetCipient

NetCipient

Technical User
Jan 18, 2003
15
US
I want to seclude a group of remote Citrix users from accessing any part of the network other than what I will allow - Outlook, Word, Excel and two mapped folders. These users are merely remote independent contractors and not employees.

I'm accomplishing this by putting them into their own Organization Unit in Active Directory and setting their Group Policy.

I've been able to really lock down the desktop so that nothing shows up in Programs, no run, no help, and the desired icons are properly showing. So far so good since the rest of the firm is in their own OU and not affected.

However, I notice that while in Word, Excel, etc. that I can still cruise the system folders but cannot do so in My Computer or Windows Explorer (says permission denied). Does this sound right? Did I miss a setting somewhere?. It makes me uneasy that there is a "back door" into the system files via File Save/Open File in Word, Excel, etc.

If I can get over this last hurdle, then I can let those users start working.

Thanks! Bill
NetCipient.com
 
Sort by date Sort by votes
Hi: I have a question for you! How does one "lock down the desktop so that nothing shows up in Programs, no run, no help, and the desired icons are properly showing" if they are on a Workgroup and not a Domain? I am hesitant to switch to a Domain, as I have a home network behind a router and don't want the attention of my ISP, which I have heard will attract them. (Also I have tried dcpromo and couldn't get it to work, no matter what name I used. That was months back, and I can't remember exactly what occurred.) I would like to do what you describe above on my web server, so that if it is hacked, they are not as likely to "do things", although they might from the command prompt. I'd like to disable that as well. If I reboot I can always log in through another account. I create several admins and users. Thanks for your help, if you can help. Good luck with your search.
I don't know as much as you, but it appears your Word, etc., programs are accessing Win Explorer functions. Maybe the permissions need to "mesh" somehow, but I am still pretty new to this stuff. Somehow you need to set parameters for saving only to a specific location? I would be interested in the answer to your problem as well. I'd help if I could. I'd like to be able to set up user accounts that can't access administrative tools (they can view the Users and get all the logon names). whythisagainwhythisagainwhythisagain
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

nukeinfer
  • Locked
  • Question
Internet restrictions for isolated PCs in the Network
Replies
1
Views
205
mangentle
mangentle
rrmcguire
  • Locked
  • Question
group policy to set dns
Replies
2
Views
149
rrmcguire
rrmcguire
phil3000
  • Locked
  • Question
Screensaver Via Group Policy
Replies
1
Views
110
markdmac
markdmac
cabraun
  • Locked
  • Question
Group Policy Question (Set System Variable)
Replies
2
Views
85
markdmac
markdmac
usrinu
  • Locked
  • Question
applied wallpaper group policy
Replies
1
Views
78
SamBones
SamBones

Part and Inventory Search

Sponsor

Back
Top