
Limiting Functionality/Accessibility on W2k Pro Workstation

Status
Not open for further replies.

ShawnF

IS-IT--Management
Oct 1, 2001
149
US
Hello,

I will be installing a W2k professional machine on a W2k server environment (one exchange 2000 server, one SQL 2000 server). This computer will be a "public" PC in that it will not belong to any one person, rather a group of people--our manufacturing production floor staff. This PC will only be used for entering packaging data into our SQL database. This PC will NOT and should not have internet access. It should not have email, and it will not have any other software installed for any other purpose. And basically, this computer will run 24/7 at the same screen with different people coming and going entering in data. The only time someone will need to log on is if the computer needs a reboot (or I need to do some work on it). I will be removing the modem, CDROM, and floppy drive so there is no monkey business going on with the PC.

What I want to do next is remove unneeded icons from the desktop, remove items from the start menu, etc.... The production staff has absolutely no need to even create or save any kind of file, access a removable drive media, or anything else. There aren't any people in particular that I need to worry about hacking the computer (and I understand that anyone with enough skill can do it despite my best efforts), but I don't want any chance of people fidgeting with things or horsing around on it (particularly because I don't want a call at 3am saying the production computer is down). I also don't want these people logging on to other machines with the general production log on they will get and access unneeded resources that way, although if I recall correctly our W2k server has an option in Active Directory to only allow logon to a specific computer.

How do I go about removing desktop features, start menu items, etc.? Not sure if I said too much or too little, but hopefully someone can help me out. I know these things are possible, just not sure how to go about doing it. Sorry for the newbie question, but I'm just starting out....
 
You could create a very restrictive group policy. In Active Directory Users and Computers, right-click the Organizational Unit that houses the user you create for this task and select properties. Go to the Group Policy tab and you can create/modify group policies there, and set up permissions so it only applies to that user. Or, you can create a new OU and put the new user in it so you don't have to play with permissions on the Group Policy as much. If you create a new GPO (Group Policy Object) and edit it, under User Configuration and Administrative templates you will probably find most of what you're looking for.
Marc Creviere
 
Thanks for the response! It took me a little bit to figure out this stuff (uhhhh, like what was an organizational unit...). One question--Is it just me or is all this enabling of the disabling things kind of illogical? I have to "enable" something in order to disable whatever feature it says it will disable? Rather confusing.

One more question--In the group Policy, under Start Menu and Task Bar is the option to "Disable and remove the shutdown command." This is probably a feature I will want, since this W2k professional PC will be running 24/7 and will never require a reboot or multiple users to log on. Only one user will ever log on, and it will be a general logon that stays on all the time. If shutdown is disabled, how does one shut down the machine?
 
I don't think it's too illogical. Think of it as on/off/default. You have to turn on the blocking of a function for that block to work.

Not sure on the Disable shutdown option, never used that particular function. If you have the Resource Kit, there's a shutdown.exe tool that I'm sure would work, otherwise try hitting CTRL+ALT+DEL and hitting the shutdown there. Maybe test it on another machine in its own OU first so you're not disrupting this other machine.
Marc Creviere
 
I enabled the disable shutdown function on startmenu option on this PC (it has not been put into use yet), and it definitely removes any way of shutting down the machine via the start menu. I also enabled the disable the shutdown option from control, alt, del. I think I'm going to leave the option of shutdown on the startmenu but keep it disabled on control, alt, del. I don't want users rebooting the machine all the time (perhaps trying to log in as someone else). On the plus side, I did figure out how to remove all the icons from the desktop for this user, remove most all the functionality I needed to including the Control Panel, display properties, etc. Basically all they will be able to do is click on a start menu with only one option listed, the program they need to use. No run command, no search feature, no windows update, etc. I also enabled auditing of several functions, so even if they try any funny business, it will be logged. The only thing I didn't like was I also had to remove some things from Documents and Settings that the server's configuration for this user didn't take care of. It wasn't too hard to do once I figured out where this stuff was hiding that I needed to remove. I also removed the CDROM and floppy drive and disabled USB ports and locked the BIOS. I'm sure they can still bypass all the limitations I've imposed, but they'll have a hard time doing so. They won't even be able to log into any other PC since I've only allowed their profile to log on to this machine, and no one else can log on to this machine but them (so they can't try figuring out other employee logon info and gain access to things they shouldn't have).

Thanks for your help! This got me where I wanted!
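
Added example, not part of the thread: a PowerShell check, run as the restricted production account, that the user-side lockdown described above actually reached the machine. It assumes a current Windows release with PowerShell (not available on Windows 2000) and that the listed registry value names are the ones the corresponding User Configuration > Administrative Templates settings write; the choice of settings is an assumption drawn from the last post.

```powershell
# Added example: audit the logged-on user's policy registry values.
# The expected set is an assumption taken from the settings named in the thread.
$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

$Expected = @(
    @{ Key = 'Explorer'; Name = 'NoRun';           Setting = 'Run command removed' }
    @{ Key = 'Explorer'; Name = 'NoFind';          Setting = 'Search removed' }
    @{ Key = 'Explorer'; Name = 'NoWindowsUpdate'; Setting = 'Windows Update links removed' }
    @{ Key = 'Explorer'; Name = 'NoDesktop';       Setting = 'Desktop icons hidden' }
    @{ Key = 'Explorer'; Name = 'NoControlPanel';  Setting = 'Control Panel blocked' }
    @{ Key = 'System';   Name = 'NoDispCPL';       Setting = 'Display properties blocked' }
)

function Test-KioskPolicy {
    param(
        [string]$Root = $PolicyRoot,
        [object[]]$Checks = $Expected
    )
    foreach ($c in $Checks) {
        $path   = Join-Path $Root $c.Key
        $actual = $null
        # A missing key or value means the GPO never applied to this user.
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($props -and ($props.PSObject.Properties.Name -contains $c.Name)) {
                $actual = $props.($c.Name)
            }
        }
        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = "$($c.Key)\$($c.Name)"
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = ($actual -eq 1)   # 1 = restriction enabled
        }
    }
}

$results = Test-KioskPolicy
$results | Format-Table -AutoSize

# Surface drift so a scheduled run can alert before someone notices on the floor.
$missing = @($results | Where-Object { -not $_.Compliant })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} restriction(s) not in effect for {1}" -f $missing.Count, $env:USERNAME)
}
```

The workstation logon restriction and the BIOS, USB and drive changes mentioned in the thread live outside these registry keys and need their own checks.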
 