
Locking down 2000 Pro for Public 1

Status
Not open for further replies.

Dreddnews

Technical User
Nov 17, 2002
83
US
My company does property management, and wishes to have a public PC available for people to use to check email with Iexplorer and to work on Word and Excel documents. We want this machine to be locked down so that users are not able to make changes to the computer, nor save on the computer; they should only be able to save on the floppy. I'm not quite sure how to do this. Any help or a link on how to do this would be great. Thanks,

-Damon
 
I asked a similar question, except that I wanted only one policy change; the answer's pretty much the same, though.

The problem with my answer is that after you set your policies, you have to manually exempt every user whom you do NOT want affected by the policy.

1. Implement the policies you want in gpedit.msc

2. Open up regedit

3. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

The subkeys of Policies contain all of your system policies, so if you delete the keys corresponding to the policies you want to be exempt from, you should be good to go.

Of course, as always when editing the registry, it's advisable to back the bugger up first.
 
Play around with MMC: Start, Run, mmc, add the user and groups snap-in. Have fun. This would be your best option because it's a local policy and does not need a server. The only downfall is that it affects everyone who logs in, but using NTFS permissions you can set it up so that when you log in as administrator, it opens up. Look it up on the web; there are all kinds of goodies about it.
 
I should have read all the posts to get a clearer picture of what you were trying to do.

The Read and Apply check boxes can be found on the Security tab of the GPO. This only applies to Domain GPOs.

After looking back at the posts, you are trying to apply Local Security and you won't have these options.

Sorry for the confusion.

Patty [ponytails2]
 
Thanks for your feedback, but nobody has answered this question yet.

Please help
(Running win 2000 in workgroup with no domain)

OK for anyone who has followed the steps to

"HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting"
at this link


Can someone please explain to me what step 10 means?
What policies did I disable? Does that mean that for all the policies I don't use I have to set each one to disable, then enable them all in step 10?

Also, step 9 says to copy the changed registry, but what if one of the policies I enable is to block access to the hard drives? Does it mean I can't do this?

Thanks for anyone who can help.
 
Also "CitizenBleys", does this mean I can't restrict regedit since I have to access it?

Thanks
 
Has anyone followed the steps on "HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting" and actually got it to work? I've followed the instructions step by step and the policies are still applied to all users including the local admin account. FGaumond mentions using admin.pol and user.pol but that did not work either. I don't think Windows 2k and after use those file names for policies.

I guess now I will be exploring CitizenBleys' advice and editing the registry.

Ryan
 
Well, I'll explain my way very quickly. What I did is run gpedit.msc and apply all the policies for the users. I log on as user and as admin. So now the policies are applied to the user and the admin. I export the file c:\winnt\system32\grouppolicy\user\registry.pol as user.pol on a floppy.

I run gpedit again and set everything that I had set to applied to disable, and export the new registry.pol in the same directory as admin.pol on a floppy.

After that, when I want to configure another computer, I just copy and rename user.pol in the directory c:\winnt\ ... \user as registry.pol and log on as user. The user's policies are now applied. Log back on as admin, copy the admin.pol into that directory, run gpedit and edit at least one policy to make them apply, and copy back the user.pol as c:\winnt\system32\grouppolicy\user\registry.pol

If you log on as user, the policies are applied, and if you log on as admin, the policies defined in admin.pol are applied.

If someone doesn't understand, feel free to ask me.
 
FGaumond

I have a question about the link to

"HOW TO: Apply Local Policies to all Users Except Administrators on Windows 2000 in a Workgroup Setting"

Does step 10 mean to disable all the policies that I had enabled? Because on the website it says to enable everything that was disabled. So I was confused. Also, what if I enable the policies that will not let the user access the hard drive and command prompt; does this mean I can't do this?


Thanks
 
Well, it's the same thing but said in the opposite way. If in gpedit you enable that policy, then you need to disable it if you want that policy not to apply to the admin. By doing this you are disabling the policies...

And if you enable restrict drive access, you'll have a problem accessing your files, but I check if you can bypass it by using the exact path in the command prompt. But if you disable it too, I don't know how you can do this procedure. What you can do is only hide the drive c:\ for example and remove every link to Windows Explorer. If you only hide the drive you can restrict the command prompt because you can still access the drives by using the full path in the address bar.

To launch gpedit you just have to open mmc.exe and add the group policy snap-in.

Hope this helps you
 
rakone

Another way you can access c: or any other logical drive when you hide it through local policies is by mapping a drive letter to it. Right click My Computer and select "Map Network Drive..." Select a drive letter and type in the network path in the folder box. Example: \\COMPUTERNAME\C$

Another way around using the command line after you disable it is by setting it to allow command prompt script processing. You can make simple batch files to run most utils and programs. Add a "pause" at the end of the script to keep the cmd prompt window on the screen. Setting it up like this depends on how secure you want to make the computer.

After trying different methods (thanks guys for all the good info) I found that editing the registry after using gpedit worked best for me. Follow CitizenBleys' instructions in the post above.
*If you are going to set gpedit to restrict registry editing tools then make sure you open regedit or regedt32 before you restrict it in the local policies.

**If you apply any changes in gpedit after deleting keys in the registry it will reread the registry.pol file and import all the settings into the registry again.

Hope this helps. =]

Ryan
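
Several posts above swap copies of registry.pol (user.pol, admin.pol) and note that only "disable", not "not defined", undoes a setting for the administrator. The following is an added example, not part of the original thread: a Python parser for the registry.pol (PReg) record layout that lists the settings in one policy file which a second file does not counter. The sample key and value names are constructed for illustration, and treating a zero value or a `**del.` entry as "countered" is an assumption about how a disabled policy is recorded.

```python
import struct

HEADER = b"PReg" + struct.pack("<I", 1)   # signature + format version 1
U = lambda s: s.encode("utf-16-le")       # names and separators are UTF-16LE

def build_pol(entries):
    """Build a constructed registry.pol blob from (key, value, dword) tuples."""
    rec = lambda k, v, d: (U("[" + k + "\0;" + v + "\0;") + struct.pack("<I", 4) + U(";")
                           + struct.pack("<I", 4) + U(";") + struct.pack("<I", d) + U("]"))
    return HEADER + b"".join(rec(*e) for e in entries)

def parse_pol(buf):
    """Return {(key, value): data} for each [key;value;type;size;data] record."""
    if buf[:8] != HEADER:
        raise ValueError("not a PReg version 1 file")
    pos, out = 8, {}
    def take(n, sep):
        """Consume separator sep, then n bytes (n=None: NUL-terminated string)."""
        nonlocal pos
        if buf[pos:pos + 2] != U(sep):
            raise ValueError(f"expected {sep!r} at offset {pos}")
        start = end = pos + 2
        while n is None and buf[end:end + 2] not in (b"\0\0", b""):
            end += 2
        pos = end + 2 if n is None else start + n
        return buf[start:end].decode("utf-16-le") if n is None else buf[start:pos]
    while pos < len(buf):
        key, value = take(None, "["), take(None, ";")
        rtype, size = (struct.unpack("<I", take(4, ";"))[0] for _ in range(2))
        data = take(size, ";")
        take(0, "]")
        out[(key, value)] = struct.unpack("<I", data)[0] if (rtype, size) == (4, 4) else data
    return out

def not_countered(user_pol, admin_pol):
    """Values user.pol turns on that admin.pol neither zeroes nor deletes."""
    user, admin = parse_pol(user_pol), parse_pol(admin_pol)
    return sorted(v for (k, v), d in user.items()
                  if d not in (0, b"") and admin.get((k, v), d) != 0
                  and (k, "**del." + v) not in admin)   # "**del." marks a value to delete

# Constructed samples; key and value names are assumptions chosen for illustration.
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"
USER_POL = build_pol([(POL + r"\Explorer", "NoDrives", 4),
                      (POL + r"\System", "DisableRegistryTools", 1),
                      (r"Software\Policies\Microsoft\Windows\System", "DisableCMD", 2)])
ADMIN_POL = build_pol([(POL + r"\Explorer", "NoDrives", 0),      # explicitly zeroed
                       (POL + r"\System", "**del.DisableRegistryTools", 0)])

print(not_countered(USER_POL, ADMIN_POL))
```

A setting reported here is one the second file leaves at "not defined", so loading that file would not remove the restriction already written to the registry.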
 
I used the Microsoft instructions, and they usually worked for me. If I set something to "enable" (i.e. restrict that thing), then after applying manually to each user, I had to come back as admin and set to "disable." If I set to "not defined" then I found the policy would be set back for the other users.

I am baffled at why it behaves inconsistently for me. And, as I mentioned in my original post, yes, one of the drawbacks is you have to take on, temporarily, any policy you wish to set. This means you cannot set a policy that is so restrictive it would keep you from completing the process. See tips some have posted here about tricks to being able to complete the process (shortcuts and the like).

And note that the gpedit solution posted above is the same thing as the approach on the Microsoft page.
 
Temporaryhandle

Thanks for defining the difference between "enable", "disable", and "not defined". I didn't realize that it behaved like that and have been changing the settings back to "not defined" every time. Now that I've been using only enable/disable it has been working just fine. Thanks for the tip.
 
Thanks to everyone for your help. I'm going to check out Winguide Tweak manager. The new version lets you set policies per user; it seems really easy. Has anybody used it yet? If so, are there any drawbacks to it?

Thanks again to everyone; the information was much appreciated.
 