Locking down XP Pro workstation

Ajb2528

I want to prevent a user (that has admin rights) from changing settings on their XP workstation. They need admin rights for legacy applications. I want to prevent them from editing certain registry keys, stop them from uninstalling programs and prevent them from stopping certain services.

Has anyone got any ideas on how to accomplish this reasonably easily??

PS I have obtained a copy of Regperm which looks like it will prevent the user from accessing the registry keys but I don't think that it will help me with the other areas.

Regards,

Alan
 
Not sure but you might try putting the user in a more restrictive group and change the security on the individual legacy apps.

Steve
 
Power Users can run legacy apps. You may be able to use policies applied to the user to impose further restrictions.

Steve
 
You can't stop administrators from making changes; you'll need to change their status to power users or to something else!
 
I have had the same issues in my shop. Windows XP doesn't have a Power User group as NT did. Power user group kept people from being able to install anything they wanted.

Due to several legacy systems or programs I have on the network, I have to give people admin rights. I run Novell in my office. How I shut people out of doing things is with the user policy. The true admin policy in my container is for me only and this gives me full control to the PC. All others I make a policy that I may call Power User XP group. The users associated to that group get admin rights from this policy, but in that policy I drill down what I don't want them to do. The Power user group policy I have prevents users from having the ability to run regedit. I also locked down in the policy so people can't go in and change their resolution on their computer (so many people mess with that and screw up the settings and they can't see anything after a reboot). When you go into control panel, they don't see the tab that includes resolution. There are other things policies will prevent users from doing. The choices are endless.

Still my big thing is this doesn't keep people from installing software on their machines. You can only drill down so tightly with policies. If too tight, the legacy programs you want them to use won't work.

My company has a written policy about installing software on corporate equipment. My rule of thumb with the people I support is if you install non-corporate software on your computer that messes it up, that PC will be reimaged so it is back to the corporate standards. If I can't save everything they had on the machine prior to me reimaging the workstation, this is a problem they made themselves because the policy has been addressed with them prior to installing the software.



 
XP has a power users group. It is slightly more restrictive than the Win2k version. You can download a policy file that matches the Win2k settings if you would like, the newest versions are here:
But the standard policy settings for Power User are available without a download. Start, Run, lusrmgr.msc

Highlight a user and double click. Click on the 'Member Of' tab, Add, Advanced, Find now. Select Power Users.
 
You could also use MMC to totally lock down the machine. Be careful though since you could end up restricting the administrator account as well...

Did I mention to be careful when using MMC?

Hope this helps.
 