Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Restrict a user/PC 1
- Thread starter ksumner
- Start date
wdoellefeld
Technical User
Add his account to the "guest" group on the local PC and watch him wallow in the sufferage!
More information required. In the main the GPO .ADM files for XP can be added to your AD server, and should suffice. There are also a ton of other restrictions that can be "pushed" through .reg files on logon, or through Group Policy.
. Update to the XP .ADM files on the DC. It is a much richer setting than Win2k:
. Use XP clients to modify GPOs for XP clients on the DC
. Use Group Policy or the logon scripting to push unique registry changes for XP clients:
. Update to the XP .ADM files on the DC. It is a much richer setting than Win2k:
. Use XP clients to modify GPOs for XP clients on the DC
. Use Group Policy or the logon scripting to push unique registry changes for XP clients:
- Thread starter
- #4
-
1
- #6
Restricting access to certain functions is best administered through GPO. The reason I say best is that in an environment where multiple individuals may be using the same physical PC you may wish to have different restrictions based on the user, not the PC.
While I am not going to say the following is the best or only way to achieve your desired results it has always worked for me.
Create your group policies. I like to do this by first creating an OU, something like 'CompanyGpo'. Access the properties of the OU and click on tab Group Policy. From there you may add, edit, or delete policies. When you create a policy most of the policy settings will be configured under 'User Configuration'. From there you will have a multitude of items you can control.
For example, say you wanted to disable 'Add/remove programs'. Navigate to User Configuration/Administrative Templates/Control Panel/Add/Remove Programs and ENABLE 'Disable Add/Remove Programs'.
Be careful with the GPO settings, sometimes Microsoft makes it ENABLE to disable or ENABLE to enable, etc.
Once the GPO(s) has been created you may create OU's for different groups of users, add the GPO(s) to the OU, move the user to the OU and you should be ready to go.
Of course there is a LOT more to group polices and I strongly suggest a very sound understanding and a plan of action before implementation any group policy procedures. Will save you a lot of headaches later.
Also, I like to layer my GPO's rather than using a monolithic approach.
While I am not going to say the following is the best or only way to achieve your desired results it has always worked for me.
Create your group policies. I like to do this by first creating an OU, something like 'CompanyGpo'. Access the properties of the OU and click on tab Group Policy. From there you may add, edit, or delete policies. When you create a policy most of the policy settings will be configured under 'User Configuration'. From there you will have a multitude of items you can control.
For example, say you wanted to disable 'Add/remove programs'. Navigate to User Configuration/Administrative Templates/Control Panel/Add/Remove Programs and ENABLE 'Disable Add/Remove Programs'.
Be careful with the GPO settings, sometimes Microsoft makes it ENABLE to disable or ENABLE to enable, etc.
Once the GPO(s) has been created you may create OU's for different groups of users, add the GPO(s) to the OU, move the user to the OU and you should be ready to go.
Of course there is a LOT more to group polices and I strongly suggest a very sound understanding and a plan of action before implementation any group policy procedures. Will save you a lot of headaches later.
Also, I like to layer my GPO's rather than using a monolithic approach.
wantstolearncfm
IS-IT--Management
Following up on basspro's comments NEVER disable "use interactive logon" like i managed to.... it just wont log on!
why they give you these options i do not know, like disable all services starting up in msconfig! try stopping RPC call noting works!
why they give you these options i do not know, like disable all services starting up in msconfig! try stopping RPC call noting works!
- Status
Similar threads
- Locked
- Question