How to configure desktops for users? 1

[whythis]

I want to be able to configure a User account(s) with desktops set so the users cannot access the Administrative Tools, especially the Computer Management Console (can't see Users and Groups). I know this can be done, as I have worked at a company who had many PCs on the LAN and configured them to keep them out of these places and other programs (like Windows Explorer; another place I'd like to keep them out of). I hope someone out there can tell me how to do this explicitly. Please, no answers "alluding" to displaying that you have "knowlege" which don't explain HOW to do it. I doubt seriously those people actually have "knowledge" and if they do, alluding to it without explaining the process is useless. Don't waste my time or yours. If any of you can tell me HOW to do this, I would be forever grateful. Thanks. whythisagainwhythisagainwhythisagain

 

[Davetoo]

Well, the process is simple. You use Group Policys for an OU, put the users that you want that GPO to apply to in the OU, and you're all done.

You access the GPO's using Active Directory Users and Computers, right click on the OU and select Properties, then navigate to the Group Policy tab. Create the policy based upon information from

http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp.

Fully explains what each option does for your policy.

Now, I hope that you will read what I've written, take the steps necessary to learn how to do this, and apply that knowledge in your organization. Don't allude to doing this for your company, as that might be taken as an inability to having the actual ability to perform your job function. Instead, you need to fully demonstrate that you grasp the ability to learn and apply that knowledge.

(tongue firmly planted in cheek).

Dave

 

[whythis]

Thanks for the really good answer. Only one problem. I am on a Workgroup, not a domain. I guess I should have mentioned that. Thanks anyway, and I will copy this down and try it if I can ever get dcpromo to actually set up a domain. I tried once or twice in the past and failed. Any suggestions on this topic? Also, as this is a home network behind a router, is a domain a good idea? I was told that switching to a domain would get the attention of your ISP real fast. Have a good one, and thanks!
By the way, I never allude to knowing how to apply anything I will not describe/share with someone else. I used to work help desk for HP, and we always made certain any answers we gave clients were understood and applicable. I don't pretend to know everything (actually, not too well versed in several areas, which is why I ask for help), but I am pretty good at some of it, and if I answer anyone, they will get directions from me on the process. They NEED that. If I were to tell them to "use the book", there would be no reason to reply, except maybe to act like a jerk that's some kind of demigod (so I know something they don't - they probably know things I don't, too), put them down and tout myself. Not interested in that stuff. Only jerks act like that. Have a good day. whythisagainwhythisagainwhythisagain

 

[Davetoo]

Hmm...have to admit, I work in an enterprise setup (domain/child domains), but I believe you could still achieve similar results using local policy restrictions. I'd have to do some looking into it in the morning at work. Someone might be able to answer it before then however.

Keep in mind, sometimes the best answer is to "look in the book". If it's fully explained somewhere else, why retype it all here? Myself...I just love hyperlinks!

Dave

 

[whythis]

I like the links, too. I have LOTS of books (many written by good ole' Micros_ _t), and they present you with a lot of trivia and solutions that often don't work. I ran into one poor soul on this forum who was obviously a victim of the same Micros_ _ t instructions on setting up a new website in IIS that I had been a few months back. They're like "other people's recipes". They change them, leave something out, etc. Have a good one.
whythisagainwhythisagainwhythisagainwhythisagainwhythisagain whythisagainwhythisagainwhythisagain

 

[SelbyGlenn]

Ok this is how you do it without a domain.

I needed to crack this problem for my laptop users who are not connected to the domain when roaming and logged in locally. The problem was how to lock down the laptop for the users but not the administrator accounts.

First of all create a temporary administrator account.

Log in with this account

Open an mmc and add the group policy snap-in - Local

Apply the changes that you wish to lock down the pc. You will notice some of these changes take effect immediately to the user you are currently logged in as. Once you are satisfied you then need to edit the NTFS permissions on the following directories:

C:\winnt\system32\GroupPolicy\Adm
C:\winnt\system32\GroupPolicy\Machine
C:\winnt\system32\GroupPolicy\User

Set the permissions on these folders for administrators to DENY ACCESS FULL CONTROL.

Log off and log back on with your normal administrator account. You will now have full access as the administrator.

You require the temporary admin account to set up the group policies because as they take effect I've found you can't get full access back even after applying NTFS deny access to the Group Policy.


Hope this help, Glenn
BEng A+ MCSE CCA

 

[whythis]

Glenn: That is one of the best answers to a problem I've ever gotten. Kudos! Will work on it this weekend. whythisagainwhythisagainwhythisagain