Locking down SOME computers in domain

[rogerpatel]

HI all,

We have a simple Single Server which is a windows 2003 DC and around 10 Pc's that log onto the server and use it for Data File access only.

I need to find out how i can lock down 6 users/computers from accessing certain things, for example all the pc's can who logon to the domain can access My Network Places, Internet, map drives, etc etc.

The is policy must only apply for 6 computers/usernames.

Can anyone please point me in the right direction ?

Thanks

Roger

 

[zeveck]

What sorts of things do you want to deny them access to? Files? Or something more complicated than that.

Couldn't you just create a "Restricted" group and put those 6 users in it?

Even better would be to lock down the files in question for the "Everyone" group and then make a "Privileged" group that had access to them.

(question is whether to fail secure or open when, say, a new user is added and accidently not put in the appropriate group)

 

[rogerpatel]

Hi Zeveck,

I would like the users NOT to be able to do the following things :

Not be able to browse "my network places"
Remove the Run Prompt
Remove My Computer

Someone has told me its very simple, something to do with creating a seperate GPO or something.

The server is already locked down with regards to file access, i'm more talking about the clients pc's used to log onto the domain.

Cheers

 

[zeveck]

What is Symantec Control Center? Is that the actual product name? I cannot find it on Symantec's site.

 

[rogerpatel]

Zeveck,

Ha, this is funny.

Why are you asking me what Symantec Control center is, i never asked you about it

I think their's something wrong here ?

If it helps i think you are talking about "Symantec System Centre Console"

Cheers

 

[zeveck]

Yeah...I responded in wrong thread....oops...sorry. ^_^

 

[rogerpatel]

no worries mate

looking forward to hearing from you

 

[zeveck]

Good article with the discussion threads stemming from it at least somewhat discussing your question:

http://techrepublic.com.com/5100-1035_11-1059493.html

 

[rogerpatel]

Good read mate,

its exactly what i need to do however i only want to lock down 6 computers or maybe even a Group or so.

 

[zeveck]

A Group Policy enforced through Active Directory can apply to a site, domain, or OU. So, you can create a new OU named "Restricted" and then add the users/computers to that OU. You could probably also move the existing users into it, but that depends on what else you're relying on the OU structure to do.

Some GPO settings affect the entire computer while others are user-specific.

In general, GPO are applied in the following order:

1. Local Group Policy
2. Site Group Policy
3. Domain Group Policy
4. OU Group Policy

You edit the GPO through MMC, such as:

1. Start MMC.
2. Select File -> Add/Remove Snapin...
3. click "Add"
4. Select "Group Policy Object Editor"
5. Click "Add"
6. Click "Browse"
7. Select the OU and click OK
8. Right-click in the window and select "New"
9. Click OK, Finish, Close, OK
10. Edit the GPO

These settings should just apply to the selected OU.

 

[rogerpatel]

Zececk,

worked a treat.

Here's what i done:

Create a new OU called "Locked Down Users"
Right cliked it then GPO and NEW.
Edited it with my prefrences (hide network places)
moved a few users to it
run gpupdate /force
rebooted server

From Pc
logged in as once of the users i moved into the and the desktop icon was gone, loged out and back in as the Admin and all fine.

Thanks for your quick and great response.

All the best

Roger