
Setting up Windows 2003 Group Policy to control user desktops

hawes29 (Technical User)
Mar 15, 2006
I am new to Windows 2003 Server and was wondering if anybody could help me to set up Group Policy. Do I have to set this up from the server or the workstation? I would like to secure my desktop so that nothing can be added, or if it is, it will be deleted on a reboot. Any help would be greatly appreciated.

Thanks in advance
Hawes29
 
You can set up, as you say, from the server or the desktop. I would steer you in the direction of using Domain Policies rather than local policies. The idea is to centrally manage your desktop environments. How to do this is a subject that is too large for this post, so I would direct you to Microsoft's website, as you will find the info needed there.
 
Well, you could just do mandatory profiles...

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Thanks for the replies.

If I did a mandatory profile would I be able to enforce this on a selection of computers, instead of using the user profiles?

Thanks again
 
You create what are called Organisational Units... these are logical containers. These subdivide your network into a logical structure. You create a GPO (Group Policy Object); this is the thing that actually contains the specific settings you have defined. You apply this to the OU (Organisational Unit). Everyone in that Organisational Unit will obey these commands (just take that as it is for now). Compare it to you, as the IT Admin, writing down on a piece of paper your rules for using the computers... you don't want to go around and give a copy to every person you want to apply these rules to. You would go to the department manager and give them a copy (this is the OU); the OU, or manager, then distributes the rules to the subordinates (clients, or sub-OUs).

To create an OU, in Active Directory Users and Computers, click New > Organizational Unit. Then move machines (drag and drop / Move To) into your OU. A well-structured network will avoid using the default Computers and Users containers. Also create equivalent OUs for users, again dragging all the relevant users from the Users container... so you should have an OU named Marketing, then sub-OUs named MarketingComputers and MarketingUsers. This is because Group Policies are divided into policies that can be applied to machines (so they are irrelevant to which user is logging on) and User Policies (that will stick with that user if they move around the company; again, take that at face value for the minute).

Machine policies generally regard hardware, protocol configuration and security settings (and refer to HKEY_Local_Machine\Software\Policies (..\Microsoft\Policies)). User Policies take care of the desktop appearance. This is where you need to look.

To create the GPO, you need to download Microsoft Group Policy Management Console from Microsoft GPMC

Once you have read this and installed it, read Administering Windows with GPMC.doc. This steps you through creating the GPO (page 11).

Once you have your GPO created (a blank one), right-click on it and click Edit. Open the User Settings tree > Administrative Templates > Desktop > Active Desktop. In the right-hand pane you will see your possible policy settings. In general, users are permitted to do most things, so pay careful attention to the wording. The policy name DISABLE ACTIVE DESKTOP means that to stop people being able to switch Active Desktop on, you need to select the ENABLE option. Many mistakes are made because people new to GPOs think that the name is just the object (Active Desktop) and they want to DISABLE IT as the setting.
There are probably 3 of these settings you need to ENABLE:
DISABLE ACTIVE DESKTOP
DISABLE ADDING NEW ITEMS
DISABLE EDITING ITEMS
I think those are the names (not 100% sure), but you get the picture.

Click Apply and close the GPOE (Group Policy Object Editor); you are now back in the GPMC (Group Policy Management Console). Drag your new GPO to the OU you created... you will get a message asking if you wish to link the GPO to the OU... click Yes.

Read back on the doc I pointed you to, and look at Group Policy Modelling; again, contact me if you have issues with it. But it's a simple config, so you shouldn't have any issues.

If you have any more problems, post back, or contact me (my email can be found in my profile).

Hope this Helps - Back to work now

Neil J Cotton
njc Information Systems
Systems Consultant
HND, BSc HONS, CCNA, BCS, IETF, DMTF
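The OU / GPO / link procedure Neil walks through, as an added example in PowerShell (not code from the thread): it assumes the ActiveDirectory and GroupPolicy modules (RSAT on Windows Server 2008 R2 or later; Windows 2003 itself only offered the GPMC GUI), and the domain, OU and GPO names are placeholders. The three policy settings are written as the registry values the Administrative Templates map them to, so the inverted "Disable ... = Enabled" wording Neil warns about is visible in the code.

```powershell
# Added example, not from the thread. Assumes RSAT modules; names are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
$dept     = 'Marketing'
$gpoName  = 'Marketing - Lock Down Active Desktop'

# 1. OU structure: department OU with separate sub-OUs for computers and users,
#    so machine policies and user policies can be linked independently.
$deptOU = New-ADOrganizationalUnit -Name $dept -Path $domainDN -PassThru
$compOU = New-ADOrganizationalUnit -Name "${dept}Computers" -Path $deptOU.DistinguishedName -PassThru
$userOU = New-ADOrganizationalUnit -Name "${dept}Users"     -Path $deptOU.DistinguishedName -PassThru

# 2. Move objects out of the default containers (the drag-and-drop step in ADUC).
#    The filters here are assumptions; adapt them to how your accounts are tagged.
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -Filter * |
    Move-ADObject -TargetPath $compOU.DistinguishedName
Get-ADUser -SearchBase "CN=Users,$domainDN" -Filter 'Department -eq "Marketing"' |
    Move-ADObject -TargetPath $userOU.DistinguishedName

# 3. Create the blank GPO, then ENABLE the three "Disable ..." policies. Enabling a
#    policy named "Disable Active Desktop" writes the value that turns the feature OFF.
#    Value names follow the classic Windows ADM templates; verify against your template.
$gpo = New-GPO -Name $gpoName -Comment 'User Configuration: Active Desktop restrictions'
$explorer      = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$activeDesktop = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
Set-GPRegistryValue -Name $gpoName -Key $explorer      -ValueName NoActiveDesktop     -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $activeDesktop -ValueName NoAddingComponents  -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $activeDesktop -ValueName NoEditingComponents -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the USERS OU. These are User Configuration settings, so a link
#    on the computers OU would apply nothing (a common mistake with split OUs).
New-GPLink -Name $gpoName -Target $userOU.DistinguishedName -LinkEnabled Yes | Out-Null

# 5. Check what the GPO contains and what a user will actually receive, the
#    command-line equivalents of GPMC's settings report and Group Policy Modelling.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$dept-gpo.html"
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\$dept-rsop.html"
```

Run the report steps again after the users' next logon; a setting that shows in the GPO report but not in the resultant set usually means the link is on the wrong OU or the user object was never moved.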
 
I would like to secure my desktop so that nothing can be added or if it is it will be deleted on a reboot.

Your first step for this is to simply lock down the PC. Remove all users from the local Admin group and from the Power Users Group. Then your users will not be able to install software.

Removal of software by GPO is only possible if the software was DEPLOYED using an AD GPO.

You can use Group Policies to limit what features of the GUI or what executables a user is permitted to use. An EXE file manually copied to the PC and not "installed" will not be detected. As an example, you can lock a user down so they can't install software. Give them a floppy with a resource kit utility on it. This is a stand-alone EXE that requires no DLL files to be installed, etc. The user can easily run this.

As was mentioned above, the best solution to ensure total lockdown is a mandatory profile. You create a profile, configure it as you see fit, then rename the POL file to a MAN file and specify this file in the user's AD properties. Any changes to the profile will be lost at logoff. You will STILL want to combine this with proper NTFS security to ensure that nothing else gets saved to the PC.

There are hundreds of different GPO options you can choose from to help lock down what the user can and cannot do. Just remember to balance these with what the user MUST be able to do.

As an example, I do not recommend blocking users from Control Panel. Instead specify the applets they are ALLOWED to use. Give them access to Access.cpl, Main.cpl and mailcfg32.cpl.

Why?

If you want to avoid a lawsuit is why. Access.cpl is the accessibility options, and Main gives access to the mouse settings so left-handers can switch their buttons if they want. Failure to give access to these gives the would-be lawsuit something to feed off of.

I recommend the mailcfg so you can adjust Outlook profile settings without having to undo a policy.

I hope you find this post helpful.

Regards,

Mark
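Mark's two recommendations in script form, as an added example that is not part of the thread: Part A runs on the workstation and empties the local Administrators and Power Users groups of everything except the accounts you keep (Microsoft.PowerShell.LocalAccounts, Windows 10 / Server 2016 or later), Part B builds a GPO that allow-lists the three Control Panel applets he names via the "Show only specified Control Panel applets" policy (GroupPolicy module). The group names in $keep and the GPO name are assumed values.

```powershell
# Added example, not from the thread. $keep entries and the GPO name are assumptions.

# --- Part A: lock down the PC by emptying the privileged local groups ----------------
# Keep the built-in Administrator and the domain admins group so admins are not locked out.
$keep = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins')   # assumed names
foreach ($group in 'Administrators', 'Power Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $keep -notcontains $_.Name } |
        ForEach-Object {
            Write-Host "Removing $($_.Name) from local group '$group'"
            Remove-LocalGroupMember -Group $group -Member $_
        }
}

# --- Part B: allow-list Control Panel applets instead of hiding Control Panel ----------
# "Show only specified Control Panel applets" sets RestrictCpl=1 under Policies\Explorer
# and lists the permitted .cpl names as numbered string values under a RestrictCpl subkey.
$gpoName  = 'Marketing - Control Panel Allow List'
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$allowed  = 'access.cpl', 'main.cpl', 'mailcfg32.cpl'   # accessibility, mouse, mail profiles

New-GPO -Name $gpoName | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName RestrictCpl -Type DWord -Value 1 | Out-Null
for ($i = 0; $i -lt $allowed.Count; $i++) {
    # Allowed applets are string values named "1", "2", ... under the RestrictCpl key.
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\RestrictCpl" `
        -ValueName ($i + 1).ToString() -Type String -Value $allowed[$i] | Out-Null
}

# Review what the GPO now sets before linking it to the users OU with New-GPLink.
Get-GPRegistryValue -Name $gpoName -Key "$explorer\RestrictCpl" |
    Select-Object ValueName, Value
```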
 