Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

User Desktop Control, please help 3

Status
Not open for further replies.
tgrattidge

tgrattidge

IS-IT--Management
Dec 14, 2002
6
GB
Have just installed a Windows 2000 Server and would like to restrict access to control panel and other system settings when a user logs on to the domain.
I have Windows 98 Windows 2000 P and Windows XP P workstations but have only two users in Active directory that I need to restrict Desktop access.

Help Please....
Thanks in advance
 
Sort by date Sort by votes
Best way I see to do this is to create an OU and add a policy that restricts the users in that OU from all those things you said and then add the two users to that OU.

I don't think it will work for the Win98 machines.. somebody can correct me if I'm wrong about that.
 
Upvote 0 Downvote
Tgrattidge,

Put those 2 users in an Organizational Unit and then apply a Group Policy Object (GPO) to it with the restrictions that you require.

"would like to restrict access to control panel..."

User Configuration|Administrative Templates|Control Panel|Disable Control Panel

However, Group Policies will not be applied to the 98 machines...

Let us know if you need more help on this,

Patty [ponytails2]

 
Upvote 0 Downvote
Reddlefty,

We must have posted at exactly the same time...hey at least our advice was consistent.


Patty
 
Upvote 0 Downvote
Thanks very much to you both, and for such a quick response.
Would you just confirm for me that an OU is a group? Then add users to the group then add a policy to the group?

is there anything I can use for the W98 clients?

Thanks once again,

Tim
 
Upvote 0 Downvote
Tgrattidge,

No, an OU is an Organizational Unit not a group.

Start|Programs|Administrative Tools|Active Directory Users and Computers.

Highlight your 'domain name', right-click and choose New, then choose Organizational Unit. Name it whatever you like and then while still in AD/Users and Computers you should Move the two users in question into that OU.

Next, right-click the OU that you just created and choose Properties, then click the Group Policy tab. Click New and name your new Group Policy Object (GPO) whatever you like. Then highlight the new GPO and click Edit to make the necessary changes.

Hope this helps,

Patty [ponytails2]
 
Upvote 0 Downvote
Thanks very much, will follow instructions given to the letter and test on some false account and OU's.

Is it ok to get back to you if I uncover some hidden problems?

Thanks again, never used a tips group like this that gives such good advise and quick replies,

Cheers for now,
Tim
 
Upvote 0 Downvote
I would suggest a slightly more complicated approach to address both w2k and win98 machines.

I would create a group and assign the two users to this group. I would then create the appropriate GPO in the computers OU. By default, the GPO will have authenticated users assigned to apply the GPO. I would remove this and assign the specified group to apply. You must enable loopback processing under the machine policy for this to apply to user accounts.

You could then use the older poledit to create a policy file to apply to Win98 boxes. Again, you would use the group you specified to define the policy. Just a thought...

Mike
 
Upvote 0 Downvote
Thanks to all who helped me out, gpo is running very well and can lock down both XP P and W2K machines no problem. Do have another question regarding Internet Access?

We have a Broad Band router that requires two DNS and a Gateway to be entered into the TCP/IP on the Client workstations.

Since I had to add the IP address of the server into the workstations for the GPO to work they have no Internet access? Have tried setting different orders to the DNS on the clients but to no avail. Any help would be gratefully received.

Thanks again,
Tim
 
Upvote 0 Downvote
You must use your DNS server for Active Directory functions to work correctly. I believe if you set up your AD DNS server to use the other two addresses for name resolution your problem should be resolved. You would leave the gateway where it has always been. Thanks.

Mike
 
Upvote 0 Downvote
Set up your local DNS server as a forwarder to your ISP's DNS server. Only place the local server in the Clients DNS addresses.

Requests will be made to your DNS which it can't resolve and will pass them on to the external DNS.

Specify the router (lan side, proably 192.168.1.1) as the Gateway on the clients, unless you are DHCPing where that will need to be specified.

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
How can I restrict from people from adding more icons to the windows taskbar or completely turn it off. SO they cannot drag an icon from the desktop to the taskbar and create quick launch.
 
Upvote 0 Downvote
Create a group policy that locks and resticts the taskbar.

User Conf>Admin templates>Start menu and taskbar

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MaioMaio
  • Locked
  • Question
Server Remote Desktop License
Replies
0
Views
523
MaioMaio
MaioMaio
Abdullah Al Maruf
  • Locked
  • Question
Telnet help for
Replies
2
Views
784
gbaughma
gbaughma
DrB0b
  • Locked
  • Question
Windows 2016 IIS FTP server with a ton of user accounts
Replies
4
Views
789
DrB0b
DrB0b
penguinroundup
  • Locked
  • Question
programmatically delete all saved passwords for IE for any user
Replies
0
Views
310
penguinroundup
penguinroundup
Teo En Ming
  • Locked
  • Question
Actions taken during Disaster Recovery for client whose IBM Megaraid controller has failed
Replies
2
Views
645
fightaccording
fightaccording

Part and Inventory Search

Sponsor

Back
Top