GPEDIT or similar functionality for restricting computer access.

Saga

Banned
Feb 18, 2005
Does anyone happen to have handy a link to and/or name of any publications which may assist me in setting up restrictions on Windows XP Pro based work PCs? I've been assigned to investigate the ability to possibly make a group policy which simply affects domain users and not domain admins with the intent of blocking specific abilities within the PC - Installing Software, Windows Updates, accessing registry and the group policy editor. The intent is to have these settings only affect the domain users so that the domain administrator accounts still have access to anything on the computers. Unfortunately I know little to nothing about this aside from my own escapades with the gpedit utility which usually resulted in fun modifications to annoy roommates in college.

I know this may sound rough and it's because I do not know the correct terminology for what I'm attempting to describe, excuse my personal ignorance. Essentially any form of guidance to the proper publications would be greatly appreciated in swiftly finding a way to educate myself on this issue and attempt to draw up a plan which may serve the needs of my superiors. I'm even open to other programs or tools which may serve these needs, but at the moment something I can simply perform using what is already installed on Windows XP would be most desirable.
 

Diaonic

Senior member
May 3, 2002
Active Directory FAQ

Just for reference, do the users have roaming profiles or are they stationary to the same machine each day?

Use this guide to get started. If you have any questions, feel free to ask. This is the stuff I do on a daily basis.
 

Saga

Profiles are stationary, checking out the guide to attempt to work something out, it's extremely helpful and I appreciate it. We don't have the ability to create new groups due to us being a small branch of a big corporation, but we do have a great group to stick seasonal workers into for moderation until we find a better solution.
 

Diaonic

Since the profiles are stationary you could create two new OUs (Organizational Units) and stick all the administrative computers in one and the rest of the computers in the other. Apply a group policy to each OU for whatever restrictions you want. This is one way to do it; it's not ideal but it would get the job done.
 

Saga

Unfortunately everything is on one corporate domain where currently each domain user is given administrative access. Not entirely sure what would be the easiest path aside from simply removing each user from the administrator domain which essentially makes them a guest when logging in. Asking for the creation of new OUs may or may not ever happen if requested, it's sort of up to our location to invent its own solution as current corporate policy is to make each user an administrator - something which currently conflicts heavily with our seasonal workers who did the dirty from infesting computers with spyware from free web-games to in one case performing a system restore on a machine. Spending an hour re-imaging is something that seems easy when you have the time to set up and babysit it but once the season hits my schedule won't allow for even that to get done in a timely manner, thus the creation of any temp fix to get through this year would be a great time saver.
 

nweaver

Diamond Member
Jan 21, 2001
What groups/users are in the "local administrators" group?

If you have the "Domain Users" in there, move it out and into a restricted/custom group on the LOCAL machine. Only do that on the machines used by seasonal workers, and add the admins (if they are only domain users, and not domain admins) to the local administrators group individually.
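
The local-group change described in the post above, written out as an added example that is not part of the original thread: a batch script for one seasonal-worker PC using the built-in `net localgroup` command. The domain name `CORP` and the accounts `jsmith` and `mjones` are placeholders, and the built-in local `Users` group stands in for the "restricted/custom group".

```batch
@echo off
rem Added example, not from the thread. Run from an administrator
rem command prompt on ONE seasonal-worker PC.
rem CORP, jsmith and mjones are placeholders (assumptions).
setlocal
set DOMAIN=CORP
set ADMINS=jsmith mjones

echo === Local Administrators before the change ===
net localgroup Administrators

rem Step 1: add each named admin FIRST, then confirm the account is
rem really listed. Removing Domain Users before this succeeds could
rem leave the machine with no usable domain admin account.
for %%A in (%ADMINS%) do (
    net localgroup Administrators "%DOMAIN%\%%A" /add >nul 2>&1
    net localgroup Administrators | find /i "%DOMAIN%\%%A" >nul
    if errorlevel 1 goto fail
)

rem Step 2: take the broad group out of local Administrators.
net localgroup Administrators "%DOMAIN%\Domain Users" /delete

rem Step 3: keep Domain Users in the unprivileged local Users group so
rem seasonal workers can still log on. On a domain-joined PC it is
rem normally already a member; the "already a member" error is harmless.
net localgroup Users "%DOMAIN%\Domain Users" /add

echo === Local Administrators after the change ===
net localgroup Administrators
endlocal
goto :eof

:fail
echo A named admin could not be added; Domain Users was NOT removed.
endlocal
exit /b 1
```

Group membership is evaluated at logon, so a user who is signed in while the script runs keeps administrator rights until the next logon.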
 

Diaonic

Personally it sounds like you have a huge can of worms on your hands. I would really try and take the steps to do this stuff at a domain level. It's only going to get worse if you start applying policies on individual machines.

Ideally bringing a DC into that location to manage the machines. Also giving you or someone with similar skill set the ability to manage it. :thumbsup: