Limiting access to the Control Panel.

[rasczak]

http://support.microsoft.com/kb/307882/en-us

i used this link for 100's of student desktops running xp at the elementary school i was working for.

in order to have it run for a limited account you need to run this and create the policy as an administrator.

then log off and log back, be careful to make sure you have access tot he console that you create, preferably saving it to you my documents folder,

then once the policy is in effect, log out and log is as the limited account you want to lock down. you'll see the effects right off the bat.

go back into the adminstrator account and access your console and disable the changes you made and log back in as an administrator. the changes should take place for the loimited account only and the administrator will be fine.

rememerb tho taht if you have multiple profiles on that machine, each profile will have those lock downs in effect.
i can't remember how to disable for the other profiles because it's been a while since i have touched thos machines, but i'm sure you'll figure it out 🙂

 

[NogginBoink]

You're managing hundreds of computers using LOCAL group policy!?!?

Wow, what a nightmare! That's what domain, site, and OU policies are for!

 

[ManBearPig]

Ok, i have yet to try what jp says, but heres a couple of things im wondering:

1)how come the gpedit.msc settings dont stay?
2)how can i limit/stop limited account downloads? preferably of certain things, like .exes.
3)how can i remove the shut down computer button from the limited account? System mechanic allows this, but it too keeps coming back.

You guys thing CCleaner is undoing these changes?

 

[GeekDrew]

Originally posted by: Heen05
Ok, i have yet to try what jp says, but heres a couple of things im wondering:

1)how come the gpedit.msc settings dont stay?
2)how can i limit/stop limited account downloads? preferably of certain things, like .exes.
3)how can i remove the shut down computer button from the limited account? System mechanic allows this, but it too keeps coming back.

You guys thing CCleaner is undoing these changes?

1) Make sure that the account you are using is a member of the Admins group, and that the appropriate NTFS permissions are set, if applicable. I've seen that happen before when policies were defined... when the user tried to save a policy, but did not have write access to the appropriate resource, it silently failed.

2) An internet gateway device, such as a proxy server.

3) Either group policy or a quick registry edit will take care of this, can't remember which it is. I'm sure you can find it on the MS KB or Google.

 

[rasczak]

Originally posted by: NogginBoink
You're managing hundreds of computers using LOCAL group policy!?!?

Wow, what a nightmare! That's what domain, site, and OU policies are for!

yea it was a nightmare, but the school district wasn't completely moved over to a domain environment atm. the reason was taht we were still using novell 5.x as our server and started migrating over to a win2k3 server domain.


as for heen05

open up gpedit.msc and navigate here,
user configuration > admin templates > start menu > remove and prevent access to the shut down command.

to set the template, make sure you save your gpedit.msc console on your admin desktop, then log off and log back on for every use you want this configuraation to affect.

then log back as admin and disable the configuations that you made, remember to use disable not "not configured".

then allthe changes will only apply to those profiles that you wanted to have locked down.

hope this helps.

joe

 

[GeekDrew]

Originally posted by: jpbelauskas
yea it was a nightmare, but the school district wasn't completely moved over to a domain environment atm. the reason was taht we were still using novell 5.x as our server and started migrating over to a win2k3 server domain.

You do know that Novell 5.x and ZenWorks can do just about everything Win2003 domains can do, including group policy, right?

 

[ManBearPig]

JP, so youre saying to change the limited to an admin acount, do the changes i want, and after each one log off then log on, and then go to MY admin account, set whatever i i changed there to disable, and then change the other account to limited again, right?

thanks.

 

[rasczak]

Originally posted by: GeekDrew

Originally posted by: jpbelauskas
yea it was a nightmare, but the school district wasn't completely moved over to a domain environment atm. the reason was taht we were still using novell 5.x as our server and started migrating over to a win2k3 server domain.

You do know that Novell 5.x and ZenWorks can do just about everything Win2003 domains can do, including group policy, right?

I did but our net adm didn't want to go that route with novell, he wanted an excuse to deploy server 2k3, so he made novell look clunky and diificult to manage.

as for heen, yes, taht is correct, sorry I took so long.

 

[scottws]

Originally posted by: wlee
I think you should prob look into setting up a Terminal Server ( or Citrix *IF* you have the budget ) for your troublemaker users. It's a lot easier "murder the soul of humanity" in that environment ( crush evey last aspect of enjoyment from the computing experience )

Haha! We have a Citrix environment, and I know exactly what you mean.

 

[Robor]

For real troublemaker users just image their machine the next time they do something that screws it up. Tell them while it is the job of the IT dept to support the users and computers it is not the job of the IT dept to waste time fixing problems caused by non work related activities - especially when it's the same users over and over. Then make it clear if they do it again the next fix is a reload back to the date of that image and any lost data = their fault and their problem.

Yeah, that's not nice but if someone is a real PITA user and has a bad personality or gives attitude then it's deserved. 😉