Thread: Using group policies to restrict certain users

  1. #1
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165

    Using group policies to restrict certain users

    OK here goes,
    I have been put in charge of securing a shared system with two sets of users. One set is computer savvy and knows what they are doing. The other set doesn't know ****. All users run with admin rights (I know). One of the latter users installed TONS of spyware on the comp. After cleaning, I've taken the following steps:

    1. Converted the drive to NTFS
    2. Created two sets of users. The first set has been assigned to power users. These people also have the admin password. The other set has been assigned to users.

    Now, what I want to do, is really lock down what the second set of users does. [BOFH] I mean except for playing music/movies, using MS-Office and using the internet, they have NO rights [/BOFH]. I am planning to use the group policy editor for this. However, since I've never really played with it before, I can't figure out how to assign settings to only one user or group. All settings look system-wide to me. Please help me figure this one out.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  2. #2
    If you're editing the local group policy (as opposed to a domain-based GPO), deny read permissions to all users / groups you don't want to lock down in the C:\Windows\System32\GroupPolicy folder. That way, only the users you want will be locked down.

    Of course, any time you need to make changes you'll have to log in as administrator and grant the rights back to Administrator so it can be edited...
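
An added example, not part of the original posts, of the ACL toggle described in post #2: it puts a deny-read entry on the local policy folder for the groups that should stay unrestricted and removes it again when the policy needs editing. It assumes a Windows version that ships icacls.exe and PowerShell, an elevated prompt, and that "Administrators" and "Power Users" are the groups to exempt; the parameter names are illustrative.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions: icacls.exe is present; the exempt groups below are illustrative.
param(
    [ValidateSet('Exempt', 'Restore', 'Show')]
    [string]$Action = 'Show',
    [string[]]$ExemptGroups = @('Administrators', 'Power Users'),
    [string]$PolicyDir = (Join-Path $env:SystemRoot 'System32\GroupPolicy')
)

# Run icacls and stop on the first failure so the ACL is never left half-changed
# without the operator noticing.
function Invoke-Icacls {
    param([string[]]$IcaclsArgs)
    & icacls.exe @IcaclsArgs
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
}

if (-not (Test-Path -LiteralPath $PolicyDir)) {
    throw "Local policy folder not found: $PolicyDir"
}

switch ($Action) {
    'Exempt' {
        # Deny read only (R), inherited by files and subfolders via (OI)(CI).
        # Read-deny leaves the right to change permissions intact, so an
        # administrator can still undo this with -Action Restore.
        foreach ($group in $ExemptGroups) {
            Invoke-Icacls @($PolicyDir, '/deny', "${group}:(OI)(CI)(R)")
        }
    }
    'Restore' {
        # Remove only the explicit deny entries; grants are left untouched.
        foreach ($group in $ExemptGroups) {
            Invoke-Icacls @($PolicyDir, '/remove:d', $group)
        }
    }
    'Show' { }
}

# Always print the resulting ACL so the change can be verified.
Invoke-Icacls @($PolicyDir)
```

Because members of Administrators can edit this ACL themselves, the deny entry only scopes who receives the local policy; it is not a barrier against anyone who holds the admin password.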

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Are you doing that at domain scope or computer by computer?
    If you have AD, I can give you a different explanation than if you're doing that PC by PC.....
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #4
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Timmy77, thanks. That really helped. cacosapo, I was trying to apply group policies in the local context. This is a standalone box. Also, if anyone knows, is there a more elegant way to apply the group policies? I'd like to be able to apply different policies to each group (even though what I needed to do got accomplished).

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  5. #5
    cgkanchi,

    I do not know a way to apply more than one local policy. As far as I know, you can create only one local policy, and while you can filter out who does or does not get the policy, you can't set up a second policy on the local system.

  6. #6
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Start - Run - Gpedit.msc

    Group Policy.. XP Pro Only.. Unavailable for Home!
    -Simon "SDK"

  7. #7
    Member
    Join Date
    Jun 2002
    Posts
    95
    if it is windows 2000 or later, you go to:

    -> start
    -> control panel
    -> administrative tools
    -> local security policy

    in there, you can set as many policies as you like. (btw, it's just like Active Directory to use, piece of pie).

    good luck!

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    The way I usually break out different policies for different groups of people is to specify different OUs inside of AD.

    Then you create a default domain policy which applies to everyone, put things like password aging, and password complexity that will be the same for all users here. Use the no override feature on this policy to make sure that somebody managing a sub OU cannot write a policy that will knock out your domain policy.

    Then you can create a GPO for each different OU. That GPO will only apply to the users who are in the OU. Always remember that the most restrictive policy is what holds except when you are using the no override on a parent OU.

    We do servers and workstations like this as well. Obviously you are going to have different policies for servers than for workstations. Rather than leave all of the machines in the general computers OU we create function specific OUs and move servers to the appropriate spot based on their function.

    Personally I hate doing local machine policies as they really become a bear to manage when you have a lot of machines. Using AD and GPO is the only way to go in a larger environment. However, if you don't have AD and are only managing a small handful of machines, using the local policy editor is your only answer.