September 20th, 2004 12:08 PM
Using group policies to restrict certain users
OK here goes,
I have been put in charge of securing a shared system with two sets of users. One set is computer savvy and knows what they are doing. The other set doesn't know ****. All users run with admin rights (I know). One of the latter users installed TONS of spyware on the comp. After cleaning, I've taken the following steps:
1. Converted the drive to NTFS
2. Created two sets of users. The first set has been assigned to power users. These people also have the admin password. The other set has been assigned to users.
Now, what I want to do is really lock down what the second set of users does. [BOFH] I mean except for playing music/movies, using MS-Office and using the internet, they have NO rights [/BOFH]. I am planning to use the group policy editor for this. However, since I've never really played with it before, I can't figure out how to assign settings to only one user or group. All settings look system-wide to me. Please help me figure this one out.
September 20th, 2004 12:53 PM
If you're editing the local group policy (as opposed to a domain-based GPO), deny read permissions to all users / groups you don't want to lock down in the C:\Windows\System32\GroupPolicy folder. That way, only the users you want will be locked down.
Of course, any time you need to make changes you'll have to log in as administrator and grant the rights back to Administrator so it can be edited...
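The permission trick described in the post above, written out as an added PowerShell example (not code from the thread) so that the deny entry can be added, removed and inspected repeatably instead of by hand in Explorer. It assumes the "savvy" group is the built-in Power Users group, as in the original poster's setup, and must be run from an elevated session; the function names are invented for this example.

```powershell
# Added example (not from the thread): exempt one group from the local GPO by
# denying it Read on the local policy store, plus the matching undo and a check.
# Assumption: the group to exempt is BUILTIN\Power Users; change $ExemptGroup
# to suit. Run from an elevated PowerShell session on the machine itself.

$PolicyStore = "$env:SystemRoot\System32\GroupPolicy"
$ExemptGroup = "BUILTIN\Power Users"

function Add-LocalGpoExemption {
    param([string]$Group = $ExemptGroup, [string]$Path = $PolicyStore)
    $acl  = Get-Acl -Path $Path
    # Deny Read on the folder and everything beneath it (ContainerInherit,
    # ObjectInherit). A Deny ACE wins over any Allow the group already has.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-LocalGpoExemption {
    # Undo: strip only the Deny entries for the group, leave the rest of the ACL.
    # This is the step the post mentions having to take before editing the policy.
    param([string]$Group = $ExemptGroup, [string]$Path = $PolicyStore)
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and
                       $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

function Get-LocalGpoExemption {
    # List who is currently exempted (every Deny ACE on the policy store).
    param([string]$Path = $PolicyStore)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

# Usage:
#   Add-LocalGpoExemption          # Power Users no longer read the local GPO
#   Get-LocalGpoExemption          # confirm the Deny entry is present
#   Remove-LocalGpoExemption       # restore before editing with gpedit.msc
```

After adding the exemption, run `gpupdate /force` and log on with a test account from each group to confirm that only the restricted group picks up the settings. Keep the Administrators group out of `$ExemptGroup` unless you are prepared to repeat the remove/edit/add cycle the post describes every time the policy changes.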
September 20th, 2004 01:04 PM
Are you doing that at domain scope or computer by computer?
If you have AD, I can give you a different explanation than if you are doing that PC by PC...
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
September 20th, 2004 07:32 PM
Timmy77, thanks. That really helped. cacosapo, I was trying to apply group policies in the local context. This is a standalone box. Also, if anyone knows, is there a more elegant way to apply the group policies? I'd like to be able to apply different policies to each group (even though what I needed to do got accomplished).
September 20th, 2004 08:30 PM
I do not know a way to apply more than one local policy. As far as I know, you can create only one local policy, and while you can filter out who does or does not get the policy, you can't set up a second policy on the local system.
September 20th, 2004 09:27 PM
Start - Run - gpedit.msc
Group Policy: XP Pro only, unavailable for Home!
September 20th, 2004 10:48 PM
If it is Windows 2000 or later, you go to:
-> Control Panel
-> Administrative Tools
-> Local Security Policy
In there, you can set as many policies as you like. (btw, it's just like Active Directory to use, piece of pie).
September 22nd, 2004 06:24 PM
The way I usually break out different policies for different groups of people is to specify different OUs inside of AD.
Then you create a default domain policy which applies to everyone, put things like password aging, and password complexity that will be the same for all users here. Use the no override feature on this policy to make sure that somebody managing a sub OU cannot write a policy that will knock out your domain policy.
Then you can create a GPO for each different OU. That GPO will only apply to the users who are in the OU. Always remember that the most restrictive policy is what holds except when you are using the no override on a parent OU.
We do servers and workstations like this as well. Obviously you are going to have different policies for servers than for workstations. Rather than leave all of the machines in the general computers OU we create function specific OUs and move servers to the appropriate spot based on their function.
Personally I hate doing local machine policies, as they really become a bear to manage when you have a lot of machines. Using AD and GPO is the only way to go in a larger environment. However, if you don't have AD and are only managing a small handful of machines, using the local policy editor is your only answer.
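The OU-and-GPO layout the post above describes, scripted as an added PowerShell example (not code from the thread) using the ActiveDirectory and GroupPolicy modules that ship with RSAT. The domain name `DC=example,DC=local`, the OU names, the GPO names and the computer name `FILESRV01` are placeholders invented for the example; "No override" is the older console's name for what GPMC and the cmdlets call Enforced.

```powershell
# Added example (not from the thread): function-specific OUs, an enforced
# domain-wide baseline, and per-OU GPOs, as described in the post.
# Assumptions: placeholder domain DC=example,DC=local; placeholder OU/GPO/host
# names; run as a domain admin on a machine with RSAT installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = "DC=example,DC=local"   # placeholder domain

# 1. OUs that mirror function, so policy scope follows role rather than
#    everything sitting in the default Users/Computers containers.
$ouNames = "Restricted Users", "Power Users", "Workstations", "Servers"
foreach ($name in $ouNames) {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
                    -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $name -Path $DomainDN
    }
}

# 2. Domain-wide baseline (password aging / complexity) linked at the domain
#    root and Enforced, so a GPO on a sub-OU cannot knock it out.
$baselineName = "Baseline - Password Policy"
$baseline = Get-GPO -Name $baselineName -ErrorAction SilentlyContinue
if (-not $baseline) { $baseline = New-GPO -Name $baselineName }
New-GPLink -Name $baselineName -Target $DomainDN -Enforced Yes -LinkEnabled Yes

# 3. One GPO per OU; each only reaches the users or computers inside that OU.
$links = @{
    "Restricted Users - Lockdown" = "OU=Restricted Users,$DomainDN"
    "Workstation Hardening"       = "OU=Workstations,$DomainDN"
    "Server Hardening"            = "OU=Servers,$DomainDN"
}
foreach ($gpoName in $links.Keys) {
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
    New-GPLink -Name $gpoName -Target $links[$gpoName] -LinkEnabled Yes
}

# 4. Move a server out of the general Computers container into its function OU
#    so the server policy, not the workstation one, applies to it.
Get-ADComputer -Identity "FILESRV01" |                # placeholder host
    Move-ADObject -TargetPath "OU=Servers,$DomainDN"

# 5. Review what an OU actually receives: its own links plus what it inherits,
#    with the enforced domain baseline showing up in the inherited list.
$inh = Get-GPInheritance -Target "OU=Restricted Users,$DomainDN"
$inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced
```

`New-GPLink` fails if the link already exists, so on a second run use `Set-GPLink` with the same `-Target` and `-Enforced` values instead. The `Get-GPInheritance` output in step 5 is the quickest way to confirm that the enforced baseline still reaches every OU after someone managing a sub-OU has added policies of their own.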