Where I work we have one computer that is for customer use. It is on a domain (with a Win2003 server). I want to be able to lock that computer down so that customers can only do things that they have business doing. As it is now, pretty much everything is open. I have been at other companies where some computers would have things such as My Computer, Control Panel, Network Neighborhood, etc blocked or disabled. How would I go about doing such a thing? What is that called? Thanks in advance!
You need to research group policies.
Your basic approach would be to set up a group in active directory, put that machine in the group then apply a group policy to the group.
Group policies are pretty complex though, you're gonna need to do some reading.
As Tallus said, group policy is what you want to be looking at. MS have a guide for hiding sections of the Control Panel here, but I think that would hide it for everyone in the domain so even that would need some tinkering around.
Best thing is before you do anything, do some reading on Group Policy and establish exactly what you want to hide before you do anything. GP isn't the most user friendly tool in the box.
This is the text book I had for Server 2003 and it really helped explain how to set up group policies (amongst many other things). If you were to get a book, this would be the one I'd get.
You don't want an AD "group" despite dealing with group policy here. That bit is a little confusing.
You want to create an Organizational Unit (basically a folder in your AD) which is what you apply group policy to.
Make a new OU in your AD somewhere sensible, call it "Public Machines" or such a thing, and Move the computer accounts you wish to be part of it into this OU.
Then you create a GPO that changes the settings you want, like locking out control panel and desktop features. You can even restrict allowed applications to a list, etc. As mentioned there is a lot to Group Policy so you'll want to do some research.
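The OU-then-GPO procedure described above, as an added example that is not part of the original posts. It assumes an admin workstation with the RSAT ActiveDirectory and GroupPolicy PowerShell modules and a domain that supports them; the domain `example.local`, the computer name `KIOSK01` and the GPO name are placeholders. It also enables loopback processing, because the shell restrictions are per-user settings while the OU holds a computer account.

```powershell
# Added example; example.local, KIOSK01 and the GPO name are placeholders.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=local'
$ouName   = 'Public Machines'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Public Machine Lockdown'

# 1. Create the OU and move the customer-use computer account into it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Get-ADComputer -Identity 'KIOSK01' | Move-ADObject -TargetPath $ouDn

# 2. Create an empty GPO to hold the restrictions.
New-GPO -Name $gpoName -Comment 'Restrictions for customer-use PCs' | Out-Null

# 3. Explorer shell restrictions. These are user-side (HKCU) policy values.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$restrictions = @{
    NoControlPanel = 1            # block Control Panel
    NoNetHood      = 1            # hide the network neighborhood icon
    NoDrives       = 0x03FFFFFF   # bitmask: hide drives A-Z in My Computer
}
foreach ($name in $restrictions.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName $name `
        -Type DWord -Value $restrictions[$name] | Out-Null
}

# 4. Loopback processing in Replace mode (2): user settings from GPOs that
#    apply to the computer are used for whoever logs on to that machine.
#    Without this, HKCU settings in a GPO linked to a computer-only OU
#    never reach the logged-on user.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 5. Link the GPO to the OU only, so the rest of the domain is unaffected.
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null

# 6. Write a report of what the GPO contains for review before rollout.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

After a `gpupdate /force` and a fresh logon on the machine, `gpresult` shows whether the GPO was applied. With loopback in Replace mode the restrictions also hit administrators who log on there unless the GPO's security filtering excludes them.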
I came into the thread hoping to learn something, and am leaving it with the realization that user administration under unix is fucking easy. A child could do it.
Windows guys that can lock down their system and know what they're doing must be some big brain bastards.
ze infidel is correct, the element you want is rather confusingly called an OU in active directory. I made the switch to linux last year so my terminology is getting all kinds of screwed up.
Group policies are [strike]pretty complex[/strike] [strike]the devil though[/strike], awesome you're gonna need to do some reading.
Fix'd.
They aren't that bad. Create a test OU, add one machine to it, then fuck around. You can't really break anything. If it gets really, really screwed up, just remove the GPO and start over.
ze infidel is correct, the element you want is rather confusingly called an OU in active directory. I made the switch to linux last year so my terminology is getting all kinds of screwed up.
OU is a term common to all directory servers (LDAP) AFAIK. AD is inconsistent in many other ways though.
I came into the thread hoping to learn something, and am leaving it with the realization that user administration under unix is fucking easy. A child could do it.
Windows guys that can lock down their system and know what they're doing must be some big brain bastards.
It's far easier to centrally manage client security settings in an AD/Windows environment.
ze infidel is correct, the element you want is rather confusingly called an OU in active directory. I made the switch to linux last year so my terminology is getting all kinds of screwed up.
OU is a term common to all directory servers (LDAP) AFAIK. AD is inconsistent in many other ways though.
No, I'm saying the confusing part is not OUs but "Group Policy" having little to do with real groups.
ze infidel is correct, the element you want is rather confusingly called an OU in active directory. I made the switch to linux last year so my terminology is getting all kinds of screwed up.
OU is a term common to all directory servers (LDAP) AFAIK. AD is inconsistent in many other ways though.
No, I'm saying the confusing part is not OUs but "Group Policy" having little to do with real groups.
Yeah I never got that. Why call it group policy if you can't apply it to groups?
I came into the thread hoping to learn something, and am leaving it with the realization that user administration under unix is fucking easy. A child could do it.
Windows guys that can lock down their system and know what they're doing must be some big brain bastards.
Yea, before I started mucking with Windows servers, I for some reason had this idea that they would be the easiest to administer. I quickly found out that was far from the case.
You may want to consider Windows SteadyState.
I think I will give that a try, and if I don't have luck with that, I guess I will dive into books regarding Group Policies. Thanks for all your help everyone!
Group policies are [strike]pretty complex[/strike] [strike]the devil though[/strike], awesome you're gonna need to do some reading.
Fix'd.
They aren't that bad. Create a test OU, add one machine to it, then fuck around. You can't really break anything. If it gets really, really screwed up, just remove the GPO and start over.
for truth. This is exactly what I do whenever I want to try something new. I use GPOs to set my WSUS settings, install Adobe Reader, Flash, and Java, configure IE settings, etc. for the 500+ PCs that I support.
Make the network do the work so you don't have to.
GPOs are intimidating when you first try and tackle them, but they really aren't that bad.
Just tried SteadyState. That doesn't cover everything that I was thinking of. Oh well. Was worth a try. Now I guess it is off to the library to see if they have any decent Win2003 books (and maybe even the one mentioned by Slagmire).
Since GP is so big, you may not want a general Server2K3 book, I know there are some books out there dedicated to nothing but GP.
But hey, just start small like I did. Name one specific thing you wish to set across your network, google it, making sure you add in "group policy" and read away. That's kinda how I got started.
Yeah I never got that. Why call it group policy if you can't apply it to groups?
You can apply it to groups. You can set policies across the entire AD and permit specified groups to execute the policy. You could also consider OUs groups, if the "Group" term wasn't already assigned in Windows.
I see what you're saying, but it's not entirely accurate the way you phrased it.
In addition, it's infinitely easier to manage in a hierarchy tree than it would be to assign the policies to groups proper. It has its limitations, which can sometimes be worked around, but all in all, it's a very effective system.
Tallus is quite right about setting it up initially as a group in AD, then applying the group policy to that group. In fact, there's so much truth in all the responses you've gotten, there's
http://www.amazon.com/70-290-Microsoft-Environment-Networking-Technology/dp/1423902890/ref=sr_1_21?ie=UTF8&s=books&qid=1242309758&sr=1-21
Nah, they are not the devil unless you are trying to do something complicated. At the basic level, Group Policies are just overly complex.