Dave

Distinguished
Jun 25, 2003
2,727
0
20,780
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello all,

I'm trying to manually "lock down" a limited WinXP Pro users account.
I need to know how to apply the following restrictions in the Registry
(or some other method):

No Control Panel
No Right-clicking on desktop
Cannot alter desktop in any way (i.e. no display settings)
No "Run" command
Cannot change computer clock
Force classic start menu

Thanks.
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HOW TO: Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882&Product=winxp

Doug's Windows XP Security Console
http://www.dougknox.com/xp/utils/xp_securityconsole.htm

[Courtesy of MS-MVP Doug Knox]


Please visit the experts in the Group Policy newsgroup
news://msnews.microsoft.com/microsoft.public.windows.group_p­olicy

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

"Dave" wrote:

| Hello all,
|
| I'm trying to manually "lock down" a limited WinXP Pro users account.
| I need to know how to apply the following restrictions in the Registry
| (or some other method):
|
| No Control Panel
| No Right-clicking on desktop
| Cannot alter desktop in any way (i.e. no display settings)
| No "Run" command
| Cannot change computer clock
| Force classic start menu
|
| Thanks.
|
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Dave" <professorchaos75@gmail.com>

| Hello all,
|
| I'm trying to manually "lock down" a limited WinXP Pro users account.
| I need to know how to apply the following restrictions in the Registry
| (or some other method):
|
| No Control Panel
| No Right-clicking on desktop
| Cannot alter desktop in any way (i.e. no display settings)
| No "Run" command
| Cannot change computer clock
| Force classic start menu
|
| Thanks.

Group Policies

Execute:
%windir%\system32\gpedit.msc

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
> From: "Dave" <professorchaos75@gmail.com>
>
> | Hello all,
> |
> | I'm trying to manually "lock down" a limited WinXP Pro users account.
> | I need to know how to apply the following restrictions in the Registry
> | (or some other method):
> |
> | No Control Panel
> | No Right-clicking on desktop
> | Cannot alter desktop in any way (i.e. no display settings)
> | No "Run" command
> | Cannot change computer clock
> | Force classic start menu
> |
> | Thanks.
>
> Group Policies
>
> Execute:
> %windir%\system32\gpedit.msc
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Doug Knox MS-MVP" <dknox@mvps.org>

| Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the
| computer.
|
| --
| Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
| Win 95/98/Me/XP Tweaks and Fixes
| http://www.dougknox.com
| --------------------------------
| Per user Group Policy Restrictions for XP Home and XP Pro
| http://www.dougknox.com/xp/utils/xp_securityconsole.htm
| --------------------------------
| Please reply only to the newsgroup so all may benefit.
| Unsolicited e-mail is not answered.

Thanx for the clarification Doug.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
 

Chris

Distinguished
Dec 7, 2003
2,048
0
19,780
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Doug,

Does this mean that even when the domain administrator logs into a computer
where there is a local security policy set via gpedit.msc they will not be
able to override any of the settings? How does the administrator manage the
machine then?

Thanks,
Chris

"Doug Knox MS-MVP" wrote:

> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
> > From: "Dave" <professorchaos75@gmail.com>
> >
> > | Hello all,
> > |
> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
> > | I need to know how to apply the following restrictions in the Registry
> > | (or some other method):
> > |
> > | No Control Panel
> > | No Right-clicking on desktop
> > | Cannot alter desktop in any way (i.e. no display settings)
> > | No "Run" command
> > | Cannot change computer clock
> > | Force classic start menu
> > |
> > | Thanks.
> >
> > Group Policies
> >
> > Execute:
> > %windir%\system32\gpedit.msc
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

If you're in a domain, the domain level policies should override any local policies, as far as I'm aware.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Chris" <Chris@discussions.microsoft.com> wrote in message news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
> Doug,
>
> Does this mean that even when the domain administrator logs into a computer
> where there is a local security policy set via gpedit.msc they will not be
> able to override any of the settings? How does the administrator manage the
> machine then?
>
> Thanks,
> Chris
>
> "Doug Knox MS-MVP" wrote:
>
>> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
>> > From: "Dave" <professorchaos75@gmail.com>
>> >
>> > | Hello all,
>> > |
>> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
>> > | I need to know how to apply the following restrictions in the Registry
>> > | (or some other method):
>> > |
>> > | No Control Panel
>> > | No Right-clicking on desktop
>> > | Cannot alter desktop in any way (i.e. no display settings)
>> > | No "Run" command
>> > | Cannot change computer clock
>> > | Force classic start menu
>> > |
>> > | Thanks.
>> >
>> > Group Policies
>> >
>> > Execute:
>> > %windir%\system32\gpedit.msc
>> >
>> > --
>> > Dave
>> > http://www.claymania.com/removal-trojan-adware.html
>> > http://www.ik-cs.com/got-a-virus.htm
>> >
>> >
>>
 

Chris

Distinguished
Dec 7, 2003
2,048
0
19,780
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Oh, ok. But what about local admin? Are they stuck with the same policy as a
normal user then?

Thanks for your reply,
Chris

"Doug Knox MS-MVP" wrote:

> If you're in a domain, the domain level policies should override any local policies, as far as I'm aware.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "Chris" <Chris@discussions.microsoft.com> wrote in message news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
> > Doug,
> >
> > Does this mean that even when the domain administrator logs into a computer
> > where there is a local security policy set via gpedit.msc they will not be
> > able to override any of the settings? How does the administrator manage the
> > machine then?
> >
> > Thanks,
> > Chris
> >
> > "Doug Knox MS-MVP" wrote:
> >
> >> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
> >>
> >> --
> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> >> Win 95/98/Me/XP Tweaks and Fixes
> >> http://www.dougknox.com
> >> --------------------------------
> >> Per user Group Policy Restrictions for XP Home and XP Pro
> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> >> --------------------------------
> >> Please reply only to the newsgroup so all may benefit.
> >> Unsolicited e-mail is not answered.
> >>
> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
> >> > From: "Dave" <professorchaos75@gmail.com>
> >> >
> >> > | Hello all,
> >> > |
> >> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
> >> > | I need to know how to apply the following restrictions in the Registry
> >> > | (or some other method):
> >> > |
> >> > | No Control Panel
> >> > | No Right-clicking on desktop
> >> > | Cannot alter desktop in any way (i.e. no display settings)
> >> > | No "Run" command
> >> > | Cannot change computer clock
> >> > | Force classic start menu
> >> > |
> >> > | Thanks.
> >> >
> >> > Group Policies
> >> >
> >> > Execute:
> >> > %windir%\system32\gpedit.msc
> >> >
> >> > --
> >> > Dave
> >> > http://www.claymania.com/removal-trojan-adware.html
> >> > http://www.ik-cs.com/got-a-virus.htm
> >> >
> >> >
> >>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Chris" <Chris@discussions.microsoft.com> wrote in message
news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
> Doug,
>
> Does this mean that even when the domain administrator logs into a
> computer
> where there is a local security policy set via gpedit.msc they will not be
> able to override any of the settings? How does the administrator manage
> the
> machine then?
>

In a domain use a domain group policy with loopback processing. Put the
computers in a separate OU with the appropriate group policy in loopback
mode. Give the domain admins group deny read permission for the policy so it
won't be applied to them.

Kerry
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Since I don't work with a domain environment, I can't answer that definitively. A local Admin should have the same privileges that are allowed via your domain group policy.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Chris" <Chris@discussions.microsoft.com> wrote in message news:9353404B-5340-460E-9E1C-EB1D40C01C76@microsoft.com...
> Oh, ok. But what about local admin? Are they stuck with the same policy as a
> normal user then?
>
> Thanks for your reply,
> Chris
>
> "Doug Knox MS-MVP" wrote:
>
>> If you're in a domain, the domain level policies should override any local policies, as far as I'm aware.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "Chris" <Chris@discussions.microsoft.com> wrote in message news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
>> > Doug,
>> >
>> > Does this mean that even when the domain administrator logs into a computer
>> > where there is a local security policy set via gpedit.msc they will not be
>> > able to override any of the settings? How does the administrator manage the
>> > machine then?
>> >
>> > Thanks,
>> > Chris
>> >
>> > "Doug Knox MS-MVP" wrote:
>> >
>> >> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
>> >>
>> >> --
>> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> >> Win 95/98/Me/XP Tweaks and Fixes
>> >> http://www.dougknox.com
>> >> --------------------------------
>> >> Per user Group Policy Restrictions for XP Home and XP Pro
>> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> >> --------------------------------
>> >> Please reply only to the newsgroup so all may benefit.
>> >> Unsolicited e-mail is not answered.
>> >>
>> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
>> >> > From: "Dave" <professorchaos75@gmail.com>
>> >> >
>> >> > | Hello all,
>> >> > |
>> >> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
>> >> > | I need to know how to apply the following restrictions in the Registry
>> >> > | (or some other method):
>> >> > |
>> >> > | No Control Panel
>> >> > | No Right-clicking on desktop
>> >> > | Cannot alter desktop in any way (i.e. no display settings)
>> >> > | No "Run" command
>> >> > | Cannot change computer clock
>> >> > | Force classic start menu
>> >> > |
>> >> > | Thanks.
>> >> >
>> >> > Group Policies
>> >> >
>> >> > Execute:
>> >> > %windir%\system32\gpedit.msc
>> >> >
>> >> > --
>> >> > Dave
>> >> > http://www.claymania.com/removal-trojan-adware.html
>> >> > http://www.ik-cs.com/got-a-virus.htm
>> >> >
>> >> >
>> >>
>>