Restrict SteadyState Admin Console to Domain Admins

  • Question

    We are using SteadyState in an internal training lab. We need our users to have local admin rights to install software for and during the training sessions. Therefore we would like to restrict access to the SteadyState and WDP to domain admins only, to prevent the users from saving changes permanently, or shutting WDP down completely.

    Our users need to use their domain accounts for the training, so using the local accounts is not an option.

    We do not require other restrictions, as they should be able to configure and use the PC as they would their own workstations.

    Appreciate any ideas...


    Thursday, October 11, 2007 9:36 AM

Answers

  • Hi Steady_Ed,

     

    To achieve this, you can configure a group policy and then apply it to all the lab computers.

    -------------------------

    1. Create a group policy on your Domain Controller.

    2. Locate: Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules

    3. Right click the blank space and then choose “New Hash Rule”.

    4. Locate the SteadyState program: C:\Program Files\Windows SteadyState\SCTUI.exe. Configure Security Level as Disallowed and click OK.

    5. Link the group policy to the lab computer OU.

     

    To keep this policy from applying to domain admins, you can refer to the following article to change the permissions of the policy.

     

    How To Keep Domain Group Policies from Applying to Administrator

    http://support.microsoft.com/?id=315675

     

    In addition, when configuring WDP, please also select the “Do not warn the administrator about losing changes before log off, restart, or shut down” option. This option will disable the WDP warning message when administrators log off, restart, or shut down.

     

    Best Regards,

    Friday, October 12, 2007 8:39 AM
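
A way to confirm on a lab PC that the hash rule from the steps above arrived and reaches local administrators, as an added example that is not part of the original answer. It reads the registry location where Group Policy stores Software Restriction Policy settings; `Test-SctuiHashRule` is a name made up here, and finding the rule by the file name in its FriendlyName or Description is an assumption about how the rule was created.

```powershell
# Added example: audit the SRP hash rule for SCTUI.exe on one lab PC.
# Test-SctuiHashRule is a name made up for this sketch.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Target    = 'C:\Program Files\Windows SteadyState\SCTUI.exe'  # path from the answer

function Test-SctuiHashRule {
    param([string]$Root = $SaferRoot, [string]$File = $Target)

    $result = New-Object PSObject -Property @{
        PolicyPresent   = (Test-Path $Root)
        AppliesToAdmins = $false
        RuleFound       = $false
        SizeMatches     = $false
    }
    if (-not $result.PolicyPresent) { return $result }

    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    # The trainees are local admins, so the rule only reaches them when it is 0.
    # A missing value is reported as False so that it gets reviewed.
    $scope = (Get-ItemProperty -Path $Root).PolicyScope
    $result.AppliesToAdmins = ($scope -eq 0)

    $hashKey = Join-Path $Root '0\Hashes'   # level 0 = Disallowed
    if (-not (Test-Path $hashKey)) { return $result }

    $name = [IO.Path]::GetFileName($File)
    foreach ($rule in Get-ChildItem $hashKey) {
        $p = Get-ItemProperty -Path $rule.PSPath
        # Assumption: the rule still carries the file name in its
        # FriendlyName or Description, as filled in when it was created.
        if ("$($p.FriendlyName) $($p.Description)" -notlike "*$name*") { continue }
        $result.RuleFound = $true
        # A hash rule matches one exact build of the file. If the size stored
        # with the rule differs from the installed file, the rule is stale.
        if ((Test-Path $File) -and ($p.ItemSize -eq (Get-Item $File).Length)) {
            $result.SizeMatches = $true
        }
    }
    return $result
}

Test-SctuiHashRule | Format-List
```

Run it on a lab PC after `gpupdate /force`. Any `False` in the output means the policy is missing, skips local administrators, or no longer matches the installed SCTUI.exe.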

All replies

  • Limiting access to SCTUI.EXE seems fairly reasonable, whether in a Domain or Workgroup scenario; however, how would this affect using a VB script to change the WMI values to control Windows Disk Protection?  Is there a way to block this, as well?
    Monday, August 18, 2008 1:57 PM