Windows XP Group Policy for a lab administrator

  • Question

  • Hello and thank you in advance for any help that you can give me.  I am an administrator for a private computer lab at a university.  In an effort to maintain the status and security of my machines I want to prevent some of the users from making changes to the computers.  In total, I have 7 PCs that I would like to place identical policies on.  As users need access, I create an account for them and change settings so that they are "restricted users" and change their passwords upon initial login.  However, I would like to make the restrictions more stringent than they are for this kind of user.  I have looked at the group policy editor and begun to change some settings, but was discouraged that I cannot make some of these changes without also affecting the administrator account.

    Overall, I want to create a group on each machine that I can put new accounts in.  I'd like it if I can create a policy for this group on one of my machines, save it to an external hard drive and import these settings on the rest of my machines to automate the process as much as is possible.

    Because I'm not comfortable making these changes, I'm hoping that I can get some advice as to which settings I should change, and where in the gpedit to look for them, to implement the following:

    1.  Create generic settings for Internet Explorer (and hopefully Mozilla Firefox by having Firefox import these settings) and put them in place to keep the users from saving history, passwords, changing the homepage and lowering the security settings that I want to have on the machines.

    2.  Lock the desktop so that no files or folders can be saved there or removed from there. 

    3.  Lock all folders except the My Documents folder so that no user can save files elsewhere or delete any files.

    4.  Prevent the user from changing screensavers, desktop backgrounds, or anything in the control panel.

    5.  If this is possible, add websites to a block list if it becomes necessary.

    The IT department at the university I work for wants me to put in a "deep freeze" to save the state of all but a partition of the hard drive.  I like this idea except for the fact that some of our users would not have the credentials to log in to their setup.  Is there any way that I can implement these policies using the group policy editor?

    Thank you so much for your help.

    Friday, March 18, 2011 6:14 PM

Answers

  • Hello Jim16020,

    Well, although you can't restrict users on all the points which you have mentioned above, you can apply some restrictions to them.

    In the Group Policy, open Local Policies -> User Rights Assignment and Security Options.

    In these two folders you will find policies that you can create to restrict the users.

     

    • Proposed as answer by abhijeet2rai Sunday, March 20, 2011 11:21 AM
    • Marked as answer by jrm16020 Sunday, March 20, 2011 2:42 PM
    Sunday, March 20, 2011 10:50 AM
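
    Added example, not part of the original thread or the answer above: a batch script that creates a local group for the restricted accounts and copies the Local Policies settings from one reference PC to the others with the built-in secedit tool. The group name LabUsers, the file E:\labpolicy.inf and the database and log names are assumptions. It covers only the security settings found under the two folders named in the answer.

```batch
@echo off
rem Added example. Run from an administrator account.
rem Usage: labpolicy.cmd export   (on the configured reference PC)
rem        labpolicy.cmd apply    (on each of the other PCs)
rem Assumed names: group LabUsers, template on the external drive E:
setlocal
set GROUP=LabUsers
set TEMPLATE=E:\labpolicy.inf
set DB=%windir%\security\database\labpolicy.sdb
set LOG=%windir%\security\logs\labpolicy.log

rem Create the local group for restricted lab accounts if it is missing.
net localgroup "%GROUP%" >nul 2>&1
if errorlevel 1 net localgroup "%GROUP%" /add /comment:"Restricted lab accounts"

if /i "%~1"=="export" goto export
if /i "%~1"=="apply" goto apply
echo Usage: %~nx0 export ^| apply
exit /b 2

:export
rem USER_RIGHTS is User Rights Assignment. SECURITYPOLICY holds Security
rem Options and also the account, audit and event log policies.
secedit /export /cfg "%TEMPLATE%" /areas SECURITYPOLICY USER_RIGHTS
if errorlevel 1 (echo Export failed & exit /b 1)
echo Exported to %TEMPLATE%. Review the file before applying it elsewhere.
exit /b 0

:apply
if not exist "%TEMPLATE%" (echo %TEMPLATE% not found & exit /b 1)
rem Check the template syntax first, then apply only the two exported areas.
secedit /validate "%TEMPLATE%"
if errorlevel 1 (echo Template failed validation & exit /b 1)
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /areas SECURITYPOLICY USER_RIGHTS /log "%LOG%" /quiet
if errorlevel 1 (echo Apply did not complete cleanly, see %LOG% & exit /b 1)
echo Policy applied. Log: %LOG%
exit /b 0
```

    These settings are machine-wide, so check the exported file on a single PC before applying it to the remaining ones.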

All replies

  • Just to help with understanding, I am a graduate student employee for the University. 
    Friday, March 18, 2011 9:18 PM