GPO Granularity

    Question

  • Our enterprise consists of 99% laptop users who work from home approximately 50% of the work week. Our AD servers run Server 2008 R2 with 7 Pro client machines. We would like to create a GPO that disables users' ability to install any applications locally on their machine, as well as disable any modifications to the C:\Windows\System32 directory or access to the registry editor.

    The challenge we find is that there are certain abilities we would like to allow, such as toggling the Wi-Fi adapter for users whose Wi-Fi sometimes locks up. Does this level of granularity exist when creating a GPO? Setting to Standard user basically locks down everything. Our main goal is to keep users from installing applications from a security standpoint. We would like to allow the user to access Device Manager.


    Hank Vare

    Friday, December 18, 2015 3:01 PM

Answers

  • > to allow such as toggling the Wifi adapter for users whose Wifi
     
    Should work when you add them to the network operators group.
     
    > We would like to allow the user to access Device Manager.
     
    Then it will be complicated - "viewing" is ok for standard users, but
    adding/removing hardware or updating drivers is not.
     
    Friday, December 18, 2015 3:14 PM
  • Hi,
     
    On 18.12.2015 at 16:01, techrep43 wrote:
    > We would like to create a GPO that disables user ability to install
    > any applications locally to their machine as well as disable any
    > modifications to the C:\Windows\System32 directory or access the
    > registry editor.
     
    That's easy: Remove them from the local group Administrators.
    Done. Establish AppLocker to deny software that only needs to be
    unzipped. That's it.
     
    There is no other way.
     
    > Setting to Standard user basically locks down everything.
     
    That's the right way to handle it.
    What should they change?
     
    IP address?
    -> Network Configuration Operators on this machine
     
    Access RDP on this machine?
    -> Remote Desktop Users of this machine
     
    Poor software that doesn't run?
    -> extend NTFS rights in %programfiles%\poorsoftware\nameoffile
    -> or in registry HKLM
     
    All of those goals can easily be implemented by GPO.
     
    An Admin is an Admin is an Admin, you can NOT restrict him.
     
    Restricting Admins with GPOs is like being a little bit pregnant.
    You can't be ..
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Friday, December 18, 2015 3:20 PM
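The recipe spread across the two answers above (take users out of local Administrators, hand out only Network Configuration Operators or Remote Desktop Users membership where a user needs it, widen NTFS and HKLM permissions for one badly written application rather than promoting the user, and let AppLocker block binaries that were merely unzipped into the profile) as one PowerShell script, added here as an example; it is not code from the original thread or from either poster. It runs the per-machine equivalent of what the answers describe doing through GPO (Restricted Groups or Group Policy Preferences Local Users and Groups for the group memberships, the File System and Registry security nodes for the exception, and the AppLocker node for the rules), which is useful for testing a design on one laptop before rolling it out. Assumptions that are not from the post: the LocalAccounts module (Windows 10 / PowerShell 5.1 or later) and the AppLocker module are present; on Windows 7 the group changes would instead be made with `net localgroup` or the ADSI `WinNT://` provider. The domain, user name, application folder and registry key are placeholders. One caveat the thread does not mention: Windows 7 Professional, the client in the question, can store AppLocker rules but does not enforce them; Enterprise, Ultimate and Server 2008 R2 do, and on Pro the fallback is Software Restriction Policies.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Placeholders below must be replaced.
# Assumes the LocalAccounts and AppLocker PowerShell modules are available.

$Domain    = 'CORP'                            # placeholder domain NetBIOS name
$User      = "$Domain\jdoe"                    # placeholder standard user
$AppDir    = 'C:\Program Files\PoorSoftware'   # placeholder: badly written app folder
$AppRegKey = 'HKLM:\SOFTWARE\PoorSoftware'     # placeholder: HKLM key that app writes to

# 1. Standard user: make sure the account is not in the local Administrators group.
function Remove-LocalAdmin {
    param([string]$Account)
    $member = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.Name -eq $Account }
    if ($member) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Account
        "Removed $Account from Administrators"
    } else {
        "$Account is already a standard user"
    }
}

# 2. Delegate only what the user needs: Wi-Fi/IP changes and, if wanted, RDP access.
#    Returns the list of groups the account ends up in.
function Grant-ScopedRights {
    param([string]$Account, [switch]$NetworkConfig, [switch]$RemoteDesktop)
    $groups = @()
    if ($NetworkConfig) { $groups += 'Network Configuration Operators' }
    if ($RemoteDesktop) { $groups += 'Remote Desktop Users' }
    foreach ($g in $groups) {
        $already = Get-LocalGroupMember -Group $g | Where-Object { $_.Name -eq $Account }
        if (-not $already) { Add-LocalGroupMember -Group $g -Member $Account }
    }
    $groups
}

# 3. "Poor software" exception: widen NTFS and HKLM rights on just that app's folder
#    and key. Granting to BUILTIN\Users covers every standard user on the machine,
#    and nothing outside the two paths changes.
function Grant-AppWriteAccess {
    param([string]$Path, [string]$RegPath, [string]$Principal = 'BUILTIN\Users')
    if (Test-Path $Path) {
        # (OI)(CI) = inherit to files and subfolders, M = Modify
        icacls $Path /grant "${Principal}:(OI)(CI)M" | Out-Null
    }
    if (Test-Path $RegPath) {
        $acl  = Get-Acl $RegPath
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $Principal, 'SetValue,CreateSubKey,ReadKey', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $RegPath -AclObject $acl
    }
}

# 4. AppLocker: allow only executables that already live under Program Files and
#    Windows, so an .exe unzipped into the profile is denied. Signed files get
#    publisher rules, unsigned ones hash rules; -Optimize merges duplicates.
#    Caveat: Windows 7 Professional stores but does not enforce these rules.
function New-AllowInstalledAppsPolicy {
    param([string]$OutFile = "$env:TEMP\applocker-allow-installed.xml")
    $info = foreach ($dir in @($env:ProgramFiles, $env:SystemRoot)) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe
    }
    New-AppLockerPolicy -FileInformation $info -RuleType Publisher,Hash -User Everyone -Optimize -Xml |
        Out-File $OutFile -Encoding UTF8
    $OutFile
}

# Usage on one machine (replace the placeholders first):
Remove-LocalAdmin -Account $User
Grant-ScopedRights -Account $User -NetworkConfig
Grant-AppWriteAccess -Path $AppDir -RegPath $AppRegKey
$policy = New-AllowInstalledAppsPolicy

# Dry run before enforcing: would a binary unzipped into Downloads be allowed?
Test-AppLockerPolicy -XmlPolicy $policy -Path "$env:USERPROFILE\Downloads\tool.exe" -User Everyone

# To enforce locally, merge the policy and make sure the Application Identity
# service is running; in a domain, import the same XML into the GPO instead:
# Set-AppLockerPolicy -XmlPolicy $policy -Merge; Start-Service AppIDSvc
```

The order matters: the exception in step 3 is what keeps step 1 honest, because the usual reason users end up back in Administrators is one application that writes into its own Program Files folder or an HKLM key. Run Test-AppLockerPolicy against a few known-good and known-bad paths before merging the policy, since a missing publisher or hash rule for something under Program Files blocks that program for everyone once AppLocker is enforcing.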

All replies

  • I agree to a certain extent here. You can definitely delegate granular admin rights, much more so than with group policy, using a tool like System Frontier. There are tons of use cases where a user needs certain admin rights, but not others.

    There are a lot of ways to accomplish most of this, as is stated above, but sometimes a purpose-built tool can make life so much easier in the long run.

    Thursday, January 28, 2016 11:40 PM