none
Group level vs. SS restrictions RRS feed

  • Question

  • Do the group level and the SS restrictions mesh together or does take precidence over the other?

    Wednesday, September 5, 2007 2:54 PM

Answers

  • Hi Texkonc,

     

    Thank you for the detailed background information.

     

    Please understand administrator accounts can open SteadyState and make changes. Thus, the restrictions in your profile templates may be modified by administrator users. If you would like to prevent users from doing this, you may consider the following restrictions in SteadyState:

     

    1. Open SteadyState -> User Setting, click one user account.

    2. Under Windows Restrictions -> General Restrictions, select the following check boxes: (Which will prevent users from editing group polices)

     

     Prevent access to the registry editor

     Disable System Tools and other management programs

     

    3. Under Block Programs, click Brower to locate SteadyState program: C:\Program Files\Windows SteadyState\SCTUI.exe. Click Block to add it to the block list.

     

     

    To restrict some specific websites, you can use IE’s Content Advisor feature. Please refer to the following thread:

     

    http://forums.microsoft.com/WindowsToolsandUtilities/ShowPost.aspx?PostID=1909916&SiteID=69

     

    Please also understand that SteadyState only make restrictions to user profile. It’s still recommend installing antivirus and antispyware programs to protect the computers.

     

    Best Regards,

    Wednesday, September 12, 2007 7:29 AM

All replies

  • Hi Texkonc,

     

    What’s the “Group level” you refer to.

     

    If it means the User Group, please refer to the following information.

     

    The restrictions under “Global Computer Settings” will apply to the computer object, which means every user/group will be affected.

     

    SteadyState restrictions for user accounts were implemented using group policy and registry changes. When a user is created and added to a group. The group template which contains needed group policies will be applied to the user profile. After configuring SteadyState restrictions, related group policy settings will also be written to the user profile. If they are conflict with the original polices, the original ones will be overwritten. On the other hand, if you restore the group policies manually, the corresponding restriction options in SteadyState will be uncheck automatically.

     

    If anything is unclear, feel free to let me know. 

     

    Best Regards,

    Friday, September 7, 2007 7:06 AM
  • This is what I meant:

    You have an admin and give them medium restrictions in SS, and have a non-admin with medium restictions in SS; the two accounts wont be the same even with the SS restrictions because of the group memberships.  The medium restirictions will not throw out the admin policy if using SS, it will just restrict an admin more.

    Tuesday, September 11, 2007 12:05 AM
  • Hi Texkonc,

     

    Your understanding is correct. SteadyState restriction group policies only overwrite corresponding policies which came from user group. It will not change your user group. Based on my experience, restricted user can be used under most of public circs. Would you please explain your situation more? May be we can start with an restricted user and then add more privilege to it.

     

    Regards,

    Tuesday, September 11, 2007 2:14 AM
  • Right now I am testing it to be deployed to over 1,000 workstations in the future.  I am just running one test box at corporate right now, we are going to field test the software to one of new store with just one PC in the office.  We want to help elimiate virus/spyware and lock down users.

    Every field user is an admin.  we want to help restrict sites like Myspace, etc....

    The field computers are not domain pc, just authenticated by local machine.

    A majority of our locations do their office applications on local machine, and do the sales and event planning in a Terminal session.

    I have only been with the company for about a month, and I want to slow down the time I spend on cleaning an infected computer.

    Since all the computers are already imaged, what I was going to do is make profile templates and use the import/export.  then keep all the accounts in a ZIP/RAR and pull certin users when needed.  The users logon is their title with the location number in it, so that makes it easy for templates.

     

    Tuesday, September 11, 2007 2:52 AM
  • Hi Texkonc,

     

    Thank you for the detailed background information.

     

    Please understand administrator accounts can open SteadyState and make changes. Thus, the restrictions in your profile templates may be modified by administrator users. If you would like to prevent users from doing this, you may consider the following restrictions in SteadyState:

     

    1. Open SteadyState -> User Setting, click one user account.

    2. Under Windows Restrictions -> General Restrictions, select the following check boxes: (Which will prevent users from editing group polices)

     

     Prevent access to the registry editor

     Disable System Tools and other management programs

     

    3. Under Block Programs, click Brower to locate SteadyState program: C:\Program Files\Windows SteadyState\SCTUI.exe. Click Block to add it to the block list.

     

     

    To restrict some specific websites, you can use IE’s Content Advisor feature. Please refer to the following thread:

     

    http://forums.microsoft.com/WindowsToolsandUtilities/ShowPost.aspx?PostID=1909916&SiteID=69

     

    Please also understand that SteadyState only make restrictions to user profile. It’s still recommend installing antivirus and antispyware programs to protect the computers.

     

    Best Regards,

    Wednesday, September 12, 2007 7:29 AM