Sign in with
Sign up | Sign in
Your question

Restricting Window$ XP Desktop

Last response: in Windows XP
Share
June 22, 2005 12:45:31 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello all,

I'm trying to manually "lock down" a limited WinXP Pro users account.
I need to know how to apply the following restrictions in the Registry
(or some other method):

No Control Panel
No Right-clicking on desktop
Cannot alter desktop in any way (i.e. no display settings)
No "Run" command
Cannot change computer clock
Force classic start menu

Thanks.
Anonymous
June 22, 2005 3:01:48 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

HOW TO: Use the Group Policy Editor to Manage Local Computer Policy in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882&Product=winxp

Doug's Windows XP Security Console
http://www.dougknox.com/xp/utils/xp_securityconsole.htm

[Courtesy of MS-MVP Doug Knox]


Please visit the experts in the Group Policy newsgroup
news://msnews.microsoft.com/microsoft.public.windows.group_p­olicy

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/window...

-------------------------------------------------------------------------------------------

"Dave" wrote:

| Hello all,
|
| I'm trying to manually "lock down" a limited WinXP Pro users account.
| I need to know how to apply the following restrictions in the Registry
| (or some other method):
|
| No Control Panel
| No Right-clicking on desktop
| Cannot alter desktop in any way (i.e. no display settings)
| No "Run" command
| Cannot change computer clock
| Force classic start menu
|
| Thanks.
|
Anonymous
June 22, 2005 3:56:36 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Dave" <professorchaos75@gmail.com>

| Hello all,
|
| I'm trying to manually "lock down" a limited WinXP Pro users account.
| I need to know how to apply the following restrictions in the Registry
| (or some other method):
|
| No Control Panel
| No Right-clicking on desktop
| Cannot alter desktop in any way (i.e. no display settings)
| No "Run" command
| Cannot change computer clock
| Force classic start menu
|
| Thanks.

Group Policies

Execute:
%windir%\system32\gpedit.msc

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Related resources
Anonymous
June 23, 2005 2:34:57 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
> From: "Dave" <professorchaos75@gmail.com>
>
> | Hello all,
> |
> | I'm trying to manually "lock down" a limited WinXP Pro users account.
> | I need to know how to apply the following restrictions in the Registry
> | (or some other method):
> |
> | No Control Panel
> | No Right-clicking on desktop
> | Cannot alter desktop in any way (i.e. no display settings)
> | No "Run" command
> | Cannot change computer clock
> | Force classic start menu
> |
> | Thanks.
>
> Group Policies
>
> Execute:
> %windir%\system32\gpedit.msc
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
Anonymous
June 23, 2005 11:44:12 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Doug Knox MS-MVP" <dknox@mvps.org>

| Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the
| computer.
|
| --
| Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
| Win 95/98/Me/XP Tweaks and Fixes
| http://www.dougknox.com
| --------------------------------
| Per user Group Policy Restrictions for XP Home and XP Pro
| http://www.dougknox.com/xp/utils/xp_securityconsole.htm
| --------------------------------
| Please reply only to the newsgroup so all may benefit.
| Unsolicited e-mail is not answered.

Thanx for the clarification Doug.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
September 14, 2005 12:18:02 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Doug,

Does this mean that even when the domain administrator logs into a computer
where there is a local security policy set via gpedit.msc they will not be
able to override any of the settings? How does the administrator manage the
machine then?

Thanks,
Chris

"Doug Knox MS-MVP" wrote:

> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
> > From: "Dave" <professorchaos75@gmail.com>
> >
> > | Hello all,
> > |
> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
> > | I need to know how to apply the following restrictions in the Registry
> > | (or some other method):
> > |
> > | No Control Panel
> > | No Right-clicking on desktop
> > | Cannot alter desktop in any way (i.e. no display settings)
> > | No "Run" command
> > | Cannot change computer clock
> > | Force classic start menu
> > |
> > | Thanks.
> >
> > Group Policies
> >
> > Execute:
> > %windir%\system32\gpedit.msc
> >
> > --
> > Dave
> > http://www.claymania.com/removal-trojan-adware.html
> > http://www.ik-cs.com/got-a-virus.htm
> >
> >
>
Anonymous
September 15, 2005 1:52:04 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

If you're in a domain, the domain level policies should override any local policies, as far as I'm aware.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Chris" <Chris@discussions.microsoft.com> wrote in message news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
> Doug,
>
> Does this mean that even when the domain administrator logs into a computer
> where there is a local security policy set via gpedit.msc they will not be
> able to override any of the settings? How does the administrator manage the
> machine then?
>
> Thanks,
> Chris
>
> "Doug Knox MS-MVP" wrote:
>
>> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
>> > From: "Dave" <professorchaos75@gmail.com>
>> >
>> > | Hello all,
>> > |
>> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
>> > | I need to know how to apply the following restrictions in the Registry
>> > | (or some other method):
>> > |
>> > | No Control Panel
>> > | No Right-clicking on desktop
>> > | Cannot alter desktop in any way (i.e. no display settings)
>> > | No "Run" command
>> > | Cannot change computer clock
>> > | Force classic start menu
>> > |
>> > | Thanks.
>> >
>> > Group Policies
>> >
>> > Execute:
>> > %windir%\system32\gpedit.msc
>> >
>> > --
>> > Dave
>> > http://www.claymania.com/removal-trojan-adware.html
>> > http://www.ik-cs.com/got-a-virus.htm
>> >
>> >
>>
September 15, 2005 1:52:05 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Oh, ok. But what about local admin? Are they stuck with the same policy as a
normal user then?

Thanks for your reply,
Chris

"Doug Knox MS-MVP" wrote:

> If you're in a domain, the domain level policies should override any local policies, as far as I'm aware.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "Chris" <Chris@discussions.microsoft.com> wrote in message news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
> > Doug,
> >
> > Does this mean that even when the domain administrator logs into a computer
> > where there is a local security policy set via gpedit.msc they will not be
> > able to override any of the settings? How does the administrator manage the
> > machine then?
> >
> > Thanks,
> > Chris
> >
> > "Doug Knox MS-MVP" wrote:
> >
> >> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
> >>
> >> --
> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> >> Win 95/98/Me/XP Tweaks and Fixes
> >> http://www.dougknox.com
> >> --------------------------------
> >> Per user Group Policy Restrictions for XP Home and XP Pro
> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> >> --------------------------------
> >> Please reply only to the newsgroup so all may benefit.
> >> Unsolicited e-mail is not answered.
> >>
> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
> >> > From: "Dave" <professorchaos75@gmail.com>
> >> >
> >> > | Hello all,
> >> > |
> >> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
> >> > | I need to know how to apply the following restrictions in the Registry
> >> > | (or some other method):
> >> > |
> >> > | No Control Panel
> >> > | No Right-clicking on desktop
> >> > | Cannot alter desktop in any way (i.e. no display settings)
> >> > | No "Run" command
> >> > | Cannot change computer clock
> >> > | Force classic start menu
> >> > |
> >> > | Thanks.
> >> >
> >> > Group Policies
> >> >
> >> > Execute:
> >> > %windir%\system32\gpedit.msc
> >> >
> >> > --
> >> > Dave
> >> > http://www.claymania.com/removal-trojan-adware.html
> >> > http://www.ik-cs.com/got-a-virus.htm
> >> >
> >> >
> >>
>
Anonymous
September 15, 2005 2:34:44 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Chris" <Chris@discussions.microsoft.com> wrote in message
news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
> Doug,
>
> Does this mean that even when the domain administrator logs into a
> computer
> where there is a local security policy set via gpedit.msc they will not be
> able to override any of the settings? How does the administrator manage
> the
> machine then?
>

In a domain use a domain group policy with loopback processing. Put the
computers in a separate OU with the appropriate group policy in loopback
mode. Give the domain admins group deny read permission for the policy so it
won't be applied to them.

Kerry
Anonymous
September 15, 2005 3:29:49 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Since I don't work with a domain environment, I can't answer that definitively. A local Admin should have the same privileges that are allowed via your domain group policy.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Chris" <Chris@discussions.microsoft.com> wrote in message news:9353404B-5340-460E-9E1C-EB1D40C01C76@microsoft.com...
> Oh, ok. But what about local admin? Are they stuck with the same policy as a
> normal user then?
>
> Thanks for your reply,
> Chris
>
> "Doug Knox MS-MVP" wrote:
>
>> If you're in a domain, the domain level policies should override any local policies, as far as I'm aware.
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "Chris" <Chris@discussions.microsoft.com> wrote in message news:6B751E40-5AB7-4AD0-B573-87DCD51CC885@microsoft.com...
>> > Doug,
>> >
>> > Does this mean that even when the domain administrator logs into a computer
>> > where there is a local security policy set via gpedit.msc they will not be
>> > able to override any of the settings? How does the administrator manage the
>> > machine then?
>> >
>> > Thanks,
>> > Chris
>> >
>> > "Doug Knox MS-MVP" wrote:
>> >
>> >> Note, in a non-domain environment, restrictions set thru GPEDIT apply to all users on the computer.
>> >>
>> >> --
>> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> >> Win 95/98/Me/XP Tweaks and Fixes
>> >> http://www.dougknox.com
>> >> --------------------------------
>> >> Per user Group Policy Restrictions for XP Home and XP Pro
>> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> >> --------------------------------
>> >> Please reply only to the newsgroup so all may benefit.
>> >> Unsolicited e-mail is not answered.
>> >>
>> >> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23jzh7L0dFHA.3184@TK2MSFTNGP15.phx.gbl...
>> >> > From: "Dave" <professorchaos75@gmail.com>
>> >> >
>> >> > | Hello all,
>> >> > |
>> >> > | I'm trying to manually "lock down" a limited WinXP Pro users account.
>> >> > | I need to know how to apply the following restrictions in the Registry
>> >> > | (or some other method):
>> >> > |
>> >> > | No Control Panel
>> >> > | No Right-clicking on desktop
>> >> > | Cannot alter desktop in any way (i.e. no display settings)
>> >> > | No "Run" command
>> >> > | Cannot change computer clock
>> >> > | Force classic start menu
>> >> > |
>> >> > | Thanks.
>> >> >
>> >> > Group Policies
>> >> >
>> >> > Execute:
>> >> > %windir%\system32\gpedit.msc
>> >> >
>> >> > --
>> >> > Dave
>> >> > http://www.claymania.com/removal-trojan-adware.html
>> >> > http://www.ik-cs.com/got-a-virus.htm
>> >> >
>> >> >
>> >>
>>
!