Least Privilege

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I am VERY anxious to find out how to actually get a windows xp (and 2000)
computer setup with least privilege.

I setup all my computers to start with as an adminitrator, and then give
them out to users to run. I want to be able to install what I need for them
to work, and then basically give the users no right whatsoever to the
computer as a user, other than the ability to run already installed programs.
I do not want them installing any program, changing or even seeing any
network, display, etc. settings.

I don't even want them saving files to the hard drive from Word or Excel
etc. as they have their own specific user directories on a backed up,
mapped network drive.

I also want them to be able to browse the internet and their web based
email, but not be able to install ANY chat software or ANY software
whatsoever.

Is this possible with Windows 2000 or XP? Is there anywhere I can chat
with administrators with the same concerns?

Thanks very much!

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Mark B" <MarkB@discussions.microsoft.com> wrote in message
news:F9029FA5-288D-46D2-8813-D0C8FBEB2F99@microsoft.com...
>I am VERY anxious to find out how to actually get a windows xp (and 2000)
> computer setup with least privilege.
>
> I setup all my computers to start with as an adminitrator, and then give
> them out to users to run. I want to be able to install what I need for
> them
> to work, and then basically give the users no right whatsoever to the
> computer as a user, other than the ability to run already installed
> programs.
> I do not want them installing any program, changing or even seeing any
> network, display, etc. settings.
>
> I don't even want them saving files to the hard drive from Word or Excel
> etc. as they have their own specific user directories on a backed up,
> mapped network drive.
>
> I also want them to be able to browse the internet and their web based
> email, but not be able to install ANY chat software or ANY software
> whatsoever.
>
> Is this possible with Windows 2000 or XP? Is there anywhere I can chat
> with administrators with the same concerns?
>

Are using active directory? If you are try using group policy to lock out
specific things like changing display settings, where they can save files,
installing programs etc.

Kerry

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Active Directory is a server function, not Win2K or XP

"Kerry Brown" wrote:

> "Mark B" <MarkB@discussions.microsoft.com> wrote in message
> news:F9029FA5-288D-46D2-8813-D0C8FBEB2F99@microsoft.com...
> >I am VERY anxious to find out how to actually get a windows xp (and 2000)
> > computer setup with least privilege.
> >
> > I setup all my computers to start with as an adminitrator, and then give
> > them out to users to run. I want to be able to install what I need for
> > them
> > to work, and then basically give the users no right whatsoever to the
> > computer as a user, other than the ability to run already installed
> > programs.
> > I do not want them installing any program, changing or even seeing any
> > network, display, etc. settings.
> >
> > I don't even want them saving files to the hard drive from Word or Excel
> > etc. as they have their own specific user directories on a backed up,
> > mapped network drive.
> >
> > I also want them to be able to browse the internet and their web based
> > email, but not be able to install ANY chat software or ANY software
> > whatsoever.
> >
> > Is this possible with Windows 2000 or XP? Is there anywhere I can chat
> > with administrators with the same concerns?
> >
>
> Are using active directory? If you are try using group policy to lock out
> specific things like changing display settings, where they can save files,
> installing programs etc.
>
> Kerry
>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Mark B" <MarkB@discussions.microsoft.com> wrote in message
news:AA5A14AA-34C0-44B9-9BA8-95C7366EA276@microsoft.com...
> Active Directory is a server function, not Win2K or XP
>

Active Directory is a network service. All computers, users, and devices on
the network can use it. It runs on a server or servers.

http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp

I was assuming you were an administrator for a network. If the network uses
AD you can use group policies so the W2k and XP machines do what you want.
The link is for Server 2003 but most of it applies to Server 2000 as well.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/featured/gp/default.mspx

If they are in a work group you can use group policies on the XP Pro
machines but you have to manually set the policies on each machine.

http://www.theeldergeek.com/group_policy_for_windows_xp_prof.htm

If you have more than a few machines networked together you should be
looking at implementing some form of management. AD and group policy is the
Microsoft way. There are other methods for Linux and Novell servers which
may or may not involve Active Directory.

Kerry