Need Help setting Security Permissions for a new group...

Archived from groups: microsoft.public.win2000.group_policy

Hi.

Setting up a new local domain group on our W2k Server. I'd like the logged-in
users to do everything on the PC, EXCEPT install programs, and search network
shares. I just need to lock down those two settings for the group policy.

I started to set it up yesterday, but the options are endless, both a
blessing and curse for Windows 2000 Server.

Anyone with tips, please post comments/tips.

Thanks
 
Archived from groups: microsoft.public.win2000.group_policy

Well, from what you describe, that cannot be done effectively, because to do
everything else would require the user to be a local administrator. Local
administrators can of course install software. You can "hide" access to My
Network Places [user configuration/administrative templates/desktop], but
that still leaves ways for a user to search network shares via the browse
list with command line tools, etc., as long as NetBIOS over TCP/IP is enabled
on the network. You really need to depend on share permissions to restrict
what a user can access on a network and not worry about what they can see. I
can see the vault of my bank when I walk in, but that does not mean I can get
inside of it and loot it if I was so inclined.

If there is some way that the group can be a member of the local Users
group only on domain computers, then they will not be able to install most
software, such as software that can be used by all users or software that
writes to the Program Files folder or system folder. If the client computers
are using XP Pro, you can use Software Restriction Policies to restrict what
they can run and install with hash and path rules, and the local
administrators can also be restricted by configuring the enforcement rule,
though a knowledgeable user may figure out he can boot into safe mode to
bypass SRP if he is a local administrator. There are Group Policy settings
in Windows 2000 under user configuration/administrative templates/system
that can restrict what applications a user runs if the application cannot
be renamed, but that will apply to only domain users when configured at the
domain/OU level, and any user with local administrator capabilities can log on
to the computer locally via an account they create to bypass Group Policy
user configuration applied at the domain/OU level.

If you absolutely have to make the users local administrators, it still will
be worthwhile trying to use Group Policy to restrict them, as many users may
not even know the concept of an administrator account, but you have to beware
that it is not nearly a foolproof solution, particularly for the long run, as
some users figure out how to bypass policy and others catch on. Also make
sure you read the full description of any Group Policy setting before you
implement it, and set it up on a test OU before rolling out to all users.

---
Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 -- adding
setup.exe, msiexec.exe, and install.exe may help, for instance.
http://tinyurl.com/42dny -- the more restrictive Windows application
setting that is difficult to configure correctly.

"Courtney R" <CourtneyR@discussions.microsoft.com> wrote in message
news:C24EBDF3-FF62-4F16-A104-4A249F7703D0@microsoft.com...
> Hi.
>
> Setting up a new local domain group on our W2k Server. I'd like the log
> in
> users to do everything on the PC, EXCEPT Install programs, and search
> network
> shares. I just need to lock down those two settings for the group policy.
>
> I started to set it up yesterday, but the options are endless, both a
> blessing and curse for Windows 2000 Server.
>
> Anyone with tips, please post comments/ tips.
>
> Thanks
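An added audit script (not from the thread, and not a Microsoft tool) that checks, on one client, the two things Steve's reply turns on: whether the current user is a local administrator, and which executable names the "Don't run specified Windows applications" policy from KB 323525 currently blocks. The registry locations for DisallowRun and for the SRP enforcement scope are assumed from their documented layout; the expected list (setup.exe, msiexec.exe, install.exe) is the one suggested above.

```powershell
# Added example: audit the controls discussed in the thread on the local machine.
# Assumes PowerShell 2.0 or later on a domain-joined client; registry paths are assumed
# from the documented DisallowRun and Software Restriction Policies layouts.

function Test-LocalAdmin {
    # A local administrator can bypass both DisallowRun and SRP (safe mode, local accounts),
    # so any per-name blocking is advisory only for such a user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DisallowRunList {
    # User Configuration policy: HKCU\...\Policies\Explorer\DisallowRun = 1 enables it,
    # and the DisallowRun subkey holds values named 1, 2, 3 ... with bare file names.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $flag = (Get-ItemProperty -Path $base -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    if ($flag -ne 1) { return @() }
    $listKey = Join-Path $base 'DisallowRun'
    if (-not (Test-Path $listKey)) { return @() }
    return (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

function Get-SrpScope {
    # Assumed SRP enforcement keys: PolicyScope 0 = all users, 1 = all users except local admins.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'SRP not configured' }
    if ($p.PolicyScope -eq 1) { return 'SRP skips local administrators' }
    return 'SRP applies to all users'
}

$expected = 'setup.exe', 'msiexec.exe', 'install.exe'   # names suggested in the thread
$blocked  = @(Get-DisallowRunList)
$missing  = $expected | Where-Object { $blocked -notcontains $_ }

"Current user is local admin : $(Test-LocalAdmin)"
"DisallowRun entries         : $(if ($blocked) { $blocked -join ', ' } else { '(none)' })"
"Expected names not blocked  : $(if ($missing) { $missing -join ', ' } else { '(none)' })"
"SRP enforcement             : $(Get-SrpScope)"
# Note: DisallowRun matches on file name only, so a renamed copy of an installer is not covered;
# treat a 'True' admin result as meaning the name-based controls are not a security boundary here.
```

Run it under the account you are trying to restrict (the DisallowRun policy lives in HKCU, so it reflects that user's applied Group Policy), on a test OU first as the reply recommends.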