Need Help setting Security Permissions for a new group...H..

Archived from groups: microsoft.public.win2000.group_policy

Hi.

Setting up a new local domain group on our W2k Server. I'd like the log in
users to do everything on the PC, EXCEPT Install programs, and search network
shares. I just need to lock down those two settings for the group policy.

I started to set it up yesterday, but the options are endless, both a
blessing and curse for Windows 2000 Server.

Anyone with tips, please post comments/ tips.

Thanks
  1. Archived from groups: microsoft.public.win2000.group_policy

    Well from what you describe, that can not be done effectively because to do
    everything else would require the user to be a local administrator. Local
    administrators can of course install software. You can "hide" access to My
    Network Places [user configuration/administrative templates/desktop] but
    that still leaves ways for a user to search network shares via the browse
    list with command line tools, etc. as long as NetBIOS over TCP/IP is enabled
    on the network. You really need to depend on share permissions to restrict
    what a user can access on a network and not worry about what they can see. I
    can see the vault of my bank when I walk in but that does not mean I can get
    inside of it and loot it if I was so inclined.

    If there is some way that the group can be a member of the local users
    group only on domain computers then they will not be able to install most
    software such as software that can be used by all users or software that
    writes to the program files folder or system folder. If the client computers
    are using XP Pro you can use Software Restriction Policies to restrict what
    they can run and install with hash and path rules and the local
    administrators can also be restricted by configuring the enforcement rule
    though a knowledgeable user may figure out he can boot into safe mode to
    bypass SRP if he is a local administrator. There are Group Policy settings
    in Windows 2000 under user configuration/administrative templates/system
    that can restrict what applications a user runs if the application can not
    be renamed but that will apply to only domain users when configured at the
    domain/OU level and any user with local administrator capabilities can log on
    to the computer locally via an account they create to bypass Group Policy
    user configuration applied at the domain/OU level.

    If you absolutely have to make the users local administrators it still will
    be worthwhile trying to use Group Policy to restrict them as many users may
    not even know the concept of an administrator account but you have to beware
    that it is not near a foolproof solution, particularly for the long run as
    some users figure out how to bypass policy and others catch on. Also make
    sure you read the full description of any Group Policy setting before you
    implement it and set it up on a test OU before rolling out to all users. ---
    Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 -- adding
    setup.exe, msiexec.exe, and install.exe may help for instance..
    http://tinyurl.com/42dny -- the more restrictive Windows application
    setting that is difficult to configure correctly.

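
The reply above rests on two controls: keep the group out of local Administrators, and restrict access with share permissions rather than by hiding shares. The script below is an added example, not part of the original thread, that audits both on one machine. It assumes Windows PowerShell 5.1 or later (the LocalAccounts and SmbShare modules, which postdate Windows 2000) and uses a hypothetical group name, `CONTOSO\Restricted Users`.

```powershell
# Added example, not from the original thread. Run elevated on Windows PowerShell 5.1+.
# 'CONTOSO\Restricted Users' is a hypothetical group name; substitute your own.
param([string]$RestrictedGroup = 'CONTOSO\Restricted Users')

# Principals broad enough that any grant to them also covers the restricted users.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# True when an account name is the restricted group or one of the broad principals.
function Test-CoversRestrictedUsers([string]$Account) {
    $Account -eq $RestrictedGroup -or $Account -in $broad -or $Account -like '*\Domain Users'
}

# Check 1 (workstations): nobody covering the restricted users may sit in the
# local Administrators group (well-known SID S-1-5-32-544), because local
# administrators can install software and sidestep domain-level user policy.
$adminFindings = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { Test-CoversRestrictedUsers $_.Name } |
    ForEach-Object {
        [pscustomobject]@{
            Check   = 'LocalAdministrators'
            Target  = $env:COMPUTERNAME
            Account = $_.Name
            Detail  = 'member of local Administrators'
        }
    }

# Check 2 (file servers): hiding My Network Places does not stop browsing, so
# list every share-level Allow entry that reaches the restricted users.
$shareFindings = Get-SmbShare |
    Where-Object { -not $_.Special } |      # skip ADMIN$, C$, IPC$ and similar
    Get-SmbShareAccess |
    Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        (Test-CoversRestrictedUsers $_.AccountName)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Check   = 'ShareAccess'
            Target  = $_.Name
            Account = $_.AccountName
            Detail  = "$($_.AccessRight) allowed at share level"
        }
    }

# One combined report; no rows means neither check found an exposure.
@($adminFindings) + @($shareFindings) | Sort-Object Check, Target | Format-Table -AutoSize
```

Share-level entries are only one layer: NTFS permissions on the shared folder still apply, and effective access is the more restrictive of the two.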