Archived from groups: microsoft.public.win2000.security (
More info?)
You should consider the possibility that students may be local
administrators. You should check a couple of those computers to see. There
are easily available fee tools on the internet that allow any user who can
boot a computer from a floppy or cdrom to become local administrator by
resetting the password of the local administrator account to a password that
they know. Configuring cmos to not allow booting from anything other than
the system disk will help but you still would need to password protect the
cmos settings and make sure they can not open the computer case to reset the
cmos. Even after doing that there may be ways to discover the cmos password.
Having said that you can use Group Policy Restricted Groups to enforce local
administrator membership though be default that setting will be applied only
every 90 minutes though that period can be reduced for computer
configuration. XP Pro will allow you to use Software Restriction Policies to
manage what software users can run and install and most XP Pro Group Policy
including Software Restriction Policies [computer configuration only I
believe though] can be managed in a Windows 2000 domain. Windows 2000 does
not include SRP. You need to rely on group membership, ntfs permissions, and
Group Policy Windows application settings available under user
configuration/administrative templates/ system to manage application use
though if a user can rename an application/executable they can bypass that
Group Policy settings. To start with add setup.exe, install.exe, and
msiexec.exe to the disallowed list. The links below should help get you
started. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://support.microsoft.com/?kbid=310791
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;203607
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx
"B. Meincke" <garyallan@highschool.ca> wrote in message
news:A438E710-899F-4CA5-8023-4BB013802094@microsoft.com...
> Could someone please help me find a way to deny members of a certain
> domain
> group (students, in this case) from installing software on our domain's
> 2K/XP
> clients? I understood that as limited users, this would not be possible,
> but
> students still seem able to install such things as Winamp...etc. Ideally,
> I
> would like to create a group policy on the server so that I don't have to
> impliment changes over dozens of clients.
>
> Thank you in advance for any insight in this manner.
> --
> BJM
> ACE Assistant
> Gary Allan High School