Re: Locking down a stand-alone 2000 Server with Group Poicy

From: Phillip McCollum (pmccollum_at_sanmanuel.com)
Date: 09/30/03

  • Next message: Tomas Wolf: "Re: protect MS Windows 95/98/Me" 
    Date: Mon, 29 Sep 2003 20:44:21 -0700
To: security-basics@securityfocus.com

    Hi Al,

    Since Local Machine Policy applies to all local users, the best way to go
    about this is through a login script. First create a security template,
    and then apply this template in the logon script (using secedit.exe) for
    the required users.

    Hope this helps,
    Phillip

    At 07:59 AM 9/29/2003, you wrote:
    >Apologies if this is slightly off topic, but I have a stand-alone laptop
    >running windows 2000 and it will be used for training external customers.
    >I've setup a user account which they will use to log in to the machine and
    >run our company application. I need to ensure that this user account can't
    >do anything on the laptop other than run the application. Things like the
    >run command, task manager, explorer, control panel etc all must be disabled.
    >
    >I was wondering what would be the best way to achieve this without
    >purchasing external software, I've played around with the group policy
    >editor snap in, but all the setting then apply to the administrator
    >account also. Has anyone got any suggestions, I found windows help pretty
    >confusing and geared towards group policy for domains rather than
    >stand-alone machines.
    >
    >Many thanks, Al
    >
    >_________________________________________________________________
    >Stay in touch with absent friends - get MSN Messenger
    >http://www.msn.co.uk/messenger
    >
    >
    >---------------------------------------------------------------------------
    >----------------------------------------------------------------------------

    Phillip McCollum
    MCP/CNA/A+
    Network Technician II
    San Manuel Band of Mission Indians
    pmccollum@sanmanuel.com

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

  • Next message: Tomas Wolf: "Re: protect MS Windows 95/98/Me"

    Relevant Pages

    • RE: EVENT ID 1000 and 1202 events in Application Log afterimporting a security template
      ... EVENT ID 1000 and 1202 events in Application Log afterimporting a security template ... I have seen this issue when you rename administrator account, ... the policy to rename the Admin account both at the same time. ... which is true for most policy settings. ...
      (Focus-Microsoft)
    • Re: Erratic slow login Win2k3 from XP SP2 - Profile GPO issue log
      ... I am not sure what the attempts to find .Net Framework policy ... Timeout in processing login script, profile, CSE ... now link your policies one at a time to it. ...
      (microsoft.public.windows.group_policy)
    • Re: Local Policy question
      ... opened the mmc and added the two snap-ins, ... local policy but how would I connect to another computer to apply my local ... > a security template that contains all setting ... > Roger Abell ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Powerful login script??
      ... Another way to solve this is to put your company's policy in the "Message ... > 3000 client computers will need to have SQL Server ODBC/OLEDB drivers installed IF you want the login script to run on each computer ... > The login script will be triggered by a GPO and will always run. ... The script will have logic to determine whether to popup your ...
      (microsoft.public.windows.server.scripting)
    • Re: Logon Script not running on stations
      ... What was the purpose of changing the scope of the login script? ... that once you move it to a container with only computers then user settings ... >I moved a .bat file logon script from the default doamin policy to a OU ...
      (microsoft.public.win2000.networking)