Re: Locking Down A Computer Lab

From: Nepatsfan (nepatsfan_at_SBXXXIX.com)
Date: 05/17/05

  • Next message: sidey: "Re: Removing all norton products...." 
    Date: Tue, 17 May 2005 00:28:46 -0400

    Glad to hear you're making progress. Keep in mind that the
    suggestions I passed along cover only the most basic issues
    you'll need to address. Unless you want to find out how creative
    the kids can be I'd suggest that you tighten your security ASAP.
    You can either use the Local Group Policy or, as suggested by
    Terry King, use Doug Knox's Security Console.

    Good luck 

    -- 
Nepatsfan
"mjfmn" <mjfmn@discussions.microsoft.com> wrote in message 
news:9020F4FC-3AB0-4E6C-8DF5-407FE20F6AE4@microsoft.com...
> Nepatsfan, that was great!  I got everything done in just a 
> couple hours!
> Now I can move on to other issues - like writing a Proper Usage 
> document all
> the kids have to sign!
>
> Thanks again!
>
> Mike
>
> "Nepatsfan" wrote:
>
>> I'm guessing that these machines are not part of a domain. If
>> they are, post back with that info as that would make a big
>> difference in my answer. I'm also guessing that you have the
>> Professional version of XP as opposed to Home Edition.
>>
>> That said, here are some suggestions you might consider
>> implementing:
>>
>> 1. Put passwords on both the built in administrator account 
>> and
>> the account you created that is a member of the administrators
>> group. Make sure it's something you'll remember but your users
>> won't be able to guess. It's OK if it's the same for both
>> accounts.
>>
>> If these machines have floppy drives or, better yet, you have 
>> a
>> USB flash drive you might want to run the "Forgotten Password
>> wizard". Here's how:
>>
>> http://www.petri.co.il/what's_the_password_reset_disk_in_windows_xp.htm
>>
>> I'd suggest leaving the limited account with a blank password.
>>
>> 2. Configure all machines to logon with the limited accounts 
>> by
>> doing the following:
>>
>> Go to Start -> Run.
>> Enter the following into the Open box:
>>
>> control userpasswords2
>>
>> Click OK.
>> Uncheck "Users must enter a user name and password to use this
>> computer".
>> In the box that pops up, replace Administrator in the "User 
>> Name"
>> box with your limited user account. Enter your password twice.
>> Note: You can leave the password box blank if your account 
>> does
>> not have a password.
>> Click OK twice and reboot to see if you get the desired 
>> results.
>>
>> When you want to logon with your administrative account you 
>> can
>> log off the limited account. The Welcome screen will be 
>> displayed
>> which should contain the icon for your administrative account.
>> Alternatively, you can hold down the shift key while windows 
>> is
>> starting. This will bring you directly to the Welcome screen.
>>
>> 3. If running XP Professional in a workgroup:
>>
>> Right click on My Computer and select Manage from the drop 
>> down
>> menu.
>> In the Local Users and Groups section click on the Users.
>> Right click on the limited account and select Properties.
>> Put a check mark in the box next to "User cannot change 
>> password"
>> as well as "Password never expires".
>> This should prevent someone from assigning a password to this
>> account. If you don't do this you're probably going to find
>> yourself having to reset the password often.
>>
>> 4. If you plan on using the Local Group Policy to restrict the
>> limited accounts you will need to use one of the procedures
>> outlined in these articles to prevent the policies from being
>> applied to members of the administrators group:
>>
>> Applies to XP as well as Win2K:
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B293655
>>
>> Group policy in a workgroup:
>> http://www.theeldergeek.com/gp07.htm
>>
>> Be careful with Group Policy. It's not that hard to configure 
>> it
>> in such a way that you lock yourself out of the computer.
>>
>> Good luck
>>
>> -- 
>> Nepatsfan
>> "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
>> news:38DC0237-0AE0-4C91-85C0-FCC9C7644890@microsoft.com...
>> > Jerry, thanks for the response.  Sadly, I don't have the
>> > opportunity to get
>> > those books (we don't even have a book store in our little
>> > town), or that
>> > much time.  The lab goes into use on Tuesday, May 17th.  If
>> > someone could
>> > just tell me what I need to do to accomplish these two tasks
>> > (going to a
>> > restricted user at boot and / or changing the default login 
>> > to
>> > a restricted
>> > user), that would get me far enough to lock it down by the 
>> > time
>> > the doors
>> > open.
>> >
>> > Thanks again!
>> > Mike
>> >
>> > "Jerry" wrote:
>> >
>> >> Try the Group Policy Editor and do some reading:
>> >>
>> >> Windows XP Booklist
>> >>
>> >> Microsoft Windows XP Inside Out 2nd ed  ISBN 0-7356-2044-X
>> >> Microsoft Windows XP Professional Resource Kit 2nd ed  ISBN
>> >> 0-7356-1974-3
>> >> Microsoft Windows Command-Line  ISBN 0-7356-2038-5
>> >> Windows XP Pro 2nd ed The Missing Manual  ISBN 
>> >> 0-596-00898-8
>> >> Windows XP in a Nutshell, 2nd Edition  ISBN 0-596-00900-3
>> >> Windows XP Annoyances, 2nd ed  ISBN 0-596-00876-7
>> >> Windows XP Hacks, 2nd ed  ISBN 0-596-0000918-6
>> >> Windows XP Solutions  ISBN 0-7645-6773-X
>> >> Windows XP Speed Solutions  ISBN 0-7645-7814-6
>> >> Guide to Home Networking  ISBN 0-7645-4473-X
>> >>
>> >> Downloadable Guides
>> >>
>> >> XP Tweak Guide (TweakGuides_XPTC.zip) from
>> >> wwww.TweakGuides.com
>> >> Windows Registry Guide (registryguide2003.exe) from
>> >> www.winguides.com
>> >> Error Message for Windows (MSWinErr.zip) from
>> >> www.gregorybraun.com
>> >>
>> >> "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
>> >> news:1B199E31-2849-4524-BA18-4C59387D6031@microsoft.com...
>> >> > Hello!  I have 16 XP SP2 machines I just installed in a
>> >> > computer lab, and
>> >> > I
>> >> > want to lock them down.  I got each of them setup today,
>> >> > used a password
>> >> > for
>> >> > the administrator, then setup a new user for each one
>> >> > (lab01, lab02,
>> >> > etc.).
>> >> > When I was all done I wanted to change the permission on 
>> >> > the
>> >> > user from
>> >> > administrator level to restricted, so I rebooted, went 
>> >> > into
>> >> > safe mode as
>> >> > administrator.  I was told I couldn't change the user 
>> >> > from
>> >> > administrator
>> >> > because there had to be one computer administrator (I
>> >> > thought the
>> >> > "administrator" log in was that?).  I created a new user
>> >> > that I would give
>> >> > low rights to, but when the computer is booted up it 
>> >> > gives
>> >> > the option of
>> >> > choosing a users - that kind of negates what I'm trying 
>> >> > to
>> >> > do!  I'd just
>> >> > like
>> >> > it so the computer boots up to the restricted user.
>> >> >
>> >> > I need to lock down these computer so no one installs any
>> >> > software,
>> >> > disables
>> >> > antivirus or Adaware, etc.  Does anyone have any tips I 
>> >> > can
>> >> > use?  Thanks
>> >> > so
>> >> > much!
>> >> >
>> >> > Mike, MIS Director
>> >>
>> >>
>> >>
>>
>>
>>
  • Next message: sidey: "Re: Removing all norton products...."

    Relevant Pages