Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Advice wanted on setting user permissions - Group policy etc [message #157589] Thu, 09 July 2009 11:13
eggedd2k, United Kingdom
I'm just in the process of setting up a couple of shiny new Dell
servers for our organisation. They're going to be replacing our
existing Windows 2000 Server infrastructure.

I want to get permissions for users correct from the start.


Basically I want to achieve the following:

- Users can run all of our core business apps
- Users cannot install any software (i.e. downloading and installing
apps etc)
- Users cannot access their C: drive (for obvious reasons)
- Users cannot access display properties (basically no custom
wallpaper/screensavers)


Locking down the C: drive etc I already have in place via Group Policy
but with regards to allowing users to run core business apps without
giving them permissions to install software I would like some advice
on.

Am I right in saying users need to be in the Power Users group?
Presumably anything higher than this is more than a user should be
able to do?

thanks in advance
Re: Advice wanted on setting user permissions - Group policy etc [message #157593 is a reply to message #157589] Thu, 09 July 2009 11:53
aceman, United States
"eggedd2k" <chrisnrach17@aol.com> wrote in message news:146da741-4223-4f80-a780-06b064cbf16e@b15g2000yqd.googlegroups.com...
> I'm just in the process of setting up a couple of shiny new Dell
> servers for our organisation. They're going to be replacing our
> existing Windows 2000 Server infrastructure.
>
> I want to get permissions for users correct from the start.
>
>
> Basically I want to achieve the following:
>
> - Users can run all of our core business apps
> - Users cannot install any software (i.e. downloading and installing
> apps etc)
> - Users cannot access their C: drive (for obvious reasons)
> - Users cannot access display properties (basically no custom
> wallpaper/screensavers)
>
>
> Locking down the C: drive etc I already have in place via Group Policy
> but with regards to allowing users to run core business apps without
> giving them permissions to install software I would like some advice
> on.
>
> Am I right in saying users need to be in the Power Users group?
> Presumably anything higher than this is more than a user should be
> able to do?
>
> thanks in advance


I don't think that Power Users will do the trick. That may give them a bit more than you are planning. I would look at the applications in use, which folders they are installed in, the changes they make while the app is in use, as well as possibly registry locations that the app may or may not be making changes in, and apply Modify (not FC) to those folders and registry settings for the app. To determine which registry settings are being changed, you can use something like ART (Adv Reg Tracer), to see what changes are being made.

It's a little involved with a GPO, but it's totally possible. I have one client that I restrict everything. For their apps, which in this case their apps don't require registry mods, I simply give them Modify on the apps' folders, and they're good to go. They can't install anything, no ActiveX objects, nor can they access C: drive.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org
http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
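
The approach described in the reply above (Modify rather than Full Control on an application's folder and registry key, for standard users), as an added example that is not part of the original thread. The group name, folder path and registry key are hypothetical placeholders, and the registry right set is an assumed approximation, since registry keys have no "Modify" right.

```powershell
# Added example. Run from an elevated PowerShell session.
# Hypothetical names: replace with your own group, install folder and key.
$Group     = 'CONTOSO\BusinessAppUsers'
$AppFolder = 'C:\Program Files\ExampleApp'
$AppRegKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

$none  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Folder: grant Modify, inherited by subfolders and files. Modify lets the
# app write its data but does not allow changing permissions or ownership.
$fsInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl  = Get-Acl -Path $AppFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Group, 'Modify', $fsInherit, $none, $allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# Registry: read + write + delete is used here as the closest equivalent
# to Modify (assumption), inherited by subkeys.
$regInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$regAcl  = Get-Acl -Path $AppRegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
               $Group, 'ReadKey, WriteKey, Delete', $regInherit, $none, $allow)
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AppRegKey -AclObject $regAcl

# Check: flag any Allow entry that gives the group Full Control on either
# object, for example one left behind by an installer or an earlier fix.
foreach ($path in $AppFolder, $AppRegKey) {
    $tooBroad = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        "$($_.FileSystemRights)$($_.RegistryRights)" -match 'FullControl'
    }
    if ($tooBroad) {
        Write-Warning "$Group has Full Control on $path"
    } else {
        Write-Output "OK: no Full Control for $Group on $path"
    }
}
```

Test with a standard user account that is not a member of Power Users or Administrators to confirm the application still runs with only these grants.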