29-12-2010, 09:53 PM
[Part 3] Creating a domain: Windows Server 2003 Group Policy
This is step three in Setting up and configuring Windows Server 2003. For this series of tutorials we are using Windows Server 2003 R2, Enterprise Edition x86.
Part one: http://mcompute.co.uk/showthread.php?tid=689
Part two: http://mcompute.co.uk/showthread.php?tid=700
In step three we are:
- Creating a new Group Policy for our Managers group
- Enabling several group policy objects
Background knowledge and understanding
Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and can't do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.
Further reading: http://en.wikipedia.org/wiki/Group_Policy
Steps
We're going to be creating a new group policy for a given group which we're then going to lock down.
1) Start > All Programs > Administrative Tools > Active Directory Users and Computers
2) Right-click the organizational unit that you created, then click Properties.
Under the Group Policy tab, click New.
3) To edit, enable or disable group policy objects, click the Edit button and it'll bring up a new window.
This is where the magic happens; become familiar with your new home.
4) For now, I'm going to make a list and explain the initial changes that I have made regarding my group policy.
I'm not going to print screen every single one because once you've done one, you can do as many as you want - it's the same process.
Note: You can click on the "Explain" tab for detailed information on what you're doing.
Enable the following settings
1) User Configuration > Administrative Templates > Windows Components > Windows Explorer
a) Remove Map Network Drive and Disconnect Network Drive
Prevents users from using Windows Explorer or My Network Places to map or disconnect network drives.
b) Hide these specified drives in My Computer (I enabled for C only)
Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.
c) Prevent access to drives from My Computer
If you enable this setting, users can browse the directory structure of the selected drives in My Computer or Windows Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
2) User Configuration > Administrative Templates > Windows Components > Internet Explorer
a) Disable changing home page settings
Prevents users from changing the home page of the browser. The home page is the first page that appears when users start the browser.
3) User Configuration > Administrative Templates > Start Menu and Taskbar
a) Remove Search menu from Start Menu
Removes the Search item from the Start menu, and disables some Windows Explorer search elements.
b) Remove Help menu from Start Menu
Removes the Help command from the Start menu.
c) Remove Run menu from Start Menu
Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.
d) Lock the Taskbar
If you enable this setting, it prevents the user from moving or resizing the taskbar.
4) User Configuration > Administrative Templates > Control Panel
a) Prohibit access to the Control Panel
This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items.
5) User Configuration > Administrative Templates > Control Panel > Display
a) Prevent changing wallpaper
Prevents users from adding or changing the background design of the desktop.
6) User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options
a) Remove Task Manager
Prevents users from starting Task Manager (Taskmgr.exe).
7) User Configuration > Administrative Templates > Control Panel > Desktop
a) Prohibit user from changing My Documents path
Prevents users from changing the path to the My Documents folder.
8) User Configuration > Administrative Templates > Control Panel > System
a) Prevent access to the command prompt
Disable the command prompt script processing also? No
Prevents users from running the interactive command prompt, Cmd.exe. This setting also determines whether batch files (.cmd and .bat) can run on the computer.
b) Prevent access to the registry editing tools
Disable regedit from running silently? Yes
Disables the Windows registry editor Regedit.exe.
Restart your client computer, and log back in. Good luck doing anything!
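To confirm on the client that the policy actually applied, the settings above can be checked against the registry values they write. The following is an added example, not part of the original tutorial: it parses a constructed `.reg` export of the user's policy keys and reports any value that is missing or differs. The value names and numbers are the commonly documented ones for these templates, and the drive mask assumes C: only; treat both as assumptions to verify against your own export.

```python
import re

EXP = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
SYS = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
CMD = r"hkey_current_user\software\policies\microsoft\windows\system"

# Assumed mapping from the tutorial's choices to registry values (verify locally).
EXPECTED = {
    (EXP, "NoDrives"): 4,              # hide C: only (bit 2 of the drive mask)
    (EXP, "NoViewOnDrive"): 4,         # prevent access to C: (assumed same drive)
    (EXP, "NoRun"): 1,                 # remove Run menu
    (SYS, "DisableTaskMgr"): 1,        # remove Task Manager
    (SYS, "DisableRegistryTools"): 2,  # regedit blocked, silent run blocked too
    (CMD, "DisableCMD"): 2,            # cmd.exe blocked, batch files still allowed
}

# Constructed sample: .reg-style export of a locked-down user's policy keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:00000004
"NoViewOnDrive"=dword:00000004
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000002
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
"""

def parse_reg(text):
    """Return {(lowercased key path, value name): int} for every dword value."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def drives_from_mask(mask):
    """Decode a NoDrives/NoViewOnDrive bitmask: bit 0 is A:, bit 2 is C:."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]

def audit(text):
    """Return {value name: (expected, found)} for missing or differing values."""
    found = parse_reg(text)
    return {name: (want, found.get((key, name)))
            for (key, name), want in EXPECTED.items() if found.get((key, name)) != want}
```

An empty result from `audit` means every listed setting is present with the expected value; any entry it returns names a restriction that did not reach the client as configured.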