
How Do I Severely Restrict Users' Permissions?


9 replies to this topic

#1 Andrew


Posted 21 September 2006 - 02:13 AM

As part of my job, I administer a small computer lab for the use of people doing job searches and resumes, etc. I have four computers, three Compaq Deskpros running Windows 2000 Pro SP4 and the remaining computer, a Dell Optiplex 170L, running XP Pro SP2.

I spend a great deal of time changing minor settings back to what I want them (and my boss expects them) to be. Little things like the wallpaper (it should be a stylized version of the organization's logo) being changed to humorous and sometimes inappropriate images, changing the default home page to Yahoo, Google, or pages that are completely inappropriate instead of the special page I created specifically for that purpose (which, among other things, admonishes users NOT to change settings), the odd IE toolbar, and even deleting the printer (thereafter coming to me and complaining that the printer is "broken" :thumbsup: ). You get the idea. One user was even able to uninstall the antivirus software, though I have no idea how.

All the users need to be able to do is use the internet, MS Word, and several programs that are already installed (like a typing tutor, resume wizard, etc). Anything beyond that and I want a nice big "Access Denied, stop doing that, buster!" box to come up. If possible, I even want to prevent them from saving files to the hard drive (we give them floppies for free for that purpose).

Anyone have any ideas? Built in Windows options? Free or very cheap program (I have no budget whatsoever :huh: ).

Sorry about the ranting, but you'd think people who are looking for a job wouldn't have so much time to be screwing around with my computers!

Edited by Amazing Andrew, 21 September 2006 - 02:14 AM.




#2 Gyro


Posted 21 September 2006 - 10:18 AM

Well, viruses can do it, I don't see why we can't.... Well, I'm thinking, under folder properties there should be shared permissions... if you are able to use this strategically you can make it so they don't have the ability to change most of the objects... I believe there is a similar printer control... If you share certain things, try to make others off limits... I'll look it up for you and get back in a little

#3 acklan


Posted 21 September 2006 - 12:19 PM

Here is a link I used to lock down my computers from my kids. If you block the Run and Control Panel you should eliminate some of your problems. Also restrict the ability to install programs thru Permissions. Also, like others have suggested, padlock the case so that modifying the BIOS is more difficult, and move the boot order to HD only.

Edited by acklan, 21 September 2006 - 12:19 PM.

"2007 & 2008 Windows Shell/User Award"

#4 Joshuacat


Posted 21 September 2006 - 03:49 PM

Hi, Amazing Andrew: Is this part of a bigger network that uses a Microsoft server (2003 etc.)? You could use group policies to restrict access. It takes a great deal of planning and knowledge to get everything the way that you want it. Using a 3rd party tool like Acklan suggests may be a better option if you don't have the time, or knowledge, for learning and implementing group policies. Before you start implementing any option, make sure you have a full backup of all of the computers in your lab in case of problems.

http://en.wikipedia.org/wiki/Group_Policy

Hope that helps,

Edited by Joshuacat, 21 September 2006 - 03:51 PM.

JC

#5 Andrew


Posted 21 September 2006 - 06:04 PM

Thanks for the suggestions, folks. No, it's not part of our office network nor the local domain (it's completely isolated from our office computers for the very reasons I was complaining about, even has its own DSL line); it's on its own little workgroup.

I like the idea of changing the boot order and will implement that in about 12 minutes.

Putting padlocks on the cases seems a bit extreme, methinks. First off, three of the four machines are Compaq Deskpros which, as anyone who ever tried can tell you, are a royal pain in the posterior to open. The Dell, though, is much different as it makes opening the case simple and quick. However, given that several people's offices look into the lab, I don't think clients opening up the comps is really an issue.

#6 acklan


Posted 21 September 2006 - 08:05 PM

All it takes is one determined user to enter the case and either snatch the battery for a few seconds or remove the CMOS jumper. I went as far as JB Weld and a gate hasp to secure the case. If you have a spare puter, use it to run a proxy server so you can further control access. Take a look at Squid Web Proxy. It may or may not help with your project.
"2007 & 2008 Windows Shell/User Award"

#7 Enthusiast


Posted 23 September 2006 - 09:30 AM

It has been a while since I used W2K but you should be able to limit what they can do by making them limited users.

Some of the following may help:

This article describes how to use the Windows 2000 Terminal Services Application Security tool. If you are an administrator, you can use this tool to limit user access to a specific list of programs. The Application Security tool is included as-is in the Windows 2000 Resource Kit.
http://support.microsoft.com/kb/320181/en-us

How to Protect Windows NT Desktops in Public Areas
APPLIES TO
• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Professional Edition
http://support.microsoft.com/kb/143164/en-us

HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000
http://support.microsoft.com/kb/323525/en-us

Windows 2000 Microsoft Management Console and Snap-in Restrictions
http://support.microsoft.com/kb/271135/en-us


How To Create Custom MMC Snap-in Tools Using Microsoft Management Console
http://support.microsoft.com/kb/230263/en-us


HOW TO: Use Restricted Groups in Windows 2000
http://support.microsoft.com/kb/228496/en-us


HOW TO: Restrict Group Membership By Using Group Policy in Windows 2000
http://support.microsoft.com/kb/320045/en-us


Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301/en-us

Using Group Policy Objects to hide specified drives
http://support.microsoft.com/kb/231289/en-us

How to disable the use of USB storage devices
http://support.microsoft.com/kb/823732/en-us

How to set advanced settings in Internet Explorer by using Group Policy Objects
If the administrator does not want users to change the settings, the administrator can apply a restriction by using the Administrative templates in the GPO.
http://support.microsoft.com/kb/274846/en-us


How to Restrict the Shortcut and WinHelp Commands in HTML Help
http://support.microsoft.com/kb/810687/en-us

Edited by Enthusiast, 23 September 2006 - 09:31 AM.


#8 Guest_bg fun_*


Posted 17 November 2006 - 12:29 PM

...Or you can:

0.) format c:\
1.) Install WinXP SP2 fresh
2.) Install all the programs deemed necessary for the workstations
3.) Secure the computers using the suggestions already given here
4.) Go a few steps further and integrate something that comprehensively controls access, including port access. Registered Kerio Firewall software is a decent softcore solution, for example. BIOS passwords are always nice things with which one can at least temporarily annoy people who hack systems.
5.) Finally, use an application like DriveImage XML to make a copy of your WinXP Volume Shadow Copy whilst WinXP is running, back it up to a DVD-R or networked HDD, and spend around 10 minutes re-loading it back into your workstations if anyone ever manages to screw things up.

Fini. No more significant problems, other than Acts of $DEITY or EMP bursts in our skies. Have fun.

#9 Andrew


Posted 17 November 2006 - 02:54 PM

I solved the problem, sort of. We just replaced all the computers with new computers. Now the entire lab is running XP Pro SP2 (rather than a mix of XP Pro SP2 and 2000 Pro SP4). I decided to try MS's Shared Computer Tool Kit which is really great. Still has some glitches, though.

#10 instingkt


Posted 15 December 2006 - 12:47 PM

If it's on an AD network, you can limit what users do with group policy. We do this with selected workstations at our organization (all the way down to disabling the ability to right-click). If it's not on an active directory network, you can always implement these with local policies and just ensure that the users are placed in the local users group and definitely not in the local administrators group.
.frank.
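
An audit of the local-policy approach suggested in this thread for a workgroup machine, as an added example that is not code from any poster. It checks local Administrators membership plus the registry values behind the restrictions mentioned above (Run, Control Panel, printer deletion, wallpaper, IE home page, USB storage); the function name `Test-LabLockdown` and the allowed-administrator list are hypothetical, and it assumes it is run while logged on as the restricted lab account.

```powershell
# Added example: audit a standalone lab PC against the restrictions discussed in this thread.
# Run it in the restricted lab account's session, because the HKCU values are per user.
# Test-LabLockdown and the allowed-administrator list are hypothetical; adjust them to your lab.
function Test-LabLockdown {
    param([string[]]$AllowedAdmins = @('Administrator'))   # assumption: built-in admin only

    $findings = @()

    # 1. Local Administrators membership (works on workgroup machines, no AD required).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        if ($AllowedAdmins -notcontains $name) {
            $findings += "Unexpected local administrator: $name"
        }
    }

    # 2. Registry values written by the corresponding local policy settings.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $checks = @(
        @{ Path = "$pol\Explorer";      Name = 'NoRun';               Want = 1; What = 'Run command removed' },
        @{ Path = "$pol\Explorer";      Name = 'NoControlPanel';      Want = 1; What = 'Control Panel blocked' },
        @{ Path = "$pol\Explorer";      Name = 'NoDeletePrinter';     Want = 1; What = 'Printer deletion blocked' },
        @{ Path = "$pol\ActiveDesktop"; Name = 'NoChangingWallPaper'; Want = 1; What = 'Wallpaper locked' },
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
           Name = 'HomePage'; Want = 1; What = 'IE home page locked' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
           Name = 'Start';    Want = 4; What = 'USB storage driver disabled' }
    )
    foreach ($c in $checks) {
        $name = $c.Name
        $item = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $have = if ($item) { $item.$name } else { $null }   # missing key or value reads as $null
        if ($have -ne $c.Want) {
            $findings += "$($c.What): expected $name=$($c.Want), found '$have'"
        }
    }
    return $findings
}

$result = Test-LabLockdown
if ($result) { $result } else { 'All checked restrictions are in place.' }
```

Each line of output names one restriction that is missing or one account that should not be a local administrator, which makes it easy to re-run after users have had access to the machine.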



