3aFaReeT
Posted October 20, 2011 (edited)

Dear All,

We've quite a good number of Windows XP PCs that are running in a workgroup due to some legacy software requirements.

I need to restrict access to certain things such as

Control Panel
My Computer (Explorer)
IE
CDRom
etc...

I remember using this kind of software a long time back but I can't recall their names.

Can anyone help me out?

I know this can be done via either a registry change or gpedit... but since there are lots of PCs I'd prefer a software to do so.

Kindly help.

NOTE: I need a free software if possible.

Regards...
Basim

Edited October 20, 2011 by 3aFaReeT

Wolfbane
Posted October 20, 2011

Just run a script on every computer to automate the registry changes? Should be simpler and faster than any software.

3aFaReeT (Author)
Posted October 20, 2011

Could you recommend me a script, cause I'm weak in this stuff, or you may create one for me :)

Midge
Posted October 20, 2011

> Could you recommend me a script, cause I'm weak in this stuff, or you may create one for me :)

Google it, it's easy.

3aFaReeT (Author)
Posted October 20, 2011

guys... can anyone help me out with a correct script

+BudMan (MVC)
Posted October 20, 2011

Why don't you just move to AD vs a workgroup? Then you can set group policy that all machines will get, and you can lock down the machines as you want with a few clicks. No software to install, no scripts to run on each machine, etc.

If you were more specific on exactly how you want to lock it down, could point you to the exact settings you need to make. And could put together the script or .reg file to make the settings for you.

For example, you don't want any access to Explorer at all? Keep in mind they could most likely just run cmd and get access to files, or many software programs' file dialogs could be used to circumvent this type of lock down.

If you don't want them to use the Cdrom -- i.e. boot from, access while logged in - what exactly? You can turn off the cdrom in BIOS as an extreme method of preventing access to it.

As to Control Panel - do you want to prevent specific changes they make in CP, or just not let them run it at all?

sc302 (Veteran)
Posted October 20, 2011

Yes, please give specifics. Most of what you want can be done with local group policies, but domain group policies would be better as they can be user specific (user a is locked, user b is unlocked, user c has some user a restrictions but has some other user b unrestricted access...etc)....basically it is built into Windows, and being that you are running Windows XP you can use Steady State.

http://download.cnet...4-11127965.html
http://www.microsoft...ls.aspx?id=4310

For Windows 7, to replicate Steady State features (this is a very good read for sys admins):

http://www.microsoft...s.aspx?id=24373

3aFaReeT (Author)
Posted October 20, 2011

Dear all,

Thanks for your reply.

I can't join these PCs to the domain since they are running a legacy application. These PCs are computer name dependent and are there across all the 84 branches.

For example, in each branch the PC names MUST start with this sequence:

WS01
WS02
and so on

If I join the PCs to our central domain I won't be able to repeat the same names in the other branch, which will make the application fail.

I can't create a domain/child domain for each and every branch, which would create a very complex setup.

This branch application requires the user to have administrative privileges to run the application successfully, therefore I'm looking to lock down Windows (XP) as much as possible in order to avoid users messing around with it.

You may suggest better ways of doing it. From my end I thought to lock off all common resources from them:

CDROM
Floppy
USB Storage devices
My Computer
CMD
Control Panel
RUN box
and so on

Please suggest, and I really highly appreciate the people who tried to support :)

Thanks

James812
Posted October 20, 2011

You could apply a local group policy to restrict these things. Then have the folder (%systemroot%\system32\GroupPolicy) that stores the group policy give the permission deny read for the administrators group, so it bypasses the group policy when an admin logs in.

That works if you are running Windows XP Pro.

sc302 (Veteran)
Posted October 20, 2011

> Dear all,
>
> Thanks for your reply.
>
> I can't join these PCs to the domain since they are running a legacy application. These PCs are computer name dependent and are there across all the 84 branches.
>
> For example, in each branch the PC names MUST start with this sequence: WS01, WS02 and so on.
>
> If I join the PCs to our central domain I won't be able to repeat the same names in the other branch, which will make the application fail.
>
> I can't create a domain/child domain for each and every branch, which would create a very complex setup.
>
> This branch application requires the user to have administrative privileges to run the application successfully, therefore I'm looking to lock down Windows (XP) as much as possible in order to avoid users messing around with it.
>
> You may suggest better ways of doing it. From my end I thought to lock off all common resources from them: CDROM, Floppy, USB Storage devices, My Computer, CMD, Control Panel, RUN box and so on.
>
> Please suggest, and I really highly appreciate the people who tried to support :)
>
> Thanks

Did you even look at Windows Steady State.....you can lock down the hard drive so that users can't make changes, you can pretty much make it idiot proof. There is your free suggestion that will do what you want.

It is not recommended to use Steady State in an Active Directory environment.

+BudMan (MVC)
Posted October 21, 2011

"this branch application requires the user to have administrative privileges to run the application successfully"

Sorry, if I have local admin there is NOTHING you can do to the box that I can not undo.. You could prevent access to cdrom/usb etc in the BIOS and set a password, which local admin does not have control over.

And sorry, there is no such thing as an application that requires Local Admin -- just work through what it's doing and give that user the permissions the application needs, be it registry keys, specific folders, etc. Giving users local admin to run an application is a shortcut to doing it correctly!

Other than that, yeah, something like Steady State would be your only option, but if the user has local admin there is prob a way around its limitation. Steady State was designed more for public access type machines where the user does not have local admin on the machine.

But I really would suggest you look into AD vs workgroups!!! As to domains, how would 84 domains be complex in a forest?? The limit of 2003 is like 1200 domains in the forest.

I would say having to deal with workgroups would make the job much harder than having an Active Directory to control users and computers with. Sharing resources between locations is now secure and easy because you have 1 central userbase of resource accounts, be it users or computers.

You say the application uses ws01 and ws02, etc.. So?? Why can you not use ws01 through ws25 in location 1, and ws26 to ws50 in location 2, ws51 to ws75 in the next, etc. etc.?

sc302 (Veteran)
Posted October 21, 2011

There is nothing free that would allow you to lock down a local admin. There are pay-for tools.

http://www.horizonda...om/175608.ihtml

Technically though, in many cases with software like this, if they have admin access they can boot into safe mode and disable the DLLs and whatnot from running.

The only other thing you can do is put on software like an enterprise install of DeepFreeze. The only way to unlock it is either by admin console or by a randomly generated token code. This gets loaded at the Windows bootloader level and requires a reboot to "thaw" to allow changes to be made or updates to be done.

ndoggfromhell
Posted October 21, 2011

We lock down the user. Make them a power user, then change the shortcut to the application they need to use and append it with "runas" and set it to save credentials. Run once, put in the admin password... voila. Success!

+BudMan (MVC)
Posted October 21, 2011

^ Not really the proper way either, but it's better than giving the user local admin. And it takes 2 seconds to do, where tracking down the permissions some applications need and setting them correctly could take a bit.

It's a suitable solution for crap software that was not written correctly.

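The registry route raised in the thread, as an added example that is not from any of the posters: a batch file using reg.exe to set the Explorer policy values and disable the storage drivers for the items the original poster listed. The drive letters are assumptions, and as the replies point out, an account with local admin rights can reverse every value set here.

```bat
@echo off
rem Added example (not from the thread): registry lockdown for one XP workstation.
rem Run it in the session of the account to restrict; the HKLM writes need admin rights.
setlocal EnableDelayedExpansion

set "EXPL=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "SYSP=HKCU\Software\Policies\Microsoft\Windows\System"
set "SVC=HKLM\SYSTEM\CurrentControlSet\Services"

rem Assumed drive letters to hide and block in Explorer: A and B (floppy), D (CD-ROM).
set "LETTERS=A B D"

rem NoDrives / NoViewOnDrive take a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
set "ALPHA=ABCDEFGHIJKLMNOPQRSTUVWXYZ"
set /a MASK=0
for %%L in (%LETTERS%) do (
    for /L %%I in (0,1,25) do (
        if /I "!ALPHA:~%%I,1!"=="%%L" set /a "MASK|=1<<%%I"
    )
)

rem Explorer shell restrictions: Control Panel, Run box, drives in My Computer.
reg add "%EXPL%" /v NoControlPanel /t REG_DWORD /d 1 /f
reg add "%EXPL%" /v NoRun          /t REG_DWORD /d 1 /f
reg add "%EXPL%" /v NoDrives       /t REG_DWORD /d %MASK% /f
reg add "%EXPL%" /v NoViewOnDrive  /t REG_DWORD /d %MASK% /f

rem DisableCMD: 2 blocks the interactive prompt but still lets batch files run
rem (1 would also block batch files, including this one on a re-run).
reg add "%SYSP%" /v DisableCMD /t REG_DWORD /d 2 /f

rem Start=4 marks a driver service as disabled; it takes effect after a reboot.
rem USBSTOR only exists once a USB storage device has been installed on the PC.
for %%S in (USBSTOR Cdrom Flpydisk) do (
    reg query "%SVC%\%%S" >nul 2>&1 && reg add "%SVC%\%%S" /v Start /t REG_DWORD /d 4 /f
)

rem Show what was written so the result can be checked per machine.
reg query "%EXPL%"
reg query "%SYSP%" /v DisableCMD
endlocal
```

The HKCU values only affect the account that ran the script, so it has to be run once per user profile on each PC.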