domain configuration

25 pts.
Domain management
Group Policy
Microsoft Management Console
I recently joined a company as a system administrator. Now I have to configure a domain where the users will not get any permission to change their desktop settings and also will not be allowed to add/remove any program. How do I implement this through Group Policy? Give me the detailed steps. Also, how do I implement Microsoft Management Console?

Answer Wiki


Will your users be using roaming profiles? If so, you can create a user and set up the desktop exactly the way that you want it. Then copy that user’s profile to a share on the network and make it read-only. Then point each user’s account to that profile for their roaming profile. They will be able to move and change things, but when they log on again it will be right back the way it started.

If the users are not added to any local or domain administrator groups then they will not be able to add or remove any programs by default. There is the problem of portable apps though. These are apps that don’t have an install. They just run from the directory that they are in. To stop users from running those you would need to look deeper into software restriction policies and application whitelisting so that they will not be able to run anything except the applications that you approve.

If you run into poorly written apps that require admin rights to run the app then use a program called regmon. Start this program and then open the program that requires admin access. The regmon program will show you exactly which registry settings this program is accessing. Then you can give that user group access to those specific registry keys so they will not require admin access to do it. You will also need a program called filemon. This program will allow you to see what files the program accesses during operation so that you can give the user group proper access to those as well.

When you create the profile, after you are done, change the profile to a mandatory profile by renaming the profile. Instead of ntuser.dat, you will have Mandatory profiles allow session changes but nothing is saved after the user logs off.

MMC is available simply by typing mmc at the run line. Click File | Add/Remove Snap-in to build consoles, and save when done.
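
The profile and group-membership steps from the answer above, as an added PowerShell example that is not part of the original answer: it checks that the shared profile folder is not writable by ordinary users, points every user in an OU at it, and reports any of those users who hold domain-level administrator rights (local Administrators groups on workstations are not covered). The OU, the share path and the trusted-principal pattern are constructed placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory
# Constructed placeholder values; replace with your own OU and share.
$SearchBase  = 'OU=Staff,DC=example,DC=com'
$ProfilePath = '\\fileserver\profiles$\locked'
$AdminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
# Principals allowed to keep write access to the profile folder (regex).
$Trusted     = 'BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|\\Domain Admins$'

# 1. The shared profile must not be writable by ordinary users.
#    Specific write/delete/ownership bits plus GENERIC_ALL and GENERIC_WRITE.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000
$writable = (Get-Acl -Path $ProfilePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notmatch $Trusted -and
    ([int]$_.FileSystemRights -band $writeBits) -ne 0
}
if ($writable) {
    $writable | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw 'Profile folder is writable by non-admin principals; fix the ACL first.'
}

# 2. Collect every account that is an administrator, directly or through nesting.
$adminDns = foreach ($group in $AdminGroups) {
    (Get-ADGroupMember -Identity $group -Recursive).distinguishedName
}

# 3. Point each user in the OU at the shared profile and flag admin accounts.
Get-ADUser -SearchBase $SearchBase -Filter * -Properties ProfilePath | ForEach-Object {
    if ($_.ProfilePath -ne $ProfilePath) {
        # -WhatIf only previews the change; remove it to apply.
        Set-ADUser -Identity $_ -ProfilePath $ProfilePath -WhatIf
    }
    [pscustomobject]@{
        User    = $_.SamAccountName
        IsAdmin = $adminDns -contains $_.DistinguishedName
    }
} | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

Any row with IsAdmin set to True is an account that can still install or remove software regardless of the profile settings.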
