Creating a system policy to lock down all users except administrator
Brief: I am building a 'Master' Windows 2000 Pro machine to be imaged for distribution to around 25 machines in an education environment. The cloned machines will be connecting to an NT4 server on a domain. I am having difficulty locking down the machines for all users except the administrator (it's easy to lock down all users including administrator).
Basically, I want to create a Win2k policy file and ensure it applies to all users of a computer except the administrator. Authentication will be provided by the NT4 DC. Local user profiles will be deleted on shutdown/startup, and roaming profiles are not going to be used.
Any assistance would be greatly appreciated.
The problem with NT 4.0 System Policies is that they change the operation of the machine on a more permanent basis than we administrators usually intend. So, say a domain user named Joe logs in to the machine. He has a very restrictive policy. The policy generally changes a bunch of registry options to lock down the machine. Now, Joe logs off. The settings imprinted in the registry (or tattooed, as some MS literature says) are not removed when Joe logs out. Now the administrator logs in. Generally, you have made it so that the Administrator does not have a policy applied, figuring he will have free rein of the machine. Nope. You have to specifically create a system policy that counteracts each change you forced in Joe's more restrictive policy. This will alter the registry settings back, allowing the Administrator account access. Thankfully, Windows 2000 Group Policies (created in Active Directory) do NOT work this way.
This was first published in June 2002