Ask the Expert

Creating a system policy to lock down all users except administrator

Brief: I am building a 'Master' Windows 2000 Pro machine to be imaged for distribution to around 25 machines in an education environment. The cloned machines will be connecting to an NT4 server on a domain. I am having difficulty locking down the machines for all users except the administrator (it's easy to lock down all users including administrator).

Basically, I want to create a Win2k policy file and ensure it applies to all users of a computer except the administrator. Authentication will be provided by the NT4 DC. Local user profiles will be deleted on shutdown/startup, and roaming profiles are not going to be used.

Any assistance would be greatly appreciated.


The problem with NT 4.0 System Policies is that they change the operation of the machine on a more permanent basis than we administrators usually intend. So, say a domain user named Joe logs in to the machine. He has a very restrictive policy. The policy generally changes a bunch of registry options to lock down the machine. Now, Joe logs off. The settings imprinted in the registry (or tattooed, as some MS literature says) are not removed when Joe logs out. Now the administrator logs in. Generally, you have made it so that the Administrator does not have a policy applied, figuring he will have free rein of the machine. Nope. You have to specifically create a system policy that counteracts each change you forced in Joe's more restrictive policy. This will alter the registry settings back, allowing the Administrator account access. Thankfully, Windows 2000 Group Policies (created in Active Directory) do NOT work this way.

This was first published in June 2002
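
The tattooing behaviour described in the answer can be modelled in a few lines. The following is an added example, not code from the original answer: it assumes the registry is a single dictionary seen by both logons (following the answer's description) and uses the three check-box states of the System Policy Editor (checked, cleared, grayed). The value names are sample labels and the helper names are hypothetical.

```python
# Model of NT 4.0 System Policy processing (added example, not from the original page).
# Each policy setting has three states, as in the System Policy Editor check boxes:
#   True  (checked) -> write the restriction into the registry
#   False (cleared) -> actively remove the restriction from the registry
#   None  (grayed)  -> leave whatever is already in the registry untouched

def apply_policy(registry, policy):
    """Apply a policy to a registry dict in place and return it."""
    for value_name, state in policy.items():
        if state is True:
            registry[value_name] = 1
        elif state is False:
            registry.pop(value_name, None)
        # state None: the setting is ignored, so an earlier tattoo survives
    return registry

def counter_policy(restrictive_policy):
    """Build the policy that explicitly clears every setting the restrictive one enforces."""
    return {name: False for name, state in restrictive_policy.items() if state is True}

def active_restrictions(registry):
    """Return the sorted names of restrictions currently set in the registry."""
    return sorted(name for name, data in registry.items() if data == 1)

# Constructed sample policies; the value names are illustrative labels only.
JOE_POLICY = {"NoRun": True, "NoDesktop": True, "DisableRegistryTools": True, "NoFind": None}
ADMIN_NO_POLICY = {name: None for name in JOE_POLICY}  # every box left grayed

def demo():
    """Joe logs on, then the administrator without and with a counteracting policy."""
    registry = {}
    apply_policy(registry, JOE_POLICY)
    after_joe = active_restrictions(registry)
    apply_policy(registry, ADMIN_NO_POLICY)
    after_admin_unset = active_restrictions(registry)
    apply_policy(registry, counter_policy(JOE_POLICY))
    after_admin_counter = active_restrictions(registry)
    return after_joe, after_admin_unset, after_admin_counter

if __name__ == "__main__":
    labels = ("Joe logs on", "Admin, no policy", "Admin, counter policy")
    for label, result in zip(labels, demo()):
        print(f"{label:22} -> {result}")
```
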
