Q

Preventing users from deactivating the Device Lock features

I am aware that a user should be assigned to relevant user groups like 'Authenticated Users' and so on. However, we have some legacy vendor applications that require administrative rights. For selected desktops, we installed the Device Lock software to prevent user access to removable devices like floppy drive. The problem is that a user belonging to the administrative group can stop the service locking the removable device and even install the Device Lock Manager to deactivate the device locking.

So far, I think the possible solutions to this problem are:
- Provide a limited user desktop by using system policy (WinNT) and LGPO (Win2000).
- Only allow icons to run apps.
- Restrict START/RUN.
- Disable the Command prompt.
- Disable File/Windows Explorer.
- Limit the Control Panel with no access to 'services'.

Is there anything else I can do to prevent the users from deactivating the Device Lock features?

In general, Administrators on the box "own" the box, and can do, well -- anything. To that end, why not pop these users into the Power Users group instead? Many, many legacy applications will run properly for users contained with Power Users. Give that a shot -- before going through all the hoops you've laid out.
This was first published in January 2004

Dig deeper on Microsoft Group Policy Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close