The Windows Security dialog box is the window that appears when the CTRL-ALT-DEL key sequence is pressed on a domain client when a user is logged on. This dialog box displays various details about the current logon session (current user account, time, and date) and offers several command buttons. Depending on the security policy of your organization, you may not want to grant end users access to all of the capabilities this dialog box presents.
Fortunately, Active Directory Group Policy Objects can be used to control which of these command buttons are active and which are disabled. With a bit of planning, you can customize various command button configurations for specific users or groups. The settings that control the command buttons on the Windows Security dialog box are located in the User Configuration section of a GPO under Administrative Templates, System, Ctrl-Alt-Del Options.
The command buttons include the Task Manager, Lock Computer, Change Password, Logoff, Shut Down, and Cancel. There are GPO controls for the first four of these command buttons. To control whether users can shut down a system, manage the "Shut down the system" user right in the User Rights policy of the Computer Configuration section of a GPO.
The Task Manager button is used to open or launch the Task Manager. The Remove Task Manager GPO control disables this button and prevents the Task Manager from being launched by any means. Any attempt by a user to launch the Task
The Lock Computer button is used to lock a computer so a user can walk away from their desktop without logging out or violating security policy. The problem is that only the specific person who locked a computer can unlock it. This can be a problem if a user is away from their desk and an administrator needs access to the system. The Remove Lock Computer GPO control disables the lock computer feature.
Users change their passwords using the Change Password button. But some security policies dictate that passwords should not be changed at will but only at designated time intervals. The Remove Change Password GPO control disables this button and forces users to wait until the system prompts them to change their password based on the maximum password age control in the Password policy.
The Logoff button is used to log the current user off so another user can log on. You should disable the Logoff button on systems that are restricted to a single dedicated user account, such as a kiosk or a dedicated security station. The Remove Logoff GPO control disables this button and prevents all means of logging off the current user.
Remember that multiple GPOs can be assigned to each AD container. Within each AD container, multiple GPOs have an application priority order, and the last GPO to be applied takes precedence. Each assigned GPO has security permissions associated with it. By denying a specific user or group Read permission on a GPO, you effectively prevent that GPO from being applied to them.
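Because several GPOs may apply to a user and Read-permission filtering can silently exclude one, it is worth verifying the resulting state on a client rather than trusting the GPO design. The following PowerShell script is an added example, not part of the original article: it reads the per-user policy registry values that the four Ctrl-Alt-Del Options settings write (the value names and key paths come from the policy templates, not from the article) and compares them against an expected baseline. The baseline values in the last line are constructed for illustration.

```powershell
# Added example (not from the original article): audit which Windows Security
# dialog buttons are disabled for the current user by reading the registry
# values that the User Configuration Ctrl-Alt-Del Options policies write.
# Value-to-policy mapping is taken from the policy templates, not the article.

$systemKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

$policyMap = @(
    @{ Policy = 'Remove Task Manager';    Button = 'Task Manager';    Key = $systemKey;   Value = 'DisableTaskMgr' }
    @{ Policy = 'Remove Lock Computer';   Button = 'Lock Computer';   Key = $systemKey;   Value = 'DisableLockWorkstation' }
    @{ Policy = 'Remove Change Password'; Button = 'Change Password'; Key = $systemKey;   Value = 'DisableChangePassword' }
    @{ Policy = 'Remove Logoff';          Button = 'Logoff';          Key = $explorerKey; Value = 'NoLogoff' }
)

function Get-CtrlAltDelButtonState {
    foreach ($entry in $policyMap) {
        # A missing key or value means the policy is Not Configured, so the button stays enabled.
        $data = Get-ItemProperty -Path $entry.Key -Name $entry.Value -ErrorAction SilentlyContinue
        $disabled = ($null -ne $data) -and ($data.($entry.Value) -eq 1)
        [pscustomobject]@{
            Button   = $entry.Button
            Policy   = $entry.Policy
            Disabled = $disabled
        }
    }
}

function Test-CtrlAltDelBaseline {
    # $Expected maps button name -> $true if the button must be disabled, $false if it must stay enabled.
    param([Parameter(Mandatory)][hashtable]$Expected)
    $actual = Get-CtrlAltDelButtonState
    $drift = 0
    foreach ($button in $Expected.Keys) {
        $state = $actual | Where-Object Button -eq $button
        if ($null -eq $state) { Write-Warning "Unknown button name: $button"; $drift++; continue }
        if ($state.Disabled -ne $Expected[$button]) {
            Write-Warning ("{0}: expected Disabled={1}, found Disabled={2}" -f $button, $Expected[$button], $state.Disabled)
            $drift++
        }
    }
    return $drift   # number of buttons whose state differs from the baseline
}

Get-CtrlAltDelButtonState | Format-Table -AutoSize

# Constructed baseline for a kiosk-style account: Task Manager and Logoff removed, the rest available.
$driftCount = Test-CtrlAltDelBaseline -Expected @{ 'Task Manager' = $true; 'Logoff' = $true; 'Lock Computer' = $false; 'Change Password' = $false }
"Buttons out of baseline: $driftCount"
```

Run it in the session of the user whose GPO assignment you are checking; if a button reports the wrong state, review GPO precedence and the Read permissions on each linked GPO as described above.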
James Michael Stewart is a researcher and writer for Lanwrights, Inc.
This was first published in October 2002