#1
just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,409
user security
I have set up a new domain controller on Windows 2003; all workstations that I have joined to the domain are running XP Pro.
I would like to have a general user login that is locked down good. After doing some reading on group policy and profiles, I see that there is not a simple way of doing this. Is there any way to just edit the built-in domain user account? One of the main things I want to prevent users from doing, aside from installing software, is changing the desktop background; however, it seems that Firefox can do this somehow no matter what. If someone can point me in the best direction or way to proceed, that would be most helpful (group policy, login script, etc...). Keep in mind that because of the anti-virus software, simple file sharing is turned off. In the future I will probably be adding another domain to this network, and I don't want anyone on the current domain to have access to files shared for users on the 2nd domain.

#2
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,385
If you make a new user/group, put it in an OU, and add a new group policy to the OU, you can lock down Windows and IE pretty good.
Any 3rd-party software...you have to look around for ADM or group policy templates. Here's one for Firefox...dunno how well it works, though, as I have not used it: http://www.frontmotion.com/Firefox/
__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.

#3
just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,409
OK, that doesn't sound too bad: create an OU, create a new user/group and put it in the OU, then add a new group policy to the OU, and make the users a member of only that group, is that right? And after doing that, if I move users to that OU, will that same policy apply the next time the user logs off/on a workstation?
What about having a standard desktop for all computers/users (same icons and such)? Would that be done using a script?

#4
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,385
Quote:
Quote:
If a group is in that OU, and a user is elsewhere but still a member of that group, the group policy will be enforced on that user.
Quote:
Before copying, make sure you run CCleaner to get rid of temp files, log files, browser cache/history/cookies, MRU settings, and anything else you don't want to carry over to every user that logs in. There are also usually some installer files you may be able to get rid of manually in the "application data" and "local settings" folders (but, if you're not sure if it can be deleted, google it and/or leave it alone). If there isn't much in the way of data in the user profile, I can usually shrink an XP profile down to about 37MB-50MB. You want to keep the profile as small as possible because every time a new user logs in, the contents of Default get copied into that new user's profile folder. So, if you have a 300MB default profile...it will take a few minutes before the user actually reaches the desktop because of the time it takes for the data to copy into the new profile.
Last edited by Force Flow; 11-26-2009 at 11:19 PM. Reason: additional info & clarifications

#5
just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,409
If I could just pick your brain for a week at work, that would be great.
Wouldn't happen to need a job for a week, would you? It could even be a work-from-home VPN thing... LOL jk. This will help if I ever have enough time to create separate user accounts for students (yes, I have been using one generic user account for all to log on with). What can I say, I'm the only IT person for an entire school district. I can't get away with this for much longer. I requested DeepFreeze, would be perfect for these types of issues, but it wasn't in the budget.
I have one last critical question. If I have 100 workstations on this domain, and the only people logging in are the ones I create in my new OU with my new group policy, none of which have admin rights (aside from me), and they don't always bother to log off, can I set up the domain controller to auto-install critical Windows updates without having to be hands-on for every workstation? We will not even discuss my web content filter proxy server nightmares, as it gives me a major headache.

#6
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,385
Quote:
Quote:
You can do bulk user management with various scripts and utilities. This one came up in Google, which looked interesting, which looks like it can create a whole slew of generic users (labuser01, labuser02, etc): http://blog.scorpiotek.com/2008/06/0...ive-directory/
Quote:
Quote:
http://en.wikipedia.org/wiki/Windows_SteadyState
I've done limited testing with SteadyState, and it seems to work surprisingly well. There is an ADM available for Active Directory, so you can manage it through group policy.
Quote:
Or, there are some group policy settings for Windows Update: http://support.microsoft.com/kb/328010
I'd just test to make sure the machine *actually* gets rebooted if there's no user intervention--it's not something I've tested myself. Also, I'm not sure if these settings would conflict with SteadyState or not, since SteadyState has its own built-in settings and functions that operate outside of the DeepFreeze-like functionality.
Quote:
I've heard good things about this content filter, but haven't had the chance to try it out myself: http://dansguardian.org/
And this firewall, if you're looking: http://www.smoothwall.org/
Although if you're not too familiar with Linux, those two might not be for you.
Last edited by Force Flow; 11-27-2009 at 09:18 AM.
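
Added example, not part of any post in this thread: a Python check of the Automatic Updates policy values that the Windows Update group policy settings write under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU`, flagging configurations that leave a machine unpatched when users stay logged on. `SAMPLE_REG` is a constructed `.reg` export and the function names are assumptions of this example.

```python
import re

AU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# Constructed sample: text of a .reg export of the policy key from one workstation.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
'''

def parse_au_policy(reg_text):
    """Return the DWORD values found under the Automatic Updates policy key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").upper() == AU_KEY.upper()
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit_unattended_patching(values):
    """List reasons this policy would leave a logged-on lab PC unpatched."""
    if not values:
        return ["no Automatic Updates policy applied"]
    findings = []
    if values.get("NoAutoUpdate", 0) == 1:
        findings.append("Automatic Updates is disabled by policy")
    if values.get("AUOptions") != 4:
        findings.append("AUOptions is not 4 (auto download and scheduled install)")
    if values.get("NoAutoRebootWithLoggedOnUsers", 0) == 1:
        findings.append("no automatic restart while a user is logged on")
    hour = values.get("ScheduledInstallTime")
    if hour is not None and not 0 <= hour <= 23:
        findings.append("ScheduledInstallTime is outside 0-23")
    return findings

if __name__ == "__main__":
    for finding in audit_unattended_patching(parse_au_policy(SAMPLE_REG)):
        print("FINDING:", finding)
```

Run against the constructed sample, the only finding is the restart setting, which is the case that matters when students do not log off.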

#7
just a tech
Join Date: Jul 2001
Location: central valley CA
Posts: 1,409
Quote:
OpenDNS pushes out their own advertisements, and I was afraid of giving up our very limited bandwidth. What I ended up going with was a hardware unit which works as a proxy server, but it is also a firewall, web filter, router, and a few other things. The price was cheaper than most anything else I could find. My biggest issue is, aside from working with a proxy server is a pain, every little change done to this unit requires it to be restarted, and yep, that's right, this drops everyone's internet for a minute. This has become more of an issue because, to my surprise, complaints/issues were with sites and software being blocked or not working, requiring troubleshooting-type changes to the unit. Well, you see the problem. Their support is pretty good though, and it has the ability to use domain login accounts and assign access accordingly; this way, when the request to see what students have been looking at on the internet comes (I know it's coming), I can just make a report of any account and show every site pulled up. Product is called 'SecureSchool', in case you're wondering.
Things would be much worse if I had to deal with staff running through it, but I only had to deal with students so far. I don't think they realize their request of having 4 buildings with both student and staff computers, and 2 internet sources, and they wanted students on the one, and staff on the other.
Anyway, sorry for the venting. I really can't express enough thanks for you guys here at pcmech for the help and information I get. Time and time again you guys save my butt. This is truly a site that has no equal; no longer is it giving me advice on which video card is better for my gaming rig, it has become a tool I use to do my job, this being in the area of education, located in California, which is having major issues because of budget, schools not getting what they need shutting down. The help I get here is helping students in one district have some of what they need while getting an education.
Really, no bs. Thanks!

#8
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,385
Quote:
Course, I block most ads with a hosts file, so if there are actually advertisements, that list might nuke them. That's another thing I considered toying with for a little while...deploying hosts file blocklists to the workstations to kill malware domains and annoying advertisements (especially bandwidth suckers). There was a good deployment script here that I was going to use: http://www.mvps.org/winhelp2002/hosts.htm
Additionally, to save a little on bandwidth, you might want to think about a DNS server that handles all DNS requests, but I'm thinking your hardware proxy might be handling that.
Quote:
Quote:
Quote:
Also, while I'm thinking about it...see if you can contact some of the area companies and ask if they have any older but usable tech stuff they're willing to donate...if you work in a public school district, the companies might be able to get a tax write-off. Granted, I'd rather have a set of homogeneous equipment to make deployment and maintenance easier, but having something is better than nothing at all.
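
Added example, not part of any post in this thread and not the deployment script linked above: a Python pre-deployment check for a downloaded hosts-format blocklist, keeping only entries that point a well-formed name at a sinkhole address, since any other mapping would redirect that name on every workstation rather than block it. The sample list, the host names in it and the function names are constructed for this example.

```python
import re

SINKHOLES = {"127.0.0.1", "0.0.0.0"}  # only addresses a blocklist entry may use
KEEP_LOCAL = {"localhost"}            # names the list must never redefine
HOST_RE = re.compile(r"(?=.{1,253}$)([a-z0-9_-]{1,63}\.)+[a-z0-9-]{2,63}$")

# Constructed sample of a downloaded list, including lines that must not be deployed.
SAMPLE = """\
# constructed sample blocklist
127.0.0.1  localhost
127.0.0.1  ads.example.net  # banner server
0.0.0.0    tracker.example.org
203.0.113.7  intranet.example.edu
127.0.0.1  bad host!.example
127.0.0.1  ADS.example.net
"""

def sanitize_blocklist(text):
    """Return (entries, rejected): (addr, host) pairs and (line_no, reason) pairs."""
    entries, rejected, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        if addr not in SINKHOLES:
            # Would redirect the name on every workstation instead of blocking it.
            rejected.append((line_no, "address is not a sinkhole"))
            continue
        if not names or not all(n in KEEP_LOCAL or HOST_RE.match(n) for n in names):
            rejected.append((line_no, "malformed host name"))
            continue
        for name in names:
            if name not in KEEP_LOCAL and name not in seen:
                seen.add(name)
                entries.append((addr, name))
    return entries, rejected

def render_hosts(entries):
    """Hosts file text: the fixed localhost line first, then the blocked names."""
    lines = ["127.0.0.1 localhost"] + [f"{a} {n}" for a, n in entries]
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    good, bad = sanitize_blocklist(SAMPLE)
    print(render_hosts(good), end="")
    for line_no, reason in bad:
        print(f"rejected line {line_no}: {reason}")
```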