July 14, 2024

One of the great tools that an admin of an Active Directory network has is the ability to limit Windows clients using group policies. If you are working on a network where there is no central way to lock down client machines but you would still like to, you can do the same thing using local policies on the Windows box. There are a multitude of reasons to do this, but the single best one is to keep the network, or even just the computer, secure by limiting what the user can do on the machine. The real upside for an administrator of these clients is that there are fewer problems and less support is needed to keep the machine running in tip-top shape.

First of all, the best thing to do is to set the machine up with an autologon, using a network or even a local account, and then use TweakUI from Microsoft to add the registry entries that make it log on successfully. This in itself does not lock anything down, but at least the machine logs on by itself (barring someone holding down the Shift key at startup), so users do not have to log on. You will not apply this yet, but make sure that you are using two accounts to do this work: an admin account for setting the policies and a user account that you will apply the policies to.

The policies are kept in and applied from the C:\WINDOWS\system32\GroupPolicy folder. Using NTFS permissions, you allow the user account access to this folder so that it gets the policy, and at the same time you deny your admin account access to it so that the policy does not lock you out of setting the local machine policies. You will notice fairly quickly that the policies are split into computer-wide settings and per-user settings, and although there may seem to be an overlap, there is in fact not much. The navigation through the policy editor is in reality very easy; it is the effect of the settings that you have to think about.

The next step is to go into the group policy editor itself, which you can open by running gpedit.msc at a command prompt, and then marvel at the opportunity that is in front of you. Under Computer Configuration or User Configuration you can go down to Administrative Templates and set all sorts of allows or denies, but first you must make sure that you turn off background processing of the group policy. Stopping the background Group Policy refresh means that the policy will not be applied until the next reboot, so again you will not get locked out by your own handiwork. You can find the background refresh setting at Computer Configuration\Administrative Templates\System\Group Policy. Enable the first one by double-clicking Turn off background refresh of Group Policy, selecting Enabled and clicking OK. Now close the window, reboot and log in again as the administrator.

From this point on, be very careful to always follow the same sequence: log on to the machine as the administrator, go to the group policy folder and allow access for the administrator, then go into gpedit.msc and make whatever changes you want, and after applying the changes go back and deny access to the administrator again. These actions make sure that you do not lock yourself out afterwards but still allow you to make changes as you need them. What I have always done as a safeguard against my own human error is to keep another local account that I always deny access to the group policy folder; then, if needed, I can log on as that user, take ownership of the folder and give myself full control to fix what I broke for the administrator.
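The allow/edit/deny cycle described above can be scripted so the deny entry is never forgotten. This is an added example, not part of the original post; the account name `PolicyAdmin` is a placeholder, and modelling "deny" as a deny entry for Read & Execute on the folder and its contents is an assumption, since the post does not say which rights to deny.

```powershell
# Added example: toggle the admin account's deny entry on the local Group Policy folder.
# Run from an elevated PowerShell prompt.
function Set-LocalPolicyAccess {
    [CmdletBinding()]
    param(
        # Account whose access is toggled (placeholder name in the usage below)
        [Parameter(Mandatory)][string]$Account,
        # Unlock = remove the deny entry before editing; Lock = put it back afterwards
        [Parameter(Mandatory)][ValidateSet('Unlock', 'Lock')][string]$Mode,
        [string]$Path = "$env:SystemRoot\System32\GroupPolicy"
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Policy folder not found: $Path"
    }

    if ($Mode -eq 'Lock') {
        # Assumption: deny Read & Execute, inherited by subfolders (CI) and files (OI),
        # so the policy files cannot be read for this account at logon.
        & icacls.exe $Path /deny "${Account}:(OI)(CI)RX" | Out-Null
    }
    else {
        # /remove:d removes only the explicit deny entries for this account;
        # any allow entries are left untouched.
        & icacls.exe $Path /remove:d $Account | Out-Null
    }

    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed with exit code $LASTEXITCODE"
    }

    # Print the resulting ACL so the state can be checked before rebooting
    & icacls.exe $Path
}

# Typical cycle (PolicyAdmin is a placeholder for your admin account):
#   Set-LocalPolicyAccess -Account "$env:COMPUTERNAME\PolicyAdmin" -Mode Unlock
#   gpedit.msc        # make and apply the policy changes
#   Set-LocalPolicyAccess -Account "$env:COMPUTERNAME\PolicyAdmin" -Mode Lock
```

Check the printed ACL after each call; a `(DENY)` entry for the admin account should be present after `Lock` and absent after `Unlock`.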

Go through all of the policies before applying any, and take a look at some of the good things that you can do to lock out features. In the past I have created kiosk-type machines by locking off right click, programs, installation of programs, Control Panel, display properties, and even any access to the C: drive.

Using group policy is a great way to lock down machines and help lower the cost of supporting them, especially ones that are hard to get to in a timely fashion. Used correctly, there are hundreds of settings that you can control, and the granularity of the lockdowns is a great tool in almost any environment.