Locking down computers with local group policies


One of the great tools available to an administrator of an Active Directory network is the ability to restrict Windows clients with Group Policy. If you work on a network with no domain to push policy from but still want to lock down the client machines, you can do the same thing with the local policy on each Windows box. There are many reasons to do this, but the single best one is to keep the network, and the computer itself, secure by limiting what the user can do on the machine. The real upside for whoever supports those clients is fewer problems and less support work to keep the machine running in tip-top shape.

The first thing to do is set the machine up to log on automatically with a network or local account, using TweakUI from Microsoft to add the Winlogon registry entries that make the autologon work. This does not lock anything down by itself, but it spares the users from having to log on (anyone holding down the Shift key at startup can still bypass the autologon and get a logon prompt). Be aware that the registry autologon stores the account's password in clear text under the Winlogon key, where any local administrator can read it; the Sysinternals Autologon tool stores it as an LSA secret instead. Do not apply the autologon yet, but do make sure you are working with two accounts: an admin account you will set the policies with, and a user account the policies will be applied to.

The local policy lives in and is applied from the C:\WINDOWS\system32\GroupPolicy folder, so with NTFS permissions you allow the user account to read the folder (and so receive the policy) while denying it to your admin account, so that the policy does not lock you out of the very account you use to set it. (On Vista and later, the supported way to get the same effect is a per-user or Non-Administrators local GPO, added through the Group Policy Object Editor snap-in in mmc.exe; the NTFS trick is the XP-era approach.) You will notice fairly quickly that the policies are split into computer-wide settings and user settings, and although the two may seem to overlap, in practice they do not much. Navigating the policy editor is easy; it is the effect of each setting that you have to think about.

The next step is to open the Group Policy editor itself, which you get by running gpedit.msc from a command prompt, and marvel at the opportunity in front of you. Under Computer Configuration or User Configuration you can go down into Administrative Templates and set all sorts of allows and denies, but the first thing to do is turn off background processing of Group Policy. With background refresh stopped, the policy is not re-applied until the next startup or logon, so again you will not be locked out mid-session by your own handiwork. The setting is at Computer Configuration\Administrative Templates\System\Group Policy: double-click Turn off background refresh of Group Policy, select Enabled and click OK. Now close the editor, reboot, and log back on as the administrator.

From this point on, be careful to follow the same routine every time: log on to the machine as the administrator, go to the GroupPolicy folder and allow access for the administrator, open gpedit.msc and make whatever changes you want, and after applying the changes go back and deny the administrator access again. That keeps you from locking yourself out afterwards while still letting you make changes as you need. As a safeguard against my own human error I have always kept another local account that is permanently denied access to the GroupPolicy folder (it must also be an administrator, since taking ownership needs that right); if needed I can log on as that user, take ownership of the folder and give myself full control to fix whatever I broke for the administrator.
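As an added example, not from the original post or from TweakUI, here is the procedure above scripted in PowerShell for a current Windows build with the LocalAccounts cmdlets (Windows 10 / Server 2016 or later under Windows PowerShell 5.1). The account names PolicyAdmin and KioskUser, the choice to deny only ReadData (so the admin can still change the ACL back), and the registry values behind the Winlogon autologon and the background-refresh policy are the assumptions here; after each change, confirm the effect with a test logon as each account.

```powershell
# Added example (not from the original post). Scripts the two-account workflow:
# an admin account that edits the local policy and is denied read access to the
# GroupPolicy folder except while editing, and a restricted account the policy
# applies to. Account names and passwords are assumptions for illustration.
#Requires -RunAsAdministrator

$GpoPath     = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$PolicyAdmin = 'PolicyAdmin'   # assumed name: edits the policy, member of Administrators
$KioskUser   = 'KioskUser'     # assumed name: the account the lockdown applies to

function New-LockdownAccounts {
    param([Parameter(Mandatory)][securestring]$AdminPassword,
          [Parameter(Mandatory)][securestring]$KioskPassword)
    New-LocalUser -Name $PolicyAdmin -Password $AdminPassword -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $PolicyAdmin
    New-LocalUser -Name $KioskUser -Password $KioskPassword -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $KioskUser   # standard user, not an admin
}

# Deny: add an explicit Deny ReadData rule (folder listing and file contents, so
# Registry.pol cannot be read) for the account. Allow: remove that Deny rule again.
# ReadData does not include ReadPermissions, so the denied admin can still run
# this function to reverse the change.
function Set-GpoFolderAccess {
    param([Parameter(Mandatory)][string]$Account,
          [Parameter(Mandatory)][ValidateSet('Allow', 'Deny')][string]$Mode)
    $acl = Get-Acl -Path $GpoPath
    $stale = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -like "*\$Account"
    })
    foreach ($rule in $stale) { [void]$acl.RemoveAccessRule($rule) }
    if ($Mode -eq 'Deny') {
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
        $acl.AddAccessRule($deny)
    }
    Set-Acl -Path $GpoPath -AclObject $acl
}

# Autologon for the restricted account via the Winlogon values TweakUI used to write.
# Caveat: DefaultPassword is stored in clear text and is readable by any local admin;
# Sysinternals Autologon stores the password as an LSA secret and is preferable.
function Enable-AutoLogon {
    param([Parameter(Mandatory)][string]$UserName,
          [Parameter(Mandatory)][string]$Password,
          [string]$Domain = $env:COMPUTERNAME)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    New-ItemProperty -Path $key -Name AutoAdminLogon    -Value '1'       -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name DefaultUserName   -Value $UserName -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name DefaultDomainName -Value $Domain   -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name DefaultPassword   -Value $Password -PropertyType String -Force | Out-Null
}

# The registry value written by "Turn off background refresh of Group Policy"
# (Computer Configuration\Administrative Templates\System\Group Policy). With it set,
# policy is applied only at startup/logon, so a bad edit never bites mid-session.
function Disable-BackgroundPolicyRefresh {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DisableBkGndGroupPolicy -Value 1 -PropertyType DWord -Force | Out-Null
}

# The edit cycle from the post: open the folder for the admin, edit, close it again.
# The finally block re-applies the Deny even if the editor is closed abnormally.
function Invoke-PolicyEdit {
    Set-GpoFolderAccess -Account $PolicyAdmin -Mode Allow
    try   { Start-Process -FilePath 'mmc.exe' -ArgumentList 'gpedit.msc' -Wait }
    finally { Set-GpoFolderAccess -Account $PolicyAdmin -Mode Deny }
}

# Usage (one-time setup, run from an elevated prompt):
#   New-LockdownAccounts -AdminPassword (Read-Host -AsSecureString 'admin password') `
#                        -KioskPassword (Read-Host -AsSecureString 'kiosk password')
#   Disable-BackgroundPolicyRefresh
#   Set-GpoFolderAccess -Account $PolicyAdmin -Mode Deny
#   Enable-AutoLogon -UserName $KioskUser -Password '<kiosk password>'
# Then, logged on as PolicyAdmin, run Invoke-PolicyEdit whenever a policy change is needed.
```

Any local account that is not denied on the folder, including the built-in Administrator, still receives the policy, which is why the post keeps a second, permanently denied administrator as the break-glass account.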

Go through all of the policies before applying any and look at some of the useful things you can lock out. In the past I have built kiosk-type machines by disabling right-click, programs, installation of programs, Control Panel, Display Properties, and even all access to the C: drive.
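To make that kiosk list concrete, here is an added example (not from the original post) that writes the registry values behind the corresponding User Configuration policies straight into the kiosk account's hive, rather than clicking through gpedit.msc. The account name and the list of hidden drives are assumptions; the value names are the ones the Explorer and System policy templates set, and the drive bitmask is the documented one (bit 0 = A:, bit 2 = C:, and so on). Writing the values directly skips Registry.pol, so a later local-GPO edit that sets the same values will win at the next logon.

```powershell
# Added example (not from the original post): applies kiosk-style lockdowns as the
# registry values the matching User Configuration policies write, directly into the
# target user's hive. Account name and drive list are assumptions for illustration.
#Requires -RunAsAdministrator

# Bitmask used by NoDrives / NoViewOnDrive: bit 0 = A:, bit 1 = B:, bit 2 = C:, ...
function Get-DriveMask {
    param([string[]]$Drives)
    $mask = 0
    foreach ($d in $Drives) {
        $index = [int][char]$d.ToUpper()[0] - [int][char]'A'
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

function Set-KioskLockdown {
    param([Parameter(Mandatory)][string]$UserName,
          [string[]]$HiddenDrives = @('C'))
    $sid      = (Get-LocalUser -Name $UserName -ErrorAction Stop).SID.Value
    $hiveRoot = "Registry::HKEY_USERS\$sid"
    # The user's hive is mounted only while they are logged on; otherwise load NTUSER.DAT
    # from the profile (the account must have logged on at least once to have one).
    $wasLoaded = Test-Path $hiveRoot
    if (-not $wasLoaded) {
        $profileDir = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -ErrorAction Stop).ProfileImagePath
        & reg.exe load "HKU\$sid" (Join-Path $profileDir 'NTUSER.DAT') | Out-Null
    }
    try {
        $explorer = "$hiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $system   = "$hiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $mask     = Get-DriveMask -Drives $HiddenDrives
        $values = @(
            @{ Key = $explorer; Name = 'NoViewContextMenu'; Value = 1 },     # no right-click menu in Explorer
            @{ Key = $explorer; Name = 'NoControlPanel';    Value = 1 },     # prohibit access to Control Panel
            @{ Key = $system;   Name = 'NoDispCPL';         Value = 1 },     # remove Display Properties
            @{ Key = $explorer; Name = 'NoRun';             Value = 1 },     # remove Run from the Start menu
            @{ Key = $explorer; Name = 'NoDrives';          Value = $mask }, # hide the drives in My Computer
            @{ Key = $explorer; Name = 'NoViewOnDrive';     Value = $mask }  # block access to them entirely
        )
        foreach ($v in $values) {
            New-Item -Path $v.Key -Force | Out-Null
            New-ItemProperty -Path $v.Key -Name $v.Name -Value $v.Value -PropertyType DWord -Force | Out-Null
        }
    }
    finally {
        if (-not $wasLoaded) { [gc]::Collect(); & reg.exe unload "HKU\$sid" | Out-Null }
    }
    return $values
}

# "Turn off Windows Installer" is a Computer Configuration policy, so unlike the values
# above it applies to every account on the box, the admin included. 2 = Always.
function Disable-WindowsInstaller {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DisableMSI -Value 2 -PropertyType DWord -Force | Out-Null
}

# Usage: lock down the assumed kiosk account and hide/block C: and D:
#   Set-KioskLockdown -UserName 'KioskUser' -HiddenDrives @('C', 'D')
#   Disable-WindowsInstaller
```

Blocking the C: drive this way only affects Explorer and the common dialogs; it is a usability lockdown, not a security boundary, so keep the account a standard user and rely on NTFS permissions for anything that actually must not be read.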

Group Policy is a great way to lock down machines and lower the cost of supporting them, especially ones that are hard to get to in a timely fashion. Used correctly, there are hundreds of settings you can control, and the granularity of the lockdowns makes it a great tool in almost any environment.

16 thoughts on "Locking down computers with local group policies"

  1. Hi there, I just became aware of your blog through
    Google, and found that it's really informative.
    I'm gonna watch out for brussels. I would appreciate it if you continue this in future.
    A lot of people will benefit from your writing.
    Cheers!

  2. I know this is off topic but I'm looking into starting my own weblog and was curious what all is needed to get set up?
    I’m assuming having a blog like yours would cost a pretty
    penny? I’m not very web savvy so I’m not 100% positive. Any tips or advice would be greatly appreciated.
    Many thanks

  3. We are a group of volunteers and starting a new scheme in our community.

    Your website offered us valuable info to work on. You have done a formidable job and our whole
    community will be grateful to you.

  4. I’d like to thank you for the efforts you have put in writing this blog.

    I really hope to see the same high-grade content from you in the future as well.
    In truth, your creative writing abilities have inspired me to
    get my very own website now 😉

  5. Right here is the perfect website for everyone who would like
    to find out about this topic. You realize so much
    it's almost hard to argue with you (not that I actually would want to…HaHa).
    You definitely put a brand new spin on a subject that has been discussed for ages.
    Wonderful stuff, just great!

  6. Hello! I could have sworn I’ve visited this blog before but after browsing through some of the posts I
    realized it’s new to me. Regardless, I’m certainly delighted I found it and I’ll
    be bookmarking it and checking back often!

  7. Hello there, I am so excited I found your web site. I really found you by accident, while I was
    searching on Google for something else. Nonetheless I am here now
    and would just like to say many thanks for a marvelous post and
    an all round exciting blog (I also love the theme/design). I don't
    have time to go through it all at the moment but I have bookmarked it and also added your RSS feeds, so when I have time I will be
    back to read more. Please do keep up the great b.

  8. Hi, I do believe this is a great site. I stumbled upon it ;)
    I may return once again since I have bookmarked it.
    Money and freedom is the best way to change, may you be rich and continue to guide other people.

  9. Wow that was unusual. I just wrote an extremely long comment
    but after I clicked submit my comment didn’t show up. Grrrr…
    well I’m not writing all that over again. Anyways,
    just wanted to say great blog!

  10. Oh my goodness! Awesome article dude! Thank you so much, However I
    am having troubles with your RSS. I don’t understand the reason why I am unable to join it.
    Is there anybody else getting the same RSS problems? Anyone that knows the answer will you kindly respond?
    Thanx!!

  11. I don’t even know the way I finished up here, but I thought this submit used to
    be good. I don't realize who you're, however certainly you are
    going to be a famous blogger if you are not already.

    Cheers!

  12. Hello, Neat post. There's an issue with your web site in web explorer, could you test
    this? IE is nonetheless the market leader and a huge section of people will pass over your magnificent writing due to this problem.
