Peter Clark
December 5th 03, 07:45 PM
investigate software restriction policies:
(from brief notes of mine)
start -> settings -> control panel -> administrative tools -> Local Security Policy
or secpol.msc
security settings\software restriction policies\security levels
security settings\software restriction policies\additional rules
make sure you add the following new hash rules!!
userinit.exe (VERY %$£^*& CRITICAL IF YOU WANT TO LOGON)
explorer.exe (SOMETIMES A SHELL IS REALLY NICE TO HAVE)
add additional programs that you want a user to be allowed to run
change the enforcement option to apply software restrictions to all users except local administrators.
if you do lock yourself out you can reboot into safe mode, log on as an administrator and change the policy (run gpupdate /force - it will fail, but it will update on reboot)
else reboot and attempt to log on twice.
you may also want to look at group policy - and the restrictrun option.
>-----Original Message-----
>I currently run a Small Business 2000 Server network with
>Windows XP workstations.
>I currently have a legacy system that requires each user
>to be a part of the local Power Users Group for proper use.
>
>I do not want my users to be able to install any type of
>software on the local machine.
>How can I remove that right from the Power Users group???
>
>Help community...
>
>Sebastien
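
Added example, not part of the original post: a read-only PowerShell check that the policy described in the reply is in place before anyone logs off, namely the enforcement scope and Unrestricted hash rules matching the current userinit.exe and explorer.exe. It assumes the standard registry location where Windows stores software restriction policies and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example: read-only audit of the local software restriction policy.
# Assumption: policy is stored under the standard Safer\CodeIdentifiers key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) {
    Write-Output 'No software restriction policy is defined on this machine.'
    return
}

$policy = Get-ItemProperty -Path $base
$levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
$scopes = @{ 0 = 'all users'; 1 = 'all users except local administrators' }
Write-Output ("Default security level: {0}" -f $levels[[int]$policy.DefaultLevel])
Write-Output ("Enforcement applies to: {0}" -f $scopes[[int]$policy.PolicyScope])

# Hash rules at the Unrestricted level (262144) live under <level>\Hashes\{GUID}.
# HashAlg is a CryptoAPI algorithm id: 32771 = MD5, 32772 = SHA1.
$algs    = @{ 32771 = 'MD5'; 32772 = 'SHA1' }
$hashKey = Join-Path $base '262144\Hashes'
$rules   = @()
if (Test-Path $hashKey) {
    $rules = @(Get-ChildItem -Path $hashKey | ForEach-Object {
        $r = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Name      = $r.FriendlyName
            Algorithm = $algs[[int]$r.HashAlg]
            Hash      = ($r.ItemData | ForEach-Object { $_.ToString('X2') }) -join ''
        }
    })
}

# The two binaries the reply says must have hash rules.
$critical = @(
    (Join-Path $env:SystemRoot 'System32\userinit.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)
foreach ($file in $critical) {
    # A rule matches only if the file's current hash equals the stored one.
    $match = $rules | Where-Object {
        $_.Algorithm -and
        $_.Hash -eq (Get-FileHash -Path $file -Algorithm $_.Algorithm).Hash
    }
    if ($match) { Write-Output "OK       $file" }
    else        { Write-Output "MISSING  $file (no matching Unrestricted hash rule)" }
}
```

A hash rule matches exact file contents, so a MISSING result can also appear after an update replaces either binary; re-run the check after patching.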