[W2K3]Empty desktop



Guest PhilTheGap
Posted

Hi there,

 

I need to constrain a user account on a W2K3 computer in order to:

- launch an app when this account is accessed via Terminal Server/Citrix

- prevent the user from doing anything else: so the desktop must be empty, the

Start menu also, Ctrl-Alt-Del must be impossible...

 

This account will be a local server account. Is there a security model for

that? Is applying a GPO the best solution?

 

Thanks for your help...

 

Philippe

Guest lforbes
Posted

RE: [W2K3]Empty desktop

 

Hi,

 

I am assuming this server is not a Domain Controller? Is it part of a

Domain? I wouldn't set up a local server account. I would set up a domain

account and then restrict it in those properties to allow the account to only

log in to the server you want.

 

Restricting accounts in AD is easily done via Group Policy. However, you

cannot apply group policy to local accounts without directly affecting the

registry for all users which is not recommended. Also local policies are

overwritten by Group Policies anyway.

 

I would set the profile to Roaming Mandatory

(http://www.sd61.bc.ca/windows2000/Profiles.htm)

 

Then delete everything in the start menu and the desktop. Set up the profile

empty when you log on to create it.

 

Then use Group Policies to restrict users' access. There is a Group Policy

which will "hide all icons on desktop".

 

You could then set up a logon script or simply add it to the Startup folder

on the start menu to run the application that you want on logon.

 

I have this type of account for a web based library browsing system.

However, IE has the ability to set it in kiosk mode.

 

Cheers,

Lara

 

"PhilTheGap" wrote:

> Hi there,

>

> I need to constrain a user account on a W2K3 computer in order to:

> - launch an app when this account is accessed via Terminal Server/Citrix

> - prevent the user from doing anything else: so the desktop must be empty, the

> Start menu also, Ctrl-Alt-Del must be impossible...

>

> This account will be a local server account. Is there a security model for

> that? Is applying a GPO the best solution?

>

> Thanks for your help...

>

> Philippe

>

Guest PhilTheGap
Posted

Re: [W2K3]Empty desktop

 

Hi Lara,

 

Yes I was not very precise...

"lforbes" <lforbes@discussions.microsoft.com> wrote in message

news:9B4412F1-915A-4A6B-9364-BE9128C80A0B@microsoft.com...

> Hi,

>

> I am assuming this server is not a Domain Controller? Is it part of a

> Domain?

It is not a Domain Controller, it is in a workgroup, not part of a Domain.

> I wouldn't setup a local server account. I would setup a domain

> account and then restrict in those properties to allow the account to only

> login to the server you want.

So there are only local accounts...

> Restricting accounts in AD is easily done via Group Policy. However, you

> cannot apply group policy to local accounts without directly affecting the

> registry for all users which is not recommended. Also local policies are

> overwritten by Group Policies anyway.

It is not an AD server, so I think that local policies should be OK.

> I would set the profile to Roaming Mandatory

> (http://www.sd61.bc.ca/windows2000/Profiles.htm)

I will have a look.

> Then delete everything in the start menu and the desktop. Setup the

> profile

> empty when you logon to create it.

>

> Then use Group Policies to restrict users to access. There is a Group

> Policy

> which will "hide all icons on desktop".

Now, I wonder whether GPO are available since this is not an AD server.

> You could then setup a logon script or simply add it to the Startup folder

> on the start menu to run the application that you want on logon..

Yes that's what I thought of.

> I have this type of account for a web based library browsing system.

> However, IE has the ability to set it in kiosk mode.

>

> Cheers,

> Lara

Thanks a lot...

 

Philippe

Guest PhilTheGap
Posted

Re: [W2K3]Empty desktop

 

I could use the local policies with "secedit/gpedit.msc" but this would

apply to all users. There is a workaround to apply to all users but the

admin group, however as a matter of fact, my "special" account is precisely

an admin account...

 

So I guess the solution would be to make my computer an AD server and to use

a GPO on an OU containing my special account (and it would be a domain

account).

 

Does anybody agree ?

 

Philippe

Guest lforbes
Posted

Re: [W2K3]Empty desktop

 

Hi,

 

If your special account is an administrator's account then they can undo

anything that you do to secure it.

 

The thing with Admin accounts is they have total control. They have to be

trusted.

 

If you are going to make it an admin account then there is really no point

in trying to secure it. However, if you want to, the BEST way would be to hack

the profile itself and then make it mandatory.

 

Basically what group policy does is add registry keys to the profile to

enable the policies. If you hack the profile then it is possible to do it

just for that profile. This is similar to what Policy editor did in Windows

NT. (If you can find a copy of poledit.exe you can try that too).

 

All the registry paths are actually included in the system.adm file for group

policies, located in the Administrative Templates section (which is most of the

security on the desktop).

 

I have XP and Vista workstations at home and have done this for my kids with

success.

 

1> Logon with the user account you want to secure. Go to taskbar properties

and hide everything you can in the menus and on the desktop. Unlock the

taskbar or autohide it.

2> Delete all the shortcuts on the desktop.

3> Move everything from All Users\Programs and All Users\Desktop to admin

profile so it doesn't show on this desktop.

4> Set the desktop picture to something you know the name of (you will use

this to find the key in the registry).

5> Logoff the user account.

6> Logon using another unrestricted admin account.

7> Load Registry Editor. Click on HKEY_USERS so it is highlighted. Go to

File and "Load Hive". Navigate to C:\Documents and Settings\accountname and

find the user.dat of the user account above that you wish to secure. Load

the hive. Call it 1 (very important to just call it 1 or the script won't

work)

8> Copy the below settings into Notepad and save into SecureSettings.reg.

9> While regedit is still open, double click the file and say "yes" to enter

it into the registry. Make SURE it confirms it was correct. Go to the

HKEY_USERS\1 and see if the settings are there.

10> You can make additional settings if you can find the settings you want

in the system.adm

11> Click on the folder 1 (that you added) and then go to File - Unload

Hive. VERY important step. The profile won't read if it is loaded in regedit

and it won't unload unless you unload it manually.

12> Logoff regular admin and logon with the user account to see if the

restrictions worked.

 

Now I have never edited a profile directly this way. What I usually do is

use the My Computer - Properties - Advanced - Profiles section to copy the

profile to another location (giving everyone full access), then load the

user.dat in regedit. I then copy the Contents of the profile (or just the

user.dat) back over top of the profile in the C:\Documents and Settings.

 

You can then change the user.dat to user.man. I have success with this at

the server level for roaming but I have never actually done it for local

profiles.

 

<snip>

 

Windows Registry Editor Version 5.00

; Hive loaded as HKEY_USERS\1 (step 7 above). system.adm defines these policy
; values as REG_DWORD, so they are written as dword here, the form Group Policy
; itself writes.

[HKEY_USERS\1\Software\Policies\Microsoft\Internet Explorer]

[HKEY_USERS\1\Software\Policies\Microsoft\Internet Explorer\Restrictions]
; Disable the right-click menu inside Internet Explorer
"NoBrowserContextMenu"=dword:00000001

[HKEY_USERS\1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
; No right-click menu on the taskbar, none in Explorer/desktop views,
; no changes to the Start menu
"NoTrayContextMenu"=dword:00000001
"NoViewContextMenu"=dword:00000001
"NoChangeStartMenu"=dword:00000001
"{645FF040-5081-101B-9F08-00AA002F954E}"=dword:00000001

[HKEY_USERS\1\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
; Hide the Recycle Bin (this CLSID) from the desktop
"{645FF040-5081-101B-9F08-00AA002F954E}"=dword:00000001

 

<end snip>

 

Cheers,

Lara

 

 

 

 

 

 

"PhilTheGap" wrote:

> I could use the local policies with "secedit/gpedit.msc" but this would

> apply to all users. There is a workaround to apply to all users but the

> admin group, however as a matter of fact, my "special" account is precisely

> an admin account...

>

> So I guess the solution would be to make my computer an AD server and to use

> a GPO on an OU containing my special account (and it would be a domain

> account).

>

> Does anybody agree ?

>

> Philippe

>
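The 12-step procedure above, scripted, as an added example that is not part of the original post or of any Microsoft tool: it uses reg.exe (its load/unload are what regedit's File menu calls) plus the PowerShell registry provider, so the hive name is a variable and the "call it 1" constraint disappears. It assumes PowerShell 2.0 is installed on the W2K3 box, a hypothetical account name (kiosk) and a hypothetical application path; change both. Caveats a practitioner wants here: the target account must be logged off (a hive that is in use cannot be loaded a second time); if the account is in Administrators it owns these keys and can delete them, so this only hides things from a user who does not know where to look; and Ctrl-Alt-Del itself cannot be disabled, the Policies\System values below only remove the Task Manager, Lock Computer and Change Password buttons from the dialog it opens (in a Terminal Server session the client takes Ctrl-Alt-Del anyway; Ctrl-Alt-End reaches the session).

```powershell
# Added example, not code from the thread: Lara's "profile hack" (steps 7-12) with reg.exe
# and the PowerShell registry provider instead of the regedit GUI.
# Assumptions (hypothetical, not from the post): account "kiosk", the app path below,
# PowerShell 2.0 on the W2K3 host. Run as an unrestricted admin while the target account
# is logged OFF; an in-use NTUSER.DAT cannot be loaded again.
param(
    [string]$Account  = 'kiosk',
    [string]$App      = 'C:\Program Files\Vendor\App.exe',
    [string]$HiveName = '1',        # name under HKEY_USERS; any name works, the paths use it
    [switch]$Mandatory              # rename NTUSER.DAT to NTUSER.MAN when done
)

$profileDir = Join-Path 'C:\Documents and Settings' $Account
$hiveFile   = Join-Path $profileDir 'NTUSER.DAT'     # the profile hive file on disk
$hive       = "Registry::HKEY_USERS\$HiveName"

if (-not (Test-Path $hiveFile)) {
    throw "No hive at $hiveFile. Log on once as $Account to create the profile, then retry."
}

# Step 7: load the offline hive under HKEY_USERS.
& reg.exe load "HKU\$HiveName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE). Is $Account still logged on?" }

try {
    $explorer = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $system   = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $nonEnum  = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum"
    $ie       = "$hive\Software\Policies\Microsoft\Internet Explorer\Restrictions"

    # Steps 8-9: what the user-side Administrative Templates write (REG_DWORD per system.adm).
    $settings = @{
        $explorer = @{
            NoDesktop         = 1   # "Hide and disable all items on the desktop"
            NoTrayContextMenu = 1   # the three restrictions from the posted .reg
            NoViewContextMenu = 1
            NoChangeStartMenu = 1
            NoSetTaskbar      = 1   # no Taskbar and Start Menu properties dialog
            NoRun             = 1   # no Run... item on the Start menu
        }
        $system = @{
            DisableTaskMgr         = 1   # Ctrl-Alt-Del dialog: Task Manager button
            DisableLockWorkstation = 1   # Ctrl-Alt-Del dialog: Lock Computer button
            DisableChangePassword  = 1   # Ctrl-Alt-Del dialog: Change Password button
        }
        $nonEnum = @{ '{645FF040-5081-101B-9F08-00AA002F954E}' = 1 }  # hide the Recycle Bin
        $ie      = @{ NoBrowserContextMenu = 1 }
    }
    foreach ($key in $settings.Keys) {
        New-Item -Path $key -Force | Out-Null          # -Force creates missing parent keys
        foreach ($name in $settings[$key].Keys) {
            New-ItemProperty -Path $key -Name $name -Value $settings[$key][$name] `
                -PropertyType DWord -Force | Out-Null   # -Force overwrites an existing value
        }
    }

    # Step 9, "make SURE it confirms": read every value back from the loaded hive.
    foreach ($key in $settings.Keys) {
        $actual = Get-ItemProperty -Path $key
        foreach ($name in $settings[$key].Keys) {
            if ($actual.$name -ne 1) { throw "Verification failed: $key\$name" }
        }
    }

    # The app to run at logon, via the profile's own Startup folder (Lara's suggestion).
    $startup = Join-Path $profileDir 'Start Menu\Programs\Startup'
    New-Item -ItemType Directory -Path $startup -Force | Out-Null
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut((Join-Path $startup 'App.lnk'))
    $lnk.TargetPath = $App
    $lnk.Save()
}
finally {
    # Step 11: unload, or the profile will not load at the next logon. The provider keeps
    # key handles open until they are collected; without this, reg unload reports "Access is denied".
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; unload HKU\$HiveName in regedit before $Account logs on."
    }
}

if ($Mandatory) {
    # Mandatory profile: whatever the user changes is discarded at logoff.
    Rename-Item -Path $hiveFile -NewName 'NTUSER.MAN'
}
```

Run it once, log on as the account (step 12) and check that the desktop, taskbar menus and Ctrl-Alt-Del buttons are gone. To back it out, delete the profile, as Lara says: the restrictions live only in that hive, unlike Local Security Policy, which is reapplied for every user.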

Guest PhilTheGap
Posted

Re: [W2K3]Empty desktop

 

 

"lforbes" <lforbes@discussions.microsoft.com> wrote in message

news:35EF4F72-D03D-4098-8F2B-16DB911FF4D8@microsoft.com...

> Hi,

>

> If your special account is an administrators account then they can undo

> anything that you do to secure.

Yes, if they are aware that they have admin privileges and if they know how

to use them, which is difficult when the desktop is empty and no menu is

available. By the way, with no UI access to admin commands, how can you

undo something?

>

> The thing with Admin accounts is they have total control. They have to be

> trusted.

>

> If you are going to make it an admin account then there is really no point

> in trying to secure it. However if you want to the BEST way would be to

> hack

> the profile itself and then make it mandatory.

The point is that to use the only program they have to run, my users have to

be admin. But they don't know they are admin.

>

> Basically what group policy does is add registry keys to the profile to

> enable the policies. If you hack the profile then it is possible to do it

> just for that profile. This is similar to what Policy editor did in

> Windows

> NT. (If you can find a copy of poledit.exe you can try that too).

Yes, good point.

> All the registy paths are actually included in the system.adm file for

> group

> policies located in the Administrative Templates section (which is most

> security on the desktop)

>

> I have XP and Vista workstations at home and have done this for my kids

> with

> success.

In that case, you can apply a local policy for all users except those who

belong to the admin group...

> 1> Logon with the user account you want to secure. Go to taskbar

> properties

> and hide everything you can in the menus and on the desktop. Unlock the

> taskbar or autohide it.

> 2> Delete all the shortcuts on the desktop.

> 3> Move everything from All Users\Programs and All Users\Desktop to admin

> profile so it doesn't show on this desktop.

> 4> Set the desktop picture to something you know the name of (you will use

> this to find the key in the registry).

> 5> Logoff the user account.

> 6> Logon using another unrestricted admin account.

> 7> Load Registry Editor. Click on HKEY_USERS so it is highlighted. Go to

> File and "Load Hive". Navigate to C:\Documents and Settings\accountname

> and

> find the user.dat of the user account above that you wish to secure. Load

> the hive. Call it 1 (very important to just call it 1 or the script won't

> work)

> 8> Copy the below settings into Notepad and save into SecureSettings.reg.

> 9> While regedit is still open, double click the file and say "yes" to

> enter

> it into the registry. Make SURE it confirms it was correct. Go to the

> HKEY_USERS\1 and see if the settings are there.

> 10> You can make additional settings if you can find the settings you want

> in the system.adm

> 11> Click on the folder 1 (that you added) and then go to File - Unload

> Hive. VERY important step. The profile won't read if it is loaded in

> regedit

> and it won't unload unless you unload it manually.

> 12> Logoff regular admin and logon with the user account to see if the

> restrictions worked.

>

> Now I have never edited a profile directly this way. What I usually do is

> use the My Computer - Properties - Advanced - Profiles section to copy the

> profile to another location (giving everyone full access), then load the

> user.dat in regedit. I then copy the Contents of the profile (or just the

> user.dat) back over top of the profile in the C:\Documents and Settings.

>

> You can then change the user.dat to user.man. I have success with this at

> the server level for roaming but I have never actually done it for local

> profiles.

>

> <snip>

>

> Windows Registry Editor Version 5.00

>

> [HKEY_USERS\1\Software\Policies\Microsoft\Internet Explorer]

>

> [HKEY_USERS\1\Software\Policies\Microsoft\Internet Explorer\Restrictions]

> "NoBrowserContextMenu"="1"

>

> [HKEY_USERS\1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

> "NoTrayContextMenu"="1"

> "NoViewContextMenu"="1"

> "NoChangeStartMenu"="1"

> "{645FF040-5081-101B-9F08-00AA002F954E}"="1"

>

> [HKEY_USERS\1\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]

> "{645FF040-5081-101B-9F08-00AA002F954E}"=dword:00000001

>

> <end snip>

>

> Cheers,

> Lara

Thanks a lot...

Guest lforbes
Posted

Re: [W2K3]Empty desktop

 

> The point is that to use the only program they have to run, my users have to

> be admin. But they don't know they are admin.

 

Fair enough. I just have some very innovative users who, if given any type

of access, will exploit it to the best of their ability. Many are programmers

who through any batch file can pretty much execute any admin command if they

have the access.

> In that case, you can apply a local policy for all users except those who

> belong to the admin group...

 

Well, sort of, I guess, but not really. It is a profile hack instead. In the

NT days, there was a program called poledit.exe which basically made

permanent changes to a person's profile registry (ntuser.dat). In order to

undo the changes you had to actually reverse them.

 

In a domain you use Group Policy, but in a workgroup like yours, there is

local policy. However all local policy is, is a registry modification. When

you use the Local Policy GUI it affects all users because there is no way to

differentiate between users. It also keeps reapplying even if you DELETE the

profile. If you do the hack like I showed, it only affects the one profile

and if you decide later to not have it you can just delete the profile and it

will be gone.

 

Let me know how it works.

 

Cheers,

Lara

Guest lforbes
Posted

Re: [W2K3]Empty desktop

 

Wow, thanks for the link to that. I will have to read up on it. I am not sure

if it is a domain thing or a workgroup thing though.

 

Cheers,

Lara

 

"PhilTheGap" wrote:

> For some reason, I don't need anymore to lock the desktop of my admin user.

>

> But, I was given this link on the XP NG: Windows SteadyState

> http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

>

> Do you know it ?

>

> Philippe

>
