Configure IT Quick: Apply local Windows 2000 restrictions with the Group Policy console

Learn how to apply local restrictions to keep users out of off-limit places and applications.


Keeping users focused, on track, and out of trouble is sometimes a dicey proposition. Since nothing is foolproof to a sufficiently talented fool, it's tough to keep users out of off-limit places and applications. Even though you have to be an administrator to make most system configuration changes, unwary users can still do damage to their machines. In addition, there's always the lure of the Internet Explorer icon right on users’ desktops, tempting them away from work. And even the network sometimes proves to be a dangerous place for some users. The solution to these wayward users is to apply restrictions to what users can and can’t do.

Group policies
In a domain environment, you can use group policies to apply restrictions at several levels, including domain, site, and organizational unit (OU). For example, you can configure the interface to hide drives in My Computer, hide the Internet Explorer icon, disable Add/Remove Programs, and use a boatload of other restrictions to keep users focused and out of trouble. You can apply the restrictions on a per-user or per-group basis, giving you very granular control over who can do what, when, and where.

In a workgroup environment, however, accomplishing the same thing is a lot tougher because the local group policy is intended to apply to all users, regardless of account or group membership. But with a little finesse, you can apply restrictions to individual users.

The Group Policy console
You use the Group Policy console to apply restrictions. Before you go rushing off to lock down your users, however, keep this in mind: The changes you're going to make will initially affect the local administrator account on each computer. Don't apply any restrictions that will prevent you from later removing the restrictions from the administrator account. You might want to temporarily create an account with membership in the Administrators group to use in case you have problems and need to undo the restrictions.

Here's how to fool Windows 2000 Professional into using different restrictions for users:
  1. Log on as Administrator.
  2. Go to Start | Run and enter Gpedit.msc in the Open dialog box to start the Group Policy console shown in Figure A.

Figure A

  3. Open the User Configuration/Administrative Templates branch and change settings as desired to enable restrictions as needed. The settings for each restriction vary.
  4. Close the Group Policy console and log off; then log on again as Administrator to apply the change.
  5. Log off and log on as another user to verify that the restrictions are applied. Log off and then log on as each of the other users, in turn, to whom you want to apply the restrictions.
  6. Log on as Administrator and copy the file %systemroot%\System32\GroupPolicy\User\registry.pol to a backup location and name it UserReg.pol. Copy the file %systemroot%\System32\GroupPolicy\Machine\registry.pol to the same backup location and name it MachineReg.pol.
  7. Open the Group Policy console and remove the restrictions applied in step four. In some cases, you might need to use the opposite setting from the one applied in step three. For example, if you selected Enable to apply a given restriction, choose Disable to remove the restriction, rather than Not Configured (which applies no change to the registry).
  8. Close the Group Policy console and then copy the backup UserReg.pol file created in step six back to %systemroot%\System32\GroupPolicy\User\registry.pol, making sure to rename the file Registry.pol. Copy the backup MachineReg.pol created in step six back to %systemroot%\System32\GroupPolicy\Machine\registry.pol, making sure to rename the file Registry.pol.
  9. Log off as administrator and log on as one of the restricted users to verify that the restrictions are in place. Log off and then log back on as administrator to verify that the restrictions are not applied to the administrator account. As long as you didn't use your own nonadministrator account to log on in step five, that account will not have the restrictions applied.
