
Profile Manager

By Datacon ·
I need to limit the desktop and access to network shares on my net. My biggest prob is that my databases need to give full control to the users, so I can't limit access there. I need to hide Network Neighborhood, Windows Explorer and the DOS prompt. I serve a W2K database from a Win 2000 server and also a DOS-based dBase from a Novell server, so users must have access to those programs on the desktop or Start menu. Can you give me some ideas? Thanks.

This conversation is currently closed to new comments.


Profile Manager

by Ann777 In reply to Profile Manager

Desktop restrictions can be implemented by editing the following Explorer values in the registry: (all values default to 0)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoCommonGroups REG_DWORD
set it to 1 so that common program groups do not appear on the Start menu.

NoDesktop REG_DWORD
set it to 1 to hide all desktop icons.

NoDrives REG_DWORD
The low-order (rightmost) bit is drive A:, while the 26th bit is drive Z:.
To hide a drive, turn on its bit. These drives will still appear in File Manager. To remove File Manager, delete winfile.exe.
If you're not happy working in hex, add these decimal numbers to hide the drive(s):
A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, ALL: 67108863

NoFileMenu REG_DWORD
If set to 1, the File menu in Explorer is removed.

NoFind REG_DWORD
set it to 1 to remove the Find command from the Start Menu.

NoNetConnectDisconnect REG_DWORD
A value of 1 removes the "Map Network Drive" and "Disconnect Network Drive" menu and right-click options.

NoNetHood REG_DWORD
Set it to 1 to remove the Network Neighborhood icon and prevent network access from explorer (it will still work from a command prompt).


Profile Manager

by Ann777 In reply to Profile Manager

NoRun REG_DWORD
If set to 1, the Run command is removed from the Start menu.

NoSetFolders REG_DWORD
Set it to 1 to hide Control Panel and Printers and My Computer in Explorer and on the Start Menu.

NoSetTaskbar REG_DWORD
If set to 1, only Drag and Drop can be used to alter the Start Menu and Desktop. The Taskbar does not appear on the Start Menu.

NoTrayContextMenu REG_DWORD
If set to 1, menus do not display upon right click of the taskbar, start button, clock, or taskbar application icons. The entry is only available for NT 4.0 with SP 2 or greater.

NoViewContextMenu REG_DWORD
If set to 1, menus do not display upon right click of the desktop or Explorer's results pane. The entry is only available for NT 4.0 with SP 2 or greater.

RestrictRun REG_DWORD
Set it to 1 and only programs that you define at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
can be run on the Workstation.

NoClose REG_DWORD
Set it to 1 to remove the ShutDown button from the Start Menu. This does not disable shutdown from CTRL+ALT+DEL. To totally disable a user's ability to shut down, remove the "advanced" right to "Shutdown the System" from Policies/User Rights of User Manager for Domains.

To really lock down the desktop, replace the Explorer or Progman shell with your own launcher. Edit HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and replace the current .exe with YourOwnLauncher.exe.


Profile Manager

by Ann777 In reply to Profile Manager

If you don't want to remove Network Neighborhood from the desktop, you can add the following network restrictions:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network

Add Value of NoEntireNetwork as type REG_DWORD. Set it to 1.

and/or

Add Value of NoWorkgroupContents as type REG_DWORD. Set it to 1.


Profile Manager

by Ann777 In reply to Profile Manager

Explorer restrictions that could be implemented via registry changes. Here are a few more that I have found at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. All are type REG_DWORD with a default value of 0.

EnforceShellExtensionSecurity - A value of 1 causes Windows NT to only load the shell extensions listed in the Approved subkey (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved).

NoDriveAutoRun - A bitmapped value that determines whether the autorun feature is disabled on that drive. If the drive's bit is set to 1, autorun is disabled.

NoSaveSettings - A value of 1 prevents changes to the positions of icons and open windows, and the size and position of the taskbar, from being saved. Also set NoSetTaskbar.

NoStartBanner - A value of 1 hides the arrow and "Click here to begin" caption that appear on the taskbar when you start Windows NT.

NoStartMenuSubFolders - Hides the folders at the top section of the Start menu when the value is set to 1. Items appear, but folders are hidden.

A few more restrictions are located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network:

NoWorkgroupContents - If the value of this entry is 1, Network Neighborhood does not display computers in the local workgroup or domain.

NoEntireNetwork - A value of 1 restricts Network Neighborhood from displaying or accessing computers outside the local workgroup or domain. The user can still use the Start/Run, Map/Connect Network Drive, and the Command Prompt.
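An added example, not part of any post in this thread: a short Python audit that parses a .reg export of the two Policies keys listed above, reports which restrictions are switched on, and decodes the NoDrives and NoDriveAutoRun bitmaps into drive letters. The sample export is constructed, and the function names are hypothetical; a real export from regedit is UTF-16 and is assumed to be decoded to text first.

```python
import re

# Constructed sample: a .reg export of the policy keys named in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:0000000c
"NoDriveAutoRun"=dword:03ffffff
"NoRun"=dword:00000001
"NoNetHood"=dword:00000001
"NoFind"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoEntireNetwork"=dword:00000001
'''

BITMAPS = {"NoDrives", "NoDriveAutoRun"}  # one bit per drive, A: = bit 0

def drives_to_mask(letters):
    """Drive letters -> bitmap value (A: is the low-order bit, Z: the 26th)."""
    return sum(1 << (ord(c) - ord("A")) for c in set(letters.upper()))

def mask_to_drives(mask):
    """Bitmap value -> list of drive letters whose bit is set."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]

def parse_reg(text):
    """Parse REG_DWORD values from a .reg export into {key: {name: int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)  # dword data is hex
    return keys

def audit(text):
    """Return {short key name: {value: decoded}} for every non-zero restriction."""
    report = {}
    for key, values in parse_reg(text).items():
        short = key.rsplit("\\", 1)[-1]
        for name, val in values.items():
            if val:  # 0 is the default, meaning the restriction is off
                decoded = mask_to_drives(val) if name in BITMAPS else val
                report.setdefault(short, {})[name] = decoded
    return report

print(audit(SAMPLE_REG))
```

Comparing this report against the intended baseline shows whether a profile has drifted. As the posts themselves point out, several of these values only hide items in Explorer, so the report describes the shell's appearance, not the permissions on the shares.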


Profile Manager

by Datacon In reply to Profile Manager

Thanks so much..this was very useful..you are a genius :)


Profile Manager

by Desktop Jinx In reply to Profile Manager

One alternative is to launch the application under different security. (Remember Novell Application Launcher?)

For an NT share, I rolled my own solution by writing a little stub program that calls the Windows API function CreateProcessWithLogonW. I create an appDatabase1 account, give that account full access to the appropriate share and any elevated privileges it may need on the workstation, then my stub uses that account to run the app.

You could probably do something similar with Novell.

Related: Check out Microsoft's EPAL.

The benefit of this approach is that you don't have to lock down and neuter the whole machine.

Keep in mind that with the lock-down approach a determined user can still do damage through the common open file dialog unless you neuter that as well.

Good luck.
