1

How Can I lock down windows 7 for standard users only? I don't want a standard users to be able to do anything but open a remote desktop session logoff/restart/shutdown and lock computer.

What options to do select using Group Policy editor?

I am sorry I am new and need help

Mike
  • 265
  • 6
  • 13
  • well, I would like to do it for one machine. Then create an image and apply it to the rest of the machines. I don't know what is the best approach to do this but I was advise to use gpedit.msc to do that. I want to allow Administrator to have a full access and not restrict myself as well. – Mike Jan 16 '14 at 21:36
  • @JoeS yes that sounds like a plan. Thanks for your help – Mike Jan 16 '14 at 21:45
  • At the risk of being unhelpful, you want a thin client. So... why not just buy thin clients? Save yourself a bunch of money, and probably hassle too. – HopelessN00b Jan 16 '14 at 23:35
  • I would love to have thin client but I would have to get a licence that cost $110 every year for all of my PCS which I don't want to do. – Mike Jan 17 '14 at 00:33

1 Answers1

2

You need to do this via Group Policy for a group of machines - don't make an image with these settings pre-configured. Since most of the policies will be user policies but you only want this to apply when used on specific computers, you'll configure Loopback Processing Then, you can deny "Apply Group Policy" on the GPO for the administrators that you don't want it to apply to.

MDMarra
  • 100,183
  • 32
  • 195
  • 326
  • I am sorry, but can you give me an easier answer to understand? This is my first time trying to play with group policys – Mike Jan 16 '14 at 21:57
  • 1
    Sorry, have you read Microsoft's documentation about what Group Policy is and how it works? That would seem to be a good start if you're out of your element. http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx – MDMarra Jan 16 '14 at 22:00
  • it seems that what you have gave me is for a server. I am trying to lock down a local machine and not a server. I just don't want a standard user to do anything on the local machine – Mike Jan 16 '14 at 22:11
  • Right. You configure group policy on your server(s). Domain Controllers distribute the Group Policy to your client computers. Maybe you should hire someone with some experience to assist you on this project. – MDMarra Jan 16 '14 at 22:15
  • Okay, let me make sure I understand. so If I create a group policy on the domain controller then when users log into any machine that we have they will have restricted access to any PC even if the PC it'self is not locked down? I don't know if it makes a difference or not that we are using roaming profiles. – Mike Jan 16 '14 at 22:41
  • Mike - Correct, the group policy is created on the DC (Domain Controller) and then applied to the workstations connected to your Domain. There is no point doing this via the PC itself as if you want to update the settings in future, you can make one change on the Group Policy and this will apply to all PC's (which are connected to your domain). I'd suggest reading up on the link @MDMarra provided as this isn't a small/easy task for someone who hasn't used GPO's before. –  Jan 16 '14 at 22:55
  • Thanks a lot. I will be taking your idea and running with it. Thanks a lot for your help – Mike Jan 16 '14 at 23:06