I am running Windows 7 Ultimate Edition SP1 x64 (Build 7601) in WORKGROUP mode (Non-NT_Domain, Non ADDS environment). I am the Administrator of these machines and Network. My setup is only a few computers (4x total, more are planned though) all configured with same/similar settings on a local LAN + Restricted Internet access filtered/firewalled through another Non-Windows custom "WRT-ish" router-appliance machine, nothing fancy, mostly default OOBE settings so far, no Local GPOs (Yet...Pending), Restricted Powershell Script Execution Policy, UAC up to Max, Firewall Default (handled elsewhere), Administrator Account Disabled.
Each computer has multiple user accounts and one "BOSS" account that is a member of the local Administrators group. The issue I am having is that the Users (some of them teenagers... sigh.) have by default, WAY too much access to computer settings including log-files/.log/.config files/WMI/CIM-Cmdlets/MMC/Powershell.exe/netsh.exe/CMD etc...
To make matters worse (At least from what I can observe/understand which I find frustrating), Windows very permissively "Assumes" that each new user I create is now the new "Owner" of the Machine: (To clarify what I mean for example the last user that changes Sleep/Power Settings or Internet Settings --> Proxy Settings in CP for example, then those settings are applied Globally and are "sticky" until some other Bugger changes them. Regardless of whether I set it via MY Admin/Boss Account)
One pesky User once changed IE Home Page to http://www.b*ttl3guy.com shocker-site. Another clever User Accessed another User's Browsing History and accessed her E-mail via Powershell script snippet he copied and pasted into that PowerShell Blue-Window-Console (Even with exec-policy set to Restricted which apparently only prevents execution via files). Why is WMI sensitive sys-info gleaning allowed to all users by default? AFAIK at least on most *Nix systems, even a default BASH wouldn't allow any File/Dir Traversal nonsense to basic Users. Plus, you can restrict Shells available to users, and set limits on things like Max Processes allowed, also a Skel template system. Sorry, I'll stop the Windows-Bashing... Users apparently need their Candy-Cane Aero Desktop and mIRC and something called Win-Amp so...(Is GroupPolicy the best way to set these limits?) ...
I realize these are mostly my own misunderstandings and Non-Windows Exp. I just find the *Unices somehow easier to tame...
Now I could disable CP via local gpedit.msc for non Admins but, then Users can just bypass this restriction I'm sure using Win + R or Start --> cmd, %Windir%/System32/*.cpl or Powershell etc...
My question is can I set Windows to, by Default assume that each New User I create is an Evil Malicious Terrorist from Hell and not the New "Owner" of the Machine (allowing to change Power Settings/Proxy etc...) ?
I can not seem to find any good articles that don't involve an AD-Domain.
My goal is a system where by default, new Users I create can NOT arbitrarily:
- Change/Access CP Settings
- Access CMD,MMC,Powershell (I realize Powershell.exe is not actually the culprit giving users access it's built-in .Net Frame-Work)
- View Application/System/ or Any other Logs
- Access WMI or Glean System/Other Users files/logs
- CTRL-ALT-Delete --> TaskManager
- View/Traverse Other Directories not in their "C:\Users\Little-Rugrat" Pigeon Hole
- Start thousands of processes
- Fill up the HD with garbage bytes like porn/files/randomness
* A Police State Essentially * :P
I realize Local Group-Policy could probably accomplish all this but not having the Domain Infrastructure required, won't scale well here. I'd have to become an "Intern Net" and apply each GP to each PC and maintain Sync... (I do not understand how the Admin Templates work. I'm still researching this on Technet. (.ADM, .ADMX, .INF, .INI, .POL, Which one ???). Does anyone have a good sample one handy or link to good Docs about this?)
Or perhaps a FOSS GPO "Pusher" I'm not aware of... ?
Any help/info/comments/pointers/examples/sample-configuration-files would be much appreciated. :)
P.S.: I have mostly only previous Unix/Sun-OS/Solaris/Fedora/GNU-Linux Admin experience. Sorry about any incorrect/misused Micro$oft Terminology.
P.P.S.: I Admin System for a small youth center without a big budget for MS-Domain/Server-ADDS Bloat-ware Setup.
I'm really trying to adhere to the K.I.S.S. Principle...
Thank-You,
and Salutations.
Wendy P. Marshall