Work Study Project Help Please!



Hi,

I'm a newbie to the forum. I'm a freshman in college studying Computer Science. I'm currently employed in a work study position in the Computer Science department under the management of the department systems administrator. I work on development projects that will be used by the department and possibly the entire university. I've been working on several projects this semester, most of which were tricky and required me to do a lot of research on Google to figure out solutions, but for the most part, I was able to figure them out.

This one, on the other hand, is one I've been trying to figure out for quite a long time. The project involves downloading and installing free scanning software onto a standalone machine outside the university network. The machine then needs to be locked down, preventing users from accessing any other application or utilities except for the scanning application, which will execute upon logging onto the machine.

From the research I've done, there are essentially two ways this can work. One way is to use regedit.exe and invoke the necessary restrictions. The other way is to use gpedit.msc, which is basically a much simpler way of invoking these restrictions. At work, using gpedit.msc, I was able to get the scanning software to execute when a user logs onto the machine. The problem, of course, is that this applies to all users, including the administrator, which is what I don't want. I understand that if not careful, gpedit can lock the administrator out of all applications, including the registry and gpedit. In essence, what I'm trying to accomplish is to invoke restrictions on all users EXCEPT the administrator. I haven't been getting much help from the articles I've read on the internet on how to do this. During winter break, I'm toying around with my old Windows XP Home machine trying to find a solution to the project before heading back to school. Since Home Edition does not come with gpedit, I'm using regedit.exe to apply these restrictions. I configured it so that Notepad will execute upon logon and that the user is restricted from using WordPad. However, instead of applying to all users, the settings apply only to the Administrator.

I know that I'm doing something incorrect in my approach, but I just don't know what. In regedit, I implemented the desired settings in the HKEY_CURRENT_USER key, but I have a feeling that it needs to be applied elsewhere. I understand that HKEY_CURRENT_USER is a subkey of HKEY_USERS, the key where all user settings and profile information lie. Is this where I have to apply the desired settings? If so, how can you determine which SID corresponds to a specific user? Using the group policy approach, is there a way I can create a group of associated users I want specific policies to apply to? If there is, please let me know, because I have no idea how to do this.

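The per-user answer to the question above, as an added example that is not part of the original thread: on XP there is only one Local Group Policy, so gpedit.msc cannot target a subset of users, but the policies it writes are plain registry values under each user's hive, and HKEY_CURRENT_USER is just an alias for HKEY_USERS\<SID of the user running regedit>, which is why the restrictions landed on the Administrator. The script below, written for this thread and assuming PowerShell is installed on the box and is run from an administrator account, walks the ProfileList key (which maps every SID with a profile on the machine to its profile folder), translates each SID back to an account name, skips members of the local Administrators group, and writes the same "run at logon", "run only allowed applications", "don't run specified applications" and "disable registry tools" values that gpedit would write, into HKEY_USERS\<SID> (or into the user's NTUSER.DAT, mounted temporarily, when that user is not logged on). The application path and the allowed/blocked image names are placeholders.

```powershell
# Added example for this thread, not code posted by either participant.
# Applies per-user policy values under HKEY_USERS\<SID> instead of HKEY_CURRENT_USER,
# skipping members of the local Administrators group. Assumes: PowerShell on the
# target machine, run from an administrator account; paths below are placeholders.

$KioskApp   = 'C:\Program Files\Scanner\scan.exe'        # assumption: the scanning app
$AllowedExe = @('scan.exe')                               # image names Explorer may launch
$BlockedExe = @('wordpad.exe', 'cmd.exe', 'regedit.exe')  # image names Explorer refuses

# Resolve the local Administrators group to SIDs so account renames do not matter.
$adminGroup = [ADSI]'WinNT://./Administrators,group'
$adminSids  = @($adminGroup.Invoke('Members') | ForEach-Object {
    # ADsPath looks like WinNT://MACHINE/Name; turn it into MACHINE\Name for translation.
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $name = ($path -replace '^WinNT://', '') -replace '/', '\'
    try { ([System.Security.Principal.NTAccount]$name).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
})

function Set-UserPolicy {
    param([string]$HiveRoot)   # e.g. HKEY_USERS\S-1-5-21-...-1001 or HKEY_USERS\LockdownTemp
    $explorer = "Registry::$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $system   = "Registry::$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    foreach ($k in $explorer, "$explorer\Run", "$explorer\RestrictRun", "$explorer\DisallowRun", $system) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # "Run these programs at user logon": value names are arbitrary, data is the command line.
    Set-ItemProperty -Path "$explorer\Run" -Name '1' -Value $KioskApp
    # "Run only allowed Windows applications" (whitelist) and "Don't run specified Windows applications".
    Set-ItemProperty -Path $explorer -Name 'RestrictRun' -Value 1 -Type DWord
    Set-ItemProperty -Path $explorer -Name 'DisallowRun' -Value 1 -Type DWord
    $i = 1; foreach ($exe in $AllowedExe) { Set-ItemProperty -Path "$explorer\RestrictRun" -Name ([string]$i) -Value $exe; $i++ }
    $i = 1; foreach ($exe in $BlockedExe) { Set-ItemProperty -Path "$explorer\DisallowRun" -Name ([string]$i) -Value $exe; $i++ }
    # "Prevent access to registry editing tools" for this user only.
    Set-ItemProperty -Path $system -Name 'DisableRegistryTools' -Value 1 -Type DWord
}

# ProfileList maps every SID that has a profile on this machine to its profile folder,
# which is how you find out which SID belongs to which user.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $sid = $_.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { return }   # skip SYSTEM, LOCAL SERVICE, NETWORK SERVICE
    $profile = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $_.PSPath).ProfileImagePath)
    try   { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $user = "(unresolved $sid)" }

    if ($adminSids -contains $sid) { Write-Host "Skipping administrator $user"; return }

    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive already loaded (the user is logged on), so write to it directly.
        Write-Host "Restricting $user via HKEY_USERS\$sid"
        Set-UserPolicy -HiveRoot "HKEY_USERS\$sid"
    } else {
        # Not loaded: mount the user's NTUSER.DAT under a temporary name, write, then unmount.
        $ntuser = Join-Path $profile 'NTUSER.DAT'
        Write-Host "Restricting $user via $ntuser"
        & reg.exe load 'HKU\LockdownTemp' $ntuser | Out-Null
        try     { Set-UserPolicy -HiveRoot 'HKEY_USERS\LockdownTemp' }
        finally { [GC]::Collect(); & reg.exe unload 'HKU\LockdownTemp' | Out-Null }
    }
}
```

Two caveats a practitioner would want. First, RestrictRun and DisallowRun are enforced by Explorer and match on image name only: a renamed copy of a blocked program, or anything started from a process that is already running, is not covered, so the restricted accounts should also be limited (non-administrator) users and the real boundary should be NTFS permissions on the machine, with these values serving as the user-interface fence. Second, DisableRegistryTools written into the wrong hive is exactly the self-lockout described above, so test on a throwaway limited account first and keep the administrator SID in the skip list; the membership check above only sees direct members of Administrators, not accounts that are admins through a nested group.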

http://iase.disa.mil/stigs/stig/index.html

Do it the way we do.

Securing a standalone XP box is much harder since there is no group policy.

There is a thing called a limited user account. This will stop people from installing software, but I don't understand the true restrictions.

VDI is how we lock down our workstations, or stateless installs.

If you don't know how to create groups and apply policy to them, then you have a lot to learn before messing with the registry. But I guess not working on a domain is your problem, since you cannot set group policy without it: http://mcpmag.com/columns/article.asp?EditorialsID=1274

You could use Windows Scripting Host and apply scripts in the users' startup scripts. But enabling Scripting Host means a person can run .bat files, which is a great way to hack a locked-down PC with no permission to start a command prompt.

More specifics are needed. But the most important lesson is that Windows is not a multiuser OS, so it is not designed to do what you are asking. UNIX was designed to do that, as it is a multiuser system. In order to overcome this, MS created the idea of domains, where authentication did not happen on the client but at a central location. This way you could have different profiles for different users.

