Friday, April 17, 2009

Lock down Windows XP clients with Windows Server 2003

This took me a bunch of research, so here is what I found worked best. After locking down the clients with a group policy object for the user's OU (do not modify the default group policy), there were a few more things I wanted to do:
  • Disable right-click on desktop (start menu and task bar already disabled with policy)
  • Remove/hide Control Panel icon (but not all control panel functions - Date and time allowed for the specific application)
  • Remove/hide Printers and Faxes (no need for any printing anyway but group policy didn't have the option to do so)
The first thing I had to find out was the registry keys for these tasks, which are as follows:

Disable or remove right click ability - set to 1:
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu

Remove/hide Control Panel icon - set to 0:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel

Remove/hide Printers and Faxes - set to 0:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowPrinters

Next I needed to push these to the systems via group policy. This was probably the trickiest part, but it turned out to be fairly simple as well. Create a new text file and type the following:
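; Custom template: everything below is applied per user
class user

category MySettings

; NUMERIC makes the value a REG_DWORD; without it the ADM writes a string
policy "disable right click"
keyname "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
explain "here is the explanation"
valuename "NoViewContextMenu"
valueon NUMERIC 1
valueoff NUMERIC 0
end policy

; The next two values live outside the Policies key, so they act as
; preferences: they stay in the user's registry until something
; changes them back, even if the GPO stops applying.
; Enabled writes 0 (hide), Disabled writes 1 (show).
policy "hide printers and faxes from start menu"
keyname "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
explain "here is the explanation"
valuename "Start_ShowPrinters"
valueon NUMERIC 0
valueoff NUMERIC 1
end policy

policy "hide control panel from start menu"
keyname "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
explain "here is the explanation"
valuename "Start_ShowControlPanel"
valueon NUMERIC 0
valueoff NUMERIC 1
end policy

end category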

Save this and rename the file to something.adm. Now, in the policy editor for the policy you would like to apply these to, right-click Administrative Templates and click Add/Remove Templates, then browse to the folder where you saved the .adm file and load it. Finally, choose Enabled on the policies, which will be under user settings > MySettings in this example, refresh the policy (gpupdate), log off and log back in as the target users, and you're done!

They should now have no right-click functionality on the desktop, no Control Panel (but Date and Time still granted; check this by double-clicking the system clock, and if it opens the Date and Time properties then it is good) and no Printers and Faxes, so the system is locked.
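To confirm the values actually landed, rather than relying only on what the desktop looks like, the check below reads the three settings back from the registry. It is an added example, not part of the original post. It assumes PowerShell is installed on the XP client (it does not ship with XP) and that it is run in the locked-down user's own session, since `class user` settings are written to that user's HKEY_CURRENT_USER hive.

```powershell
# Added example: audit the three per-user values set by the custom .adm.
# Run after gpupdate and a fresh logon, as the target user.
$expected = @(
    @{ Key  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoViewContextMenu';      Want = 1 },
    @{ Key  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Start_ShowControlPanel'; Want = 0 },
    @{ Key  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Start_ShowPrinters';     Want = 0 }
)

$failed = 0
foreach ($e in $expected) {
    $name = $e.Name
    $item = Get-ItemProperty -Path ('HKCU:\' + $e.Key) -Name $name `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value absent: the policy never applied to this user.
        $status = 'MISSING'
        $found  = '(not set)'
    } else {
        $actual = $item.$name
        # Show the .NET type as well: Int32 means REG_DWORD, String means
        # REG_SZ (what the template writes when NUMERIC is left out).
        $found = '{0} [{1}]' -f $actual, $actual.GetType().Name
        if ([string]$actual -eq [string]$e.Want) {
            $status = 'OK'
        } else {
            $status = 'WRONG'
        }
    }
    if ($status -ne 'OK') { $failed++ }
    '{0,-8}{1,-24}want {2}, found {3}' -f $status, $name, $e.Want, $found
}

"$failed of $($expected.Count) settings need attention"
```

A MISSING line for every value usually means the GPO is not linked to the OU that contains the user, or the policy has not been refreshed since the template was enabled.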

Let me know if it's clear enough!