Securing Computers with Group Policy (a simple example -- part 2)

by Greg Thatcher, MCSD, MCDBA, MCSE

At this point, you should have the user accounts for Anne, Ben, and Betty in the Accounting OU. If not, return to the previous page.

Accounting OU

Right click on the Accounting OU and choose Properties.

Right click on Accounting OU

Then click on the Group Policy tab, and then click on the "New" button. Rename the policy "Accounting Group Policy" as shown in the figure. Then, click on the "Edit" button.

OU Properties

In the left pane, navigate to User Configuration->Windows Settings->Internet Explorer Maintenance->URLs. In the right pane, double click on "Important URLs".

Important URLs - Home Page

Change the Home Page URL to a web page of your choice. When a user from the Accounting Department launches Internet Explorer, they will automatically be sent to this page.

Home Page

Next, navigate to User Configuration->Administrative Templates->Control Panel and double click on "Disable Control Panel" in the right pane.

Disable Control Panel

Click on the "Enabled" button, and then click on "Apply". This will prevent Accounting personnel from using Control Panel applets to re-configure their machine.

Control Panel

Finally, navigate to User Configuration->Administrative Templates->Start Menu & Taskbar and double click on "Remove Run Menu from Start Menu". Set this policy to "Enabled" to prevent people in Accounting from using the "Run" menu.

Run Menu

The next time someone from Accounting logs into their computer, you will notice that their home page has changed, they can't run Control Panel applets, and they don't have a run menu (provided that your Active Directory Domains is set up correctly).

Hint: If Group Policy in particular or Active Directory in general are having problems, you should immediately check two main suspects:

  • 1.) Time: Make sure that the clocks on your workstations and domain controllers are within 5 minutes of each other. If the clocks are out of sync by more than 5 minutes, Active Directory (actually, a component of it called "Kerberos") becomes very angry because it thinks someone is launching a "replay" hacker attack against it -- to prevent this, consider setting up an ntp server, and using the "net time" command to sync all your clocks.
  • 2.) DNS: DNS is a big subject. To keep things simple, make sure that all of the machines in your enterprise that are members of your Active Directory domain ONLY use your Domain Controllers as DNS servers. Don't use any other DNS servers. Yes, you can setup your domain to use other DNS servers (e.g. Bind), but you will need to understand Active Directory's DNS needs extremely well before doing so. In particular, you will need to understand SRV records and dynamic updates, and how these DNS features are vulnerable to exploitation by hackers.

Browse through the various User Configuration settings, and notice the many policies you can set for your users. Should you not find the policy you are looking for, you will need to create a custom Administrative Template (these will be covered in a future article). In addition to "User Configuration", you can also configure Computers using Group Policy.