GrinchyNet
I strive to bring you nothing of importance

How to Lock Down a User Profile Using Group Policy

Group Policy Settings

  1. Open up Active Directory Users and Computers
  2. Select the OU where the user account resides
  3. Right click and select properties
  4. Click the Group Policy tab
  5. Click the New button to create a new policy
  6. Give the policy a name and click the edit button
  7. Navigate to Computer Configuration\Windows Settings\Restricted Groups.
    • Right click and select Add Group. Click the Browse button. Type in Administrators and click OK. Click OK again.
    • Click the Add button next to Members for this group. Type in the user account name to be locked down and click OK. Click OK again. Repeat if necessary. Click OK when finished.
    • The reason I do this is to avoid any issues with running applications. This is not a mandatory step.

From here on out I will list the policies that need to be enabled or disabled.

  • User Configuration\Administrative Templates\Windows Components\Windows Explorer
    • Remove the Folder Options menu item from the Tools menu - Enabled
    • Remove File menu from Windows Explorer - Enabled
    • Remove "Map Network Drive" and "Disconnect Network Drive" - Enabled
    • Remove Search button from Windows Explorer - Enabled
    • Remove Windows Explorer's default context menu - Enabled
    • Hides the Manage item on the Windows Explorer context menu - Enabled
    • Hide these specified drives in My Computer - Enabled
      • This option is configurable to your needs. You can restrict all drives, some drives or whatever you may need.
  • User Configuration\Administrative Templates\Windows Components\Windows Messenger
    • Do not allow Windows Messenger to run - Enabled
  • User Configuration\Administrative Templates\Start Menu and Task Bar
    • Remove user's folder from the Start Menu - Enabled
    • Remove links and access to Windows Update - Enabled
    • Remove My Documents from Start Menu - Enabled
    • Remove Documents menu from Start Menu - Enabled
    • Remove programs on Settings menu - Enabled
    • Remove Network Connections from Start Menu - Enabled
    • Remove Favorites from Start Menu - Enabled
    • Remove Search from Start Menu - Enabled
    • Remove Help from Start Menu - Enabled
    • Remove Run from Start Menu - Enabled
    • Remove My Pictures icon from Start Menu - Enabled
    • Remove My Music icon from Start Menu - Enabled
    • Remove My Network Places icon from Start Menu - Enabled
    • Add logoff to the Start Menu - Enabled
    • Remove Drag-and-Drop context menus on the Start Menu - Enabled
    • Prevent changes to Taskbar and Start Menu Settings - Enabled
    • Remove access to the context menus for the taskbar - Enabled
    • Do not keep history of recently opened documents - Enabled
    • Clear history of recently opened documents on exit - Enabled
    • Lock the taskbar - Enabled
    • Remove Balloon Tips on Start Menu items - Enabled
    • Remove All Programs list from the Start Menu - Enabled
    • Remove user name from Start Menu - Enabled
    • Hide the notification area - Enabled
    • Do not display any custom toolbars in the taskbar - Enabled
    • Remove Set Program Access and Defaults from the Start Menu - Enabled
  • User Configuration\Administrative Templates\Desktop
    • Remove My Documents icon on the desktop - Enabled
    • Remove Recycle Bin icon from desktop - Enabled
    • Remove Properties from the My Documents context menu - Enabled
    • Remove Properties from the Recycle Bin context menu - Enabled
    • Hide My Network Places on the desktop - Enabled
    • Hide Internet Explorer icon on desktop - Enabled
    • Do not add shares of recently opened documents to My Network Places - Enabled
    • Prevent adding, dragging, dropping and closing the Taskbar's toolbars - Enabled
    • Prohibit adjusting desktop toolbars - Enabled
  • User Configuration\Administrative Templates\Control Panel
    • Prohibit access to the Control Panel - Enabled
  • User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options
    • Remove Task Manager - Enabled
    • Remove Change Password - Enabled

You may have noticed there were no changes made to Internet Explorer settings. My environment does not have internet access, so these settings are unnecessary; your environment may have internet access, and if so you should explore those settings. I have a list of policy changes for IE, and if you need them send me a message and I will fill you in.

Don't be afraid to try different settings out. This works for my environment and it may not be suitable for you.

Once these policies are changed, run gpupdate /force from the command line and reboot the Windows XP computer. Log in as the user you created and check out what little access this user has.
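Rather than clicking through the Start Menu to see what is left, you can confirm that the policies actually landed in the user's registry hive. The script below is an added example, not part of the original post: it is meant to be run on the Windows XP client as the locked-down user after gpupdate /force and a reboot, and it assumes PowerShell (2.0 is the version available for XP SP3) is installed there. It maps a subset of the policies listed above to the HKCU registry values the administrative templates write for them (the value names are the ones Explorer reads, so a value of 1 means the policy is in effect), decodes the NoDrives bitmask behind "Hide these specified drives in My Computer" into drive letters, and reports whether the account is a local Administrator, since these policies are Explorer UI restrictions rather than a security boundary and a local Administrator can rewrite the HKCU values at will. If a policy reports MISSING, compare the value name against the policy's Explain tab in the Group Policy editor.

```powershell
# Added example (not from the original post). Run as the locked-down user on the
# Windows XP client after gpupdate /force and a reboot. The policy-to-registry
# mappings are the values written by the User Configuration administrative
# templates; compare against the policy's Explain tab if a check reports MISSING.

$explorer  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$messenger = 'HKCU:\Software\Policies\Microsoft\Messenger\Client'

# Policy display name (as listed in the post) -> registry key and value name.
$checks = @(
    @{ Name = 'Remove the Folder Options menu item from the Tools menu';      Key = $explorer;  Value = 'NoFolderOptions' },
    @{ Name = 'Remove File menu from Windows Explorer';                       Key = $explorer;  Value = 'NoFileMenu' },
    @{ Name = 'Remove "Map Network Drive" and "Disconnect Network Drive"';    Key = $explorer;  Value = 'NoNetConnectDisconnect' },
    @{ Name = 'Remove Search button from Windows Explorer';                   Key = $explorer;  Value = 'NoShellSearchButton' },
    @{ Name = "Remove Windows Explorer's default context menu";               Key = $explorer;  Value = 'NoViewContextMenu' },
    @{ Name = 'Hides the Manage item on the Windows Explorer context menu';   Key = $explorer;  Value = 'NoManageMyComputerVerb' },
    @{ Name = 'Do not allow Windows Messenger to run';                        Key = $messenger; Value = 'PreventRun' },
    @{ Name = 'Remove Run from Start Menu';                                   Key = $explorer;  Value = 'NoRun' },
    @{ Name = 'Remove Search from Start Menu';                                Key = $explorer;  Value = 'NoFind' },
    @{ Name = 'Remove Help from Start Menu';                                  Key = $explorer;  Value = 'NoSMHelp' },
    @{ Name = 'Prevent changes to Taskbar and Start Menu Settings';           Key = $explorer;  Value = 'NoSetTaskbar' },
    @{ Name = 'Do not keep history of recently opened documents';             Key = $explorer;  Value = 'NoRecentDocsHistory' },
    @{ Name = 'Clear history of recently opened documents on exit';           Key = $explorer;  Value = 'ClearRecentDocsOnExit' },
    @{ Name = 'Lock the taskbar';                                             Key = $explorer;  Value = 'LockTaskbar' },
    @{ Name = 'Hide the notification area';                                   Key = $explorer;  Value = 'NoTrayItemsDisplay' },
    @{ Name = 'Remove All Programs list from the Start Menu';                 Key = $explorer;  Value = 'NoStartMenuMorePrograms' },
    @{ Name = 'Prohibit access to the Control Panel';                         Key = $explorer;  Value = 'NoControlPanel' },
    @{ Name = 'Remove Task Manager';                                          Key = $system;    Value = 'DisableTaskMgr' },
    @{ Name = 'Remove Change Password';                                       Key = $system;    Value = 'DisableChangePassword' }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Value)
    # Returns $null when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Value
}

# Decode the NoDrives bitmask (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:) into drive letters.
# [math]::Pow is used instead of -shl so the script also runs on PowerShell 2.0.
function ConvertFrom-NoDrivesMask {
    param([int]$Mask)
    $letters = @()
    for ($i = 0; $i -lt 26; $i++) {
        $bit = [int][math]::Pow(2, $i)
        if ($Mask -band $bit) { $letters += ([char](65 + $i)).ToString() + ':' }
    }
    return $letters
}

Write-Host "Policy audit for $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
$missing = 0
foreach ($c in $checks) {
    $v = Get-PolicyValue -Key $c.Key -Value $c.Value
    $state = if ($v -eq 1) { 'OK     ' } else { $missing++; 'MISSING' }
    Write-Host ("[{0}] {1}" -f $state, $c.Name)
}

$hidden = Get-PolicyValue -Key $explorer -Value 'NoDrives'
if ($hidden -ne $null) {
    Write-Host ('Hidden drives: ' + ((ConvertFrom-NoDrivesMask $hidden) -join ' '))
} else {
    Write-Host 'Hidden drives: policy not applied'
}

# These policies only restrict the Explorer UI; a member of the local Administrators
# group can rewrite the HKCU values above, so flag that case for the reviewer.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host 'WARNING: this account is a local Administrator; the restrictions above are advisory only.'
}

Write-Host ("{0} of {1} checked policies not applied" -f $missing, $checks.Count)
```

Two things the output helps catch: a run of MISSING lines usually means the GPO is not in scope for the user (the user object sits outside the OU the policy is linked to, or a filter excludes it), which gpresult will also show; and the local Administrator warning is expected whenever the optional Restricted Groups step was used, because that step is a Computer Configuration setting and applies to the computers in the GPO's scope, placing the named account in their local Administrators group.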