
We have a single PC that requires the following accounts:

  1. 2x Admin accounts for each named responsible administrator (that's me and my boss). The accounts have to be associated with our names for security logging as per the company policy.
  2. Nx User accounts which are all locked down to prevent right-clicking the desktop, accessing the Control Panel, visiting any more than one specific website, etc. (This PC is ultra-secure for processing of credit card data and these restrictions are mandated by security policy.)

Most of the time the PC will be used by one bog-standard user who will operate the machine all day. They have their own PC which falls outside of our secure network provisioning where they will do most of their work in the day. Hence the configuration should be set to make the screensaver come on after two idle minutes and require a password to unlock the machine.

Here's the killer. Although gpedit.msc will allow us to configure such a policy for the administrators, it doesn't apply to the locked-down users and you can't change the settings while logged in as a locked-down user. Is it possible to force this policy across all accounts on the machine from an administrator's account? Or do we have to go through the lengthy process of reversing the lockdown on user accounts, having them log in, setting the policy for their user and then locking the account down again?

EDIT: Paper policies prohibit me from downloading software, plugging in key drives or installing new software on the box without going through a very long paper trail. Whatever the solution to this is, it has to be something I do by entering changes into the OS manually, so registry edits are acceptable, but GUI-based actions are preferable as I'm really a software developer, not a networks guy or systems administrator. The simpler the better, basically.

One Monkey
  • This is tagged with group policy, but it seems like you don't have a domain for these workstations, is that correct? – tony roth Nov 30 '10 at 17:43
  • It's very important to know whether or not this machine is in a domain (if it's supposed to be a secure machine, hopefully it is). – Jim B Nov 30 '10 at 18:13
  • No, no actual domain. The set-up is, rather ridiculously, a single PC on its own network completely isolated from all other machines in the office, plugged into a behemoth of a firewall and thence attached to its own dedicated link to the outside world. In a way it is its own domain, but only in a semantic sense, not in a technical one. – One Monkey Dec 01 '10 at 10:36
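The procedure the question asks for, as an added example that is not part of the original question or answer: push the per-user screen-saver lock policy into every local account's registry hive from one elevated PowerShell prompt, so the locked-down users never have to log in to receive it. It assumes Windows 7 with the built-in PowerShell 2.0 and reg.exe (nothing to download or install), and that the profile paths recorded under ProfileList are where each user's NTUSER.DAT lives. The registry key and the four value names are the ones Local Group Policy itself writes for User Configuration > Administrative Templates > Control Panel > Personalization; the 120-second timeout and the temporary hive name TempPolicyHive are choices made here.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell prompt.
# Writes the screen-saver lock policy into every local user hive, loaded or not.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

$TimeoutSeconds = 120   # two idle minutes, as the question requires (assumed value)

# Same key and values Local Group Policy writes for
# User Configuration > Administrative Templates > Control Panel > Personalization.
$PolicyKey    = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$PolicyValues = @{
    'ScreenSaveActive'    = '1'                      # Enable screen saver
    'ScreenSaverIsSecure' = '1'                      # Password protect the screen saver
    'ScreenSaveTimeOut'   = [string]$TimeoutSeconds  # Screen saver timeout, in seconds
    'SCRNSAVE.EXE'        = 'scrnsave.scr'           # Force specific screen saver (blank screen)
}

function Set-ScreenSaverPolicy {
    # $HiveRoot is a reg.exe-style path such as HKU\S-1-5-21-... or HKU\TempPolicyHive
    param([Parameter(Mandatory=$true)][string]$HiveRoot)
    foreach ($name in $PolicyValues.Keys) {
        $null = & reg.exe add "$HiveRoot\$PolicyKey" /v $name /t REG_SZ /d $PolicyValues[$name] /f
        if ($LASTEXITCODE -ne 0) { throw "reg add failed for $HiveRoot\$PolicyKey\$name" }
    }
}

function Set-OfflineHivePolicy {
    # Loads a profile's NTUSER.DAT under a temporary HKU name, edits it, then unloads it.
    param([Parameter(Mandatory=$true)][string]$HiveFile)
    $temp = 'HKU\TempPolicyHive'   # assumed temporary name; must not already exist
    $null = & reg.exe load $temp $HiveFile
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HiveFile (profile in use?)" }
    try     { Set-ScreenSaverPolicy -HiveRoot $temp }
    finally {
        [gc]::Collect()            # release lingering handles so the unload succeeds
        $null = & reg.exe unload $temp
    }
}

# Enumerate real user profiles (S-1-5-21-* SIDs), skipping SYSTEM and service profiles.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = Get-ChildItem $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Sid  = $_.PSChildName
            Path = (Get-ItemProperty $_.PSPath).ProfileImagePath
        }
    }

foreach ($p in $profiles) {
    $hiveFile = Join-Path $p.Path 'NTUSER.DAT'
    if (Test-Path "Registry::HKEY_USERS\$($p.Sid)") {
        # Hive already loaded (user is logged on): write to it in place.
        Write-Host "Updating loaded hive $($p.Sid) ($($p.Path))"
        Set-ScreenSaverPolicy -HiveRoot "HKU\$($p.Sid)"
    } elseif (Test-Path $hiveFile) {
        Write-Host "Updating offline hive $hiveFile"
        Set-OfflineHivePolicy -HiveFile $hiveFile
    }
}

# The Default profile too, so any account created later starts with the same lock.
$defaultHive = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
if (Test-Path $defaultHive) { Set-OfflineHivePolicy -HiveFile $defaultHive }

# Spot check: show what each currently loaded user hive now holds.
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { & reg.exe query "HKU\$($_.PSChildName)\$PolicyKey" }
```

The values take effect at each user's next logon. Because this writes exactly what gpedit.msc writes, the GUI route on Windows Vista/7 is equivalent: in mmc.exe add the Group Policy Object Editor snap-in, click Browse, and on the Users tab pick Non-Administrators (or a single user) instead of Local Computer; an existing per-group policy there is also the first thing to check when the Local Computer policy appears not to reach the locked-down accounts. Anything else that rewrites user hives at logon can undo these values, which is consistent with the asker's later finding that SteadyState was interfering.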

1 Answer


Read the following:

http://blogs.technet.com/b/fdcc/archive/2008/05/07/lgpo-utilities.aspx

tony roth
  • Thank you. However, the link to NIST goes to a 404, so I can't see what all the policies would be easily. Also, and I realise I haven't downloaded this yet, we really want to apply only the policy described in my question, not necessarily a list of other policies, although if I could at least see what they were we could take a view on that. Thanks. – One Monkey Dec 01 '10 at 16:59
  • http://nvd.nist.gov/fdcc/index.cfm – tony roth Dec 02 '10 at 02:56
  • Yes, thank you, managed to get a better overview of this now. I appreciate the effort, but several secure network policies (the paper kind) prevent me running any of this software on the box, and from what I gather Win7 is not an operating system covered by these executables anyway. Also it seems like a lot of trouble to get a screensaver to lock out, and the idea of having to take several other security lockout features along with the screensaver lockout feature doesn't really appeal on principle. – One Monkey Dec 02 '10 at 10:17
  • The point is you can pick and choose your poison; the link was to show you the techniques used, it's not all-inclusive! Win7 is here: http://usgcb.nist.gov/ – tony roth Dec 02 '10 at 15:48
  • In the end it turned out that SteadyState was interfering in the policy settings. – One Monkey Dec 08 '10 at 16:12
  • Please add the relevant information from the link to this answer. As you have now been active on the site for a while, you will know the link-only answer policy. – wizzwizz4 Oct 26 '17 at 10:02