
Lock Down Desktop Using Group Policy

This is how I recently configured the User Configuration section of a Microsoft Group Policy Object to lock down the desktop of an end user's machine. I applied these settings to a Windows 7 Professional client. They are useful for restricting a user account to only the areas and applications you specify: with this configuration the account can only reach an application if I add it to the desktop as a shortcut, pin it to the taskbar (Windows 7) or add it to the Quick Launch bar (Windows XP), or launch it through the Group Policy itself. If you want to lock down and restrict access on a per-user-account basis, these policy settings are a good place to start.

This policy configures Internet Explorer to launch after the user logs on. If you want a different application, or several applications, to launch instead, change the entry in the System/Logon section.

Policy Settings

General -> Links
Location | Enforced | Link Status | Path
Users | No | Enabled | /Users

This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Computer Configuration (Enabled)
No settings defined.
User Configuration (Enabled)
Policies -> Administrative Templates -> Policy definitions (ADMX files) retrieved from the local machine.

Control Panel
Policy | Setting
Prohibit access to the Control Panel | Enabled

Control Panel/Add or Remove Programs

Control Panel/Personalization

Control Panel/Printers

Control Panel/Programs

Control Panel/Regional and Language Options

Desktop

Network/Offline Files
Policy | Setting
Prevent use of Offline Files folder | Enabled
Prohibit user configuration of Offline Files | Enabled
  (Prevents users from changing any cache configuration settings.)
Remove ‘Make Available Offline’ | Enabled
Turn off reminder balloons | Enabled

Network/Windows Connect Now

Shared Folders

Start Menu and Taskbar
Policy | Setting
Add Logoff to the Start Menu | Enabled
Add Search Internet link to Start Menu | Disabled
Change Start Menu power button | Enabled
  Choose one of the following actions: Restart
Clear history of recently opened documents on exit | Enabled
Clear the recent programs list for new users | Enabled
Do not display any custom toolbars in the taskbar | Enabled
Do not keep history of recently opened documents | Enabled
Do not search communications | Enabled
Do not search for files | Enabled
Do not search Internet | Enabled
Do not search programs and Control Panel items | Enabled
Lock all taskbar settings | Enabled
Lock the Taskbar | Enabled
Prevent users from adding or removing toolbars | Enabled
Prevent users from rearranging toolbars | Enabled
Remove access to the context menus for the taskbar | Enabled
Remove All Programs list from the Start menu | Enabled
Remove Balloon Tips on Start Menu items | Enabled
Remove common program groups from Start Menu | Enabled
Remove Default Programs link from the Start menu | Enabled
Remove Documents icon from Start Menu | Enabled
Remove Downloads link from Start Menu | Enabled
Remove drag-and-drop and context menus on the Start Menu | Enabled
Remove Favorites menu from Start Menu | Disabled
Remove frequent programs list from the Start Menu | Enabled
Remove Games link from Start Menu | Enabled
Remove Help menu from Start Menu | Enabled
Remove Homegroup link from Start Menu | Enabled
Remove links and access to Windows Update | Enabled
Remove Music icon from Start Menu | Enabled
Remove Network Connections from Start Menu | Enabled
Remove Network icon from Start Menu | Enabled
Remove Pictures icon from Start Menu | Enabled
Remove pinned programs list from the Start Menu | Enabled
Remove programs on Settings menu | Enabled
Remove Recent Items menu from Start Menu | Enabled
Remove Recorded TV link from Start Menu | Enabled
Remove Run menu from Start Menu | Enabled
Remove Search Computer link | Enabled
Remove Search link from Start Menu | Enabled
Remove See More Results / Search Everywhere link | Enabled
Remove user folder link from Start Menu | Enabled
Remove user’s folders from the Start Menu | Enabled
Remove Videos link from Start Menu | Enabled
Show QuickLaunch on Taskbar | Disabled
Turn off all balloon notifications | Enabled
Turn off notification area cleanup | Enabled
Turn off personalized menus | Enabled

System
Policy | Setting
Don’t display the Getting Started welcome screen at logon | Enabled
Prevent access to registry editing tools | Enabled
  Disable regedit from running silently? No
Prevent access to the command prompt | Enabled
  Disable the command prompt script processing also? No
Windows Automatic Updates | Enabled

System/Ctrl+Alt+Del Options
Policy | Setting
Remove Change Password | Enabled
Remove Lock Computer | Enabled
Remove Task Manager | Enabled

System/Logon
Policy | Setting
Run these programs at user logon | Enabled
  Items to run at logon: "c:\program files\internet explorer\iexplore.exe"

Windows Components/Desktop Gadgets
Policy | Setting
Turn off desktop gadgets | Enabled
Turn off user-installed desktop gadgets | Enabled

Windows Components/Internet Explorer
Policy | Setting
Turn off Favorites bar | Enabled

Windows Components/Internet Explorer/InPrivate
Policy | Setting
Turn off InPrivate Browsing | Enabled
Turn off InPrivate Filtering | Enabled

Windows Components/Internet Explorer/Internet Control Panel

Windows Components/Internet Explorer/Toolbars

Windows Components/Windows Explorer
Policy | Setting
Remove Windows Explorer’s default context menu | Enabled
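A lockdown like this is only as good as its actual application to the target user, so it is worth verifying from the client rather than trusting the GPO report. The following PowerShell script is an added example, not part of the original post: run it as the restricted user after logon, and it reads the per-user Policies registry keys that the Administrative Template settings above write to and reports which of the key restrictions are in effect. The key paths and value names are the standard registry locations for these settings; the expected values for DisableCMD (2) and DisableRegistryTools (1) follow from the "No" answers chosen for the script-processing and silent-regedit options.

```powershell
# Added example (not from the original post): check that the lockdown policies
# listed above reached the logged-on user's hive. A missing value means the GPO
# did not apply to this user (link, security filtering, or gpupdate not yet run).
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$CmdPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Report policy name -> registry value and the data expected for this GPO.
# DisableCMD=2: command prompt blocked, script processing left enabled.
# DisableRegistryTools=1: regedit blocked, silent mode not blocked.
$Checks = @(
    @{ Policy='Prohibit access to the Control Panel';      Key=$Explorer; Name='NoControlPanel';         Expected=1 }
    @{ Policy='Remove Run menu from Start Menu';           Key=$Explorer; Name='NoRun';                  Expected=1 }
    @{ Policy='Lock the Taskbar';                          Key=$Explorer; Name='LockTaskbar';            Expected=1 }
    @{ Policy='Remove links and access to Windows Update'; Key=$Explorer; Name='NoWindowsUpdate';        Expected=1 }
    @{ Policy='Prevent access to registry editing tools';  Key=$System;   Name='DisableRegistryTools';   Expected=1 }
    @{ Policy='Remove Task Manager';                       Key=$System;   Name='DisableTaskMgr';         Expected=1 }
    @{ Policy='Remove Lock Computer';                      Key=$System;   Name='DisableLockWorkstation'; Expected=1 }
    @{ Policy='Remove Change Password';                    Key=$System;   Name='DisableChangePassword';  Expected=1 }
    @{ Policy='Prevent access to the command prompt';      Key=$CmdPol;   Name='DisableCMD';             Expected=2 }
)

$Results = foreach ($c in $Checks) {
    # Get-ItemProperty fails if the key or value is absent; treat that as "not applied".
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Applied  = ($actual -eq $c.Expected)
    }
}
$Results | Format-Table -AutoSize

# "Run these programs at user logon" is stored as numbered string values under
# Policies\Explorer\Run; list them so anything other than iexplore.exe stands out.
$RunKey = Join-Path $Explorer 'Run'
if (Test-Path $RunKey) {
    Write-Host 'Logon programs pushed by policy:'
    (Get-ItemProperty -Path $RunKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
} else {
    Write-Host 'No logon programs pushed by policy (Run key absent).'
}
```

Any row with Applied = False is a setting the user is not actually restricted by; compare against gpresult /r to see whether the GPO was filtered out or simply has not refreshed yet.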