Prevent registry changes by users

Posted by graf_ignotiev on Super User See other posts from Super User or by graf_ignotiev
Published on 2012-06-04T22:19:20Z Indexed on 2012/06/04 22:42 UTC
Read the original article Hit count: 312

Filed under:
|
|

Background: I run a small computer lab of 10 computers using Windows 7 x64 Enterprise. Our users are set up as limited users. For additional restrictions, I set up local group policy for non-administrators using the microsoft management console.

Problem: Recently, I found out that some of these restrictions had been removed. Reviewing the settings MMC and in ntuser.pol showed that the settings should still be in place. However, the related registry settings were missing in ntuser.dat. I already have registry editing disabled in the GPO (though not in silent mode).

Question: What is the best way to deal with this situation? Should I look into preventing registry setting changes? Should I set up registry auditing to found out how these keys are getting changed in the first place? Or should I give up the ghost and write some kind of logon script that enforces registry values if they've been change? Any other ideas?

© Super User or respective owner

Related posts about security

Related posts about registry