Lockdown users on Windows Server 2012

Posted by el.severo on Server Fault See other posts from Server Fault or by el.severo
Published on 2012-10-20T15:12:18Z Indexed on 2012/10/20 17:03 UTC
Read the original article Hit count: 215

I set up a Active Directory on a server machine with Windows Server 2012 and I'd like to create some users with limitations like Windows Steady State does in Windows XP (locally).

Seen already the Windows SteadyState Handbook (with Windows Server 2008), but I'd like to know if anyone has tried this before, the limitations are the following:

1. Prevent locked or roaming user profiles that cannot be found on the computer from logging on
2. Do not cache copies of locked or roaming user profiles for users who have previously logged on to this computer
3. Do not allow Windows to compute and store passwords using LAN Manager Hash values
4. Do not store usernames or passwords used to log on to the Windows Live ID or the domain
5. Prevent users from creating folders and files on drive C:\
6. Lock profile to prevent the user from making permanent changes
7. Remove the Control Panel, Printer and Network Settings from the Classic Start menu
8. Remove the Favorites icon
9. Remove the My Network Places icon
10. Remove the Frequently Used Program list
11. Remove the Shared documents folder from My Computer
12. Remove control Panel icon
13. Remove the Set Program Access and Defaults icon
14. Remove the Network Connection(Connect To)icon
15. Remove the Printers and Faxes icon
16. Remove the Run icon
17. Prevent access to Windows Explorer features: Folder Options, Customize Toolbar, and the Notification Area
18. Prevent access to the taskbar
19. Prevent access to the command prompt
20. Prevent access to the registry editor
21. Prevent access to the Task Manager
22. Prevent access to Microsoft Management Console utilities
23. Prevent users from adding or removing printers
24. Prevent users from locking the computer
25. Prevent password changes (also requires the Control Panel icon to be removed)
26. Disable System Tools and other management programs
27. Prevent users from saving files to the desktop
28. Hide A Drive
29. Hide B Drive
30. Hide C Drive
31. Prevent changes to Internet Explorer registry settings
32. Empty the Temporary Internet Files folder when Internet Explorer is closed
33. Remove Internet Options
34. Remove General tab in Internet Options
35. Remove Security tab in Internet Options
36. Remove Privacy tab in Internet Options
37. Remove Content tab in Internet Options
38. Remove Connections tab in Internet Options
39. Remove Programs tab in Internet Options
40. Remove Advanced tab in Internet Options
41. Set a home page (Internet Explorer)
42. Restrict the possibility to change desktop image
43. Restrict the possibility to change wallpaper
44. Restrict usb flash drives

Any suggestions for this?

UPDATE:

As @Dan suggested me I'd like to specify that would be applied to a educational scenario where students can login from a computer and want to add some restrictions to them.

© Server Fault or respective owner

Related posts about active-directory

Related posts about group-policy