Adam DiMella : Techblog v4.0

A Resource for the Technically Inclined

Using MMC and GPO to AQL your WXP (WTF!?)

Posted by Adam on April 13, 2008

What’s all that nonsense mean? Simply this: Sometimes a restricted user account isn’t enough. You can lock down your Windows XP machine in order to prevent it from being modified in any way, without your intervention or approval. It’s possible to create an environment that provides access to ONLY what is needed and discreetly prevent access to system controls, applications, and settings.

This is important if you have:

  • Kids that need access to homework programs but not games…
  • Employees that know enough about computers to be dangerous…
  • Students that spend more time changing wallpaper than doing work…

Think of the possibilities!

  • Place shortcuts on the desktop to only the needed programs.
  • Remove access to “My Computer” and the “Start Bar”.
  • Prevent further Desktop changes.

KA-KOW!  In just a few clicks you have a fully-functional machine that’s locked down against accidental, malicious, or unwarranted changes.  Is it really that easy?  YUP!  Let’s get started!

Resources Needed:

  • Windows XP Professional machine (edit: thanks for the heads up JM!)
  • Patience

Microsoft has a great tutorial online that can be found here. I recommend you check it out for a more thorough understanding of Group Policy Objects, or GPOs. The following is taken from their website:

How to Start the Group Policy Editor

NOTE: You must be logged on to the computer using an account that has administrator privileges in order to use Group Policy Editor.

*Method 1*

  1. Click Start, and then click Run.
  2. In the Open box, type mmc, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Add.
  5. Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
  6. Click Close, and then in the Add/Remove Snap-in dialog box, click OK.

*Method 2*

NOTE: You can start the Group Policy Editor snap-in from the command line. This automatically loads the Local Computer GPO. To do this, follow these steps:

  1. Click Start, and then click Run.
  2. In the Open box, type Gpedit.msc, and then click OK.

The selected GPO is displayed in the Console Root.  (edit:  Now we can start making changes!!)

How to use the Local Computer GPO to Modify XP Settings

In this example, we will use the Group Policy Editor to temporarily remove the Turn Off Computer button from the Start menu. To do this, follow these steps:

  1. Start the Group Policy Editor and open the Local Computer policy by using *Method 1* or *Method 2*.
  2. Expand User Configuration (if it is not already expanded).
  3. Under User Configuration, expand Administrative Templates.
  4. Click Start Menu and Taskbar.
  5. In the right pane, double-click “Remove and disable the Turn Off Computer button”.
  6. Click Enabled, and then click Apply.
  7. Click Start.  Notice that the Turn Off Computer button is no longer displayed.
  8. Select the “Remove and disable the Turn Off Computer button” dialog box.
  9. Click Not Configured, then click Apply, and then click OK.
  10. Click Start.  Notice that the Turn Off Computer button is again displayed on the Start menu.
  11. Quit the Group Policy Editor snap-in.

That should give you a good idea of the ease and power of GPOs. Take some time and look around to get a feel for your options. You can prevent the wallpaper from being changed if you look under the Display options. Perhaps you’d like to turn off the rarely used Help on the Start Menu? Look no further than the Start Menu and Taskbar folder.

A word of warning:

  • Don’t make too many changes at once if you’re unsure of the results.  Make a few changes at a time.
  • DOCUMENT EVERYTHING.  The better notes you take, the better off you’ll be.
  • READ EVERYTHING TWICE.  Some of the language can be tricky, like “Disable Balloon Tips -- Enable / Disable?”
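
To help with the "document everything" advice, here is an added example (not part of the original post or Microsoft's tutorial) that records which of the settings mentioned above are currently in effect for the logged-on user. It assumes Windows PowerShell 2.0 or later is installed; the setting descriptions and the output file name are illustrative, and the script only reads the registry values these policies write under HKCU.

```powershell
# Added example: read-only audit of the lockdown settings discussed in this post.
# Each User Configuration policy below is stored as a DWORD under this key.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Setting text is descriptive; Key and Value are the registry location.
$policies = @(
    @{ Setting = 'Remove and disable the Turn Off Computer button'; Key = 'Explorer';      Value = 'NoClose' },
    @{ Setting = 'Remove Run from the Start menu';                  Key = 'Explorer';      Value = 'NoRun' },
    @{ Setting = 'Remove Help from the Start menu';                 Key = 'Explorer';      Value = 'NoSMHelp' },
    @{ Setting = 'Prevent changing wallpaper';                      Key = 'ActiveDesktop'; Value = 'NoChangingWallPaper' }
)

function Get-LockdownState {
    foreach ($p in $policies) {
        $path = Join-Path $base $p.Key
        $name = $p.Value
        # Returns nothing (error suppressed) when the key or the value is absent.
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue

        if (-not $item) {
            $state = 'Not Configured'      # no value written by the policy
        } elseif ($item.$name -eq 1) {
            $state = 'Enabled'
        } else {
            $state = 'Disabled'            # value present but not 1
        }

        New-Object PSObject -Property @{
            Setting  = $p.Setting
            Registry = "$($p.Key)\$name"
            State    = $state
            Checked  = (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
            User     = $env:USERNAME
        }
    }
}

# Show the current state and keep a dated copy alongside your notes.
# The file name is a hypothetical choice; it is written to the current directory.
$report = Get-LockdownState | Select-Object Checked, User, Setting, Registry, State
$report | Format-Table -AutoSize
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$report | Export-Csv -NoTypeInformation -Path "lockdown-${env:USERNAME}-$stamp.csv"
```

Run it as the restricted user before and after each batch of changes; comparing the two CSV files shows exactly which settings changed.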

I hope this gives you a few more tools in your arsenal to keep those gremlins at bay.  Feel free to hit me up with any questions you may have.

~A

2 Responses to “Using MMC and GPO to AQL your WXP (WTF!?)”

  1. John Mairs said

    Don’t forget that it has to be XP Pro. XP Home doesn’t have the GPO snap-in.

    And a few tips:
    In the case that you remove “Run” from the start menu and need to access MMC again, you can either open the Console savefile or navigate to C:\WINDOWS\system32\mmc.exe.

    If your company uses Fortres Grand CleanSlate and you hide the notification area, you can get back to the CleanSlate admin panel by navigating to C:\fgc. I forget the name of the executable, but it’s the only one in that directory.

  2. [...] on the Windows side. (If you’re looking to do the same thing for Windows, you might check out Adam’s tutorial on Group Policy Objects.) In this article, I’m assuming that you are comfortable with the Terminal and with digging [...]
