[Samba] desktop lockdown on win2k / xp

[kyle]

Hi guys,

I'm just about to shoot on my foot so I wanted to check if there is
something else to blow my full leg actually ;-))

I have setup a working Samba 3 PDC controller with user authentication and
roaming profiles. I want to lock down [*] the desktop on client machines
(win xp) as I did with poledit (NTConfig.POL) on Win9x/WinNT4 machines. 

[*] Lock downs suck as : disabling msn messenger, disabling some IE
cappabilities, disabling some harmful programs (outlook.exe
premium-rate-dialer.exe ...), hiding access to disk drives...


Since the only possible way to do this (according to what I have read) is
using some Active Directory group policies, and taking into account that
samba 3 isn't capable (yet) of acting as a AD server, I have to find another
solution :-)


<scary_solution>

I've thought of building a specially crafted .reg file (actually a set of
them) which will be imported in each logon on the machine; that way, I can
control the way the desktop acts for each user.

I will have a "general.reg" file for common lockdowns, some specific
"group-A.reg", "group-B.reg" files for each group and finally some
"user-A.reg" with specific lockdowns (or not) for special users.

</scary_solution>


I know this isn't great security since any user would be able to craft a
.reg file themselves and revert the lockdown... but for average user this
could be ok... :-)



Comments? ;-)




-- 
Window$ Macht Frei!