[Samba] desktop lockdown on win2k / xp
kyle at navegalia.com
Mon Dec 1 09:48:37 GMT 2003
I'm just about to shoot on my foot so I wanted to check if there is
something else to blow my full leg actually ;-))
I have setup a working Samba 3 PDC controller with user authentication and
roaming profiles. I want to lock down [*] the desktop on client machines
(win xp) as I did with poledit (NTConfig.POL) on Win9x/WinNT4 machines.
[*] Lock downs suck as : disabling msn messenger, disabling some IE
cappabilities, disabling some harmful programs (outlook.exe
premium-rate-dialer.exe ...), hiding access to disk drives...
Since the only possible way to do this (according to what I have read) is
using some Active Directory group policies, and taking into account that
samba 3 isn't capable (yet) of acting as a AD server, I have to find another
I've thought of building a specially crafted .reg file (actually a set of
them) which will be imported in each logon on the machine; that way, I can
control the way the desktop acts for each user.
I will have a "general.reg" file for common lockdowns, some specific
"group-A.reg", "group-B.reg" files for each group and finally some
"user-A.reg" with specific lockdowns (or not) for special users.
I know this isn't great security since any user would be able to craft a
.reg file themselves and revert the lockdown... but for average user this
could be ok... :-)
Window$ Macht Frei!
More information about the samba