Hello everyone. In my organization we don't have a domain; we have a workgroup, and it's on Windows 7.
They have asked me to restrict users from opening certain applications and to disable USB and CD-ROM.
I tried to do it with gpedit.msc by following these steps:
gpedit.msc > Computer Configuration > Security Settings > Application Control > AppLocker. Under AppLocker,
I clicked on Executable Rules, then right-clicked and selected New Rule > Permission: Deny > File Hash > and then selected notepad.exe.
One more thing: I chose the user name I created and applied the rule to it.
But Notepad gets denied for every user I have, even the administrator.
The same thing happens when I disable USB and CD-ROM.
Is there any way to deny access to the application at the user level, and have the application or USB/CD-ROM prompt for the administrator password in order to use that application or USB/CD-ROM?
Please HELP, it's very urgent.
GOKAY, thanks, it worked. Now I can apply policies to users. I disabled the Control Panel, looked for it in Run, clicked it, and the message I got was "contact your administrator". That is good; problem one is solved.
The second problem is to deny access to the application at the user level and have the application or USB/CD-ROM prompt for the administrator password in order to use that application or USB/CD-ROM. For example, I right-click on USB or an application, run it as administrator, give them access for a certain time, and the time expires automatically. And I don't need to log in physically as an administrator, because I need to do the same task remotely in different locations.
Parental is the last option I have. I was hoping for something better, like in Active Directory, where a user gets prompted, or where we right-click the application or USB drive and run it as administrator and then we can access it, but it seems like there is no way to do it in a standalone OS. Let's see what happens when I tell this to my BOSS.
Thank you for your support and help; I really appreciate it.
Do you have UAC enabled? You can try right click running as admin for programs. But I have no idea if you are supposed to be asked for admin credentials when trying to start a locked device.
...for example, I right-click on USB or an application, run it as administrator, give them access for a certain time, and the time expires automatically. And I don't need to log in physically as an administrator, because I need to do the same task remotely in different locations.
That is not going to happen at the application level automatically using Group Policy or Parental Controls.
If I am understanding you correctly...
...you could get a phone call from a user at 9am
...you remote into the computer being used by that user
...you right-click on an app and select run as admin from the context menu
...you enter the admin credentials
...you end your remote control session
...the user that called you uses the app that you started
...that app automatically ends one* hour after you started the app.
There are lots of apps that will install without admin rights. Chrome is one of them. I see that you are locking out portable apps by locking out USB/CD/DVD. Hopefully, the computers do not have Bluetooth.
I cannot help much with the lock down and I doubt that you can find an easy way to limit the time that an app runs for a user. It would probably require 3rd party software. A scripting tool like PowerShell or AutoIt might do what you want... but you would have to write the code.
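The workflow listed in the post above (start an app with admin credentials, let the user work, end it after a set time) can be sketched in PowerShell. This is an added example, not code from any poster in the thread; the function name `Start-TimeLimitedApp` and the event source `TimeLimitedApp` are hypothetical, and it assumes an elevated PowerShell 2.0 or later prompt opened in the user's session.

```powershell
# Added example, not from the thread. Start-TimeLimitedApp and the event
# source name are hypothetical. Run from an elevated PowerShell prompt.
function Start-TimeLimitedApp {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [ValidateRange(1, 1440)][int]$Minutes = 60,
        [string]$Source = 'TimeLimitedApp'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Executable not found: $Path"
    }

    # Register an event source once so every grant leaves an audit record.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }

    $proc = Start-Process -FilePath $Path -PassThru
    Write-EventLog -LogName Application -Source $Source -EventId 1000 `
        -EntryType Information `
        -Message "Started $Path (PID $($proc.Id)) for $Minutes minute(s)."

    # WaitForExit returns $true if the app closed before the limit was reached.
    if ($proc.WaitForExit($Minutes * 60 * 1000)) {
        $outcome = 'closed by the user before the limit'
    }
    else {
        # /T ends child processes as well, /F forces termination.
        & taskkill.exe /PID $proc.Id /T /F | Out-Null
        $outcome = 'terminated at the time limit'
    }

    Write-EventLog -LogName Application -Source $Source -EventId 1001 `
        -EntryType Information -Message "$Path (PID $($proc.Id)) $outcome."
    return $outcome
}

# Constructed usage: give the caller one hour of Notepad.
# Start-TimeLimitedApp -Path "$env:SystemRoot\System32\notepad.exe" -Minutes 60
```

The PowerShell window has to stay open for the timer to fire, and an app started this way runs with the administrator's token on the user's desktop, so its file dialogs reach whatever that account can. Launchers that hand off to another process and exit will end the wait immediately.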
*or some other length of time.
UsernameIssues, yes, this is exactly what I need.
Just now I tried to install Nero under a standard user I created, and it is able to install that program. That's not good.
I was restating part of what you wanted so that others would know that Parental Controls and Group Policies would not do that. Windows will not limit the time that a user can use an app like I described without 3rd party software. I don't know of any software that will do this. Someone might need to write it within your company.
Users may have problems running software using credentials other than their own. For instance, if the user tries to save a file to the desktop, it will be saved to the desktop folder under your user profile, not their desktop folder.
As far as preventing installations and the running of portable apps, you might be able to do this via whitelisting apps in local policies. You should experiment on frozen Virtual Machines.