Restrict AD domain users from exiting the domain after joining the local administrator-Win2008/2012

2025-01-16 Update. From: SLTechnology News&Howtos > Servers

Shulou (Shulou.com) 06/03 Report

Modify the group policy: under User Configuration > Administrative Templates > Desktop, set "Remove Properties from the Computer icon context menu" to Enabled. Once it applies, the Properties entry disappears when the user right-clicks Computer, and in Control Panel > System, clicking "Advanced system settings" or "Change settings" next to the computer name no longer opens anything.

In practice this alone is not safe. The policy above is a User Configuration setting, so it applies only to domain users. A domain user who holds local administrator rights can create a local administrator account, log on to the computer with that local account (which receives none of the domain user policies), and leave the domain from there.

Continue to modify the group policy:

First, under User Configuration > Policies > Administrative Templates > Windows Components > Microsoft Management Console > Restricted/Permitted snap-ins, find "Local Users and Groups" and set it to Disabled.

Second, under User Configuration > Policies > Administrative Templates > Control Panel, set "Hide specified Control Panel items" to Enabled and add Microsoft.UserAccounts to the list of disallowed Control Panel items. This is the canonical name of the User Accounts item that Windows 7 shows in Control Panel.

Third, under User Configuration > Policies > Administrative Templates > System, set "Don't run specified Windows applications" to Enabled and add Netplwiz.exe to the list of disallowed applications; this is the program that Start > Run launches to bring up the User Accounts dialog. Add powershell.exe to the same list so that users cannot add accounts from PowerShell. Still under System, set "Prevent access to the command prompt" to Enabled and answer "Disable the command prompt script processing also?" with Yes. (This method has a loophole: both policies match on the executable's file name, so a user who renames the program can still run it. Restricting programs with hash rules instead will be covered separately.)
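The same policies, written into a domain GPO from a management host, as an added example that is not part of the original article. It uses the GroupPolicy module (RSAT or a domain controller) and sets the registry values behind each Administrative Templates setting, so the result is what you would get by clicking through the editor. The GPO name is a placeholder, and the snap-in CLSID for "Local Users and Groups" is an assumption that should be confirmed against mmcsnapins.admx before use. The second function is meant to be run on a client as the restricted domain user to confirm what actually landed in the user hive.

```powershell
#Requires -Modules GroupPolicy
# Added example, not code from the original article. Create the GPO first
# (New-GPO) and link it to the OU that holds the affected domain users.

function Set-DomainLeaveRestriction {
    param(
        [Parameter(Mandatory)] [string]$GpoName,                       # placeholder name
        [string[]]$BlockedExecutables = @('Netplwiz.exe', 'powershell.exe')
    )

    $explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Desktop > "Remove Properties from the Computer icon context menu" = Enabled
    Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoPropertiesMyComputer' -Type DWord -Value 1 | Out-Null

    # Step 1: MMC > Restricted/Permitted snap-ins > "Local Users and Groups" = Disabled.
    # Restrict_Run = 1 prohibits the snap-in. The CLSID is an assumption: confirm it
    # in mmcsnapins.admx in your central store before relying on it.
    $lusrmgrClsid = '{5D6179C8-17EE-11D2-BCF9-00C04FB9DFB4}'
    Set-GPRegistryValue -Name $GpoName -Key "HKCU\Software\Policies\Microsoft\MMC\$lusrmgrClsid" -ValueName 'Restrict_Run' -Type DWord -Value 1 | Out-Null

    # Step 2: Control Panel > "Hide specified Control Panel items" = Enabled, list: Microsoft.UserAccounts
    Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'DisallowCpl' -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key "$explorer\DisallowCpl" -ValueName '1' -Type String -Value 'Microsoft.UserAccounts' | Out-Null

    # Step 3a: System > "Don't run specified Windows applications" = Enabled.
    # The list lives in a subkey as numbered value names "1", "2", ... whose data is
    # the bare file name, which is why renaming the executable bypasses it.
    Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
    for ($i = 0; $i -lt $BlockedExecutables.Count; $i++) {
        Set-GPRegistryValue -Name $GpoName -Key "$explorer\DisallowRun" -ValueName ([string]($i + 1)) -Type String -Value $BlockedExecutables[$i] | Out-Null
    }

    # Step 3b: System > "Prevent access to the command prompt" = Enabled.
    # DisableCMD = 1 blocks cmd.exe only; 2 also answers "disable script processing" with Yes.
    Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

    # Return what the GPO now carries under the Explorer policy key, for review.
    Get-GPRegistryValue -Name $GpoName -Key $explorer
}

function Test-DomainLeaveRestriction {
    # Run on a client as the restricted domain user after `gpupdate /force`.
    # Reads the keys the policies land in and reports which ones are in effect.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ex  = Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue
    $sys = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue

    # Collect the numbered entries ("1", "2", ...) of a DisallowCpl / DisallowRun subkey.
    function Get-ListEntries([string]$Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($null -eq $item) { return @() }
        $item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }

    [pscustomobject]@{
        ComputerPropertiesRemoved = ($ex.NoPropertiesMyComputer -eq 1)
        UserAccountsCplHidden     = ($ex.DisallowCpl -eq 1) -and ((Get-ListEntries "$explorer\DisallowCpl") -contains 'Microsoft.UserAccounts')
        BlockedExecutables        = @(Get-ListEntries "$explorer\DisallowRun")
        CmdAndScriptsBlocked      = ($sys.DisableCMD -eq 2)
    }
}

# On the management host:  Set-DomainLeaveRestriction -GpoName 'Restrict Local Admin Domain Leave'
# On a client, as the user: Test-DomainLeaveRestriction
```

Because every one of these settings is a User Configuration policy, the client check only says something when it is run in the domain user's own session; a local account created before the policies arrived will show nothing at all, which is exactly the gap the article is closing.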

After these three steps, a domain user has nowhere left in the interface to add a local administrator account, even with local administrator rights. Note that these are user-interface restrictions, not a removal of the right itself: any tool the user can still launch with an administrator token (including anything not on the name-based block list) can create an account, so the policies raise the effort required rather than remove the capability. A stricter and more unusual approach is to also set a BIOS password on the client and configure the local hard disk as the first boot device, so that a user cannot boot a PE environment and enable the local Administrator account (on Windows 7 and later, the built-in Administrator account is disabled by default).

© 2024 shulou.com SLNews company. All rights reserved.