I have learned how to setup samba as the PDC on the network. Is it possible to setup ACLs to where the user is prohibited from installing programs, etc.?

Thanks,

ziggy

It depends on the operating system the client machines will be using. There are methods of controlling both Linux + Windows machines to lock down settings. Let us know a little more about what environment you're wishing to try this out with.

windows systems. I want to be able to set file/folder access control, which i can find by googling. but i can't find anything that goes into more depth, like regulating the CLIENT's machine that logs on thru the PDC.

Thanks

ACL's are Access Control Lists, which are associated with files and folders on a drive. You can't use ACL's if the filesystem doesn't support them. So that means you must have NTFS on the client machines. If they have fat32, then you can't limit what users can do with files, since they will be able to do anything with them.

When you create users on the PDC, they are added to the Global group called "Domain Users". This domain global group is a member of each client computer's (if they're members of the domain) local group called "Users". So by default, standard users can't modify system files (if you're using NTFS), and can't modify the registry. Both of these are typically required to install programs.

Keep in mind that there's a whole world of programs that will run from a thumb drive. They are standalone .exe files that don't need to modify or update system files, or make any changes to the registry. The only way to stop those is to impose a computer policy where only approved programs are allowed to run, such as explorer.exe (the shell), etc.

So in conclusion, some of it depends on how your client machines are configured (particularly their filesystem), and some depends on how tight you want you security to be. You can make the security super-tight, but remember that many Windows programs won't run properly for users if they have such limited access to the computer.

One last thing to consider is a program like DeepFreeze. This program restores the computer to exactly how it was when you enabled deep freeze. So if programs are installed, or files are saved to the desktop, all that goes away with the next reboot and the computer is restored to how it was. I know some internet cafe's use stuff like that but I haven't played with it much.

Hope this helped.

Yes, that helps out a ton! I thought I was in for a day of reading and a couple days of playing around .. sigh of relief.

I will definitely check into DeepFreeze. I also found someone who wrote a program off of XP's shutdown.exe. Its called AutoShutdown.exe. I tried it and it works. So with DeepFreeze and AutoShutdown, clients can leave there computers Logged Off when leaving work, and all can be set to shutdown at a time during the night so DeepFreeze can do its task.

One other question. How would I restrice access to browsing the clients comptuer (windows box) to the %systemroot% folder? I'm sure you are going to tell me to read up on the roaming profile, which I do need to, but thought I would ask in case I'm wrong.

P.S. AutoShutDown is here.

Thanks again for all the help guys!

ziggy