Security – Force screensaver lockout for multiple users on one Windows 7 PC

pci-dss, Security, windows 7

We have a single PC that requires the following accounts:

  1. 2x Admin accounts for each named responsible administrator (That's me and my boss). The accounts have to be associated with our names for security logging as per the company policy.
  2. Nx User accounts which are all locked down to prevent right clicking the desktop, accessing the control panel, visiting any more than one specific web-site etc. (This PC is ultra secure for processing of credit card data and these restrictions are mandated by security policy)

Most of the time the PC will be used by one bog-standard user who will operate the machine all day. They have their own PC which falls outside of our secure network provisioning where they will do most of their work in the day. Hence the configuration should be set to make the screensaver come on after two idle minutes and require a password to unlock the machine.

Here's the killer. Although the gpedit.msc will allow us to configure such a policy for the administrators, it doesn't apply to the locked down users, and you can't change the settings while logged in as a locked down user. Is it possible to force this policy across all accounts on the machine from an administrator's account? Or do we have to go through the lengthy process of reversing the lockdown on user accounts, having them log in, setting the policy for their user and then locking the account down again?

EDIT: Paper policies prohibit me from downloading software, plugging in key drives or installing new software on the box without going through a very long paper trail. Whatever the solution to this is, it has to be something I do by entering changes into the OS manually, so registry edits are acceptable, but GUI based actions are preferable as I'm really a software developer, not a networks guy or systems administrator. The simpler the better, basically.
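
One way to apply the two-minute, password-protected screensaver described in the question to every local profile from an administrator account, as an added example that is not part of the original post: it writes the per-user screensaver policy values into each profile's registry hive using only built-in tools. The temporary mount-point name `Policy_<SID>` and the choice of the blank screensaver are assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt, ideally while the restricted users are logged off.
# Assumption: local profiles only, enumerated from ProfileList.

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$policyPath  = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Per-user screensaver policy values (all REG_SZ).
$settings = @{
    'ScreenSaveActive'    = '1'             # screensaver enabled
    'ScreenSaverIsSecure' = '1'             # password required on resume
    'ScreenSaveTimeOut'   = '120'           # idle timeout in seconds (two minutes)
    'SCRNSAVE.EXE'        = 'scrnsave.scr'  # blank screensaver shipped with Windows
}

Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } | ForEach-Object {
    $sid  = $_.PSChildName
    $hive = Join-Path (Get-ItemProperty $_.PSPath).ProfileImagePath 'NTUSER.DAT'

    # A logged-on user's hive is already mounted under HKEY_USERS\<SID>.
    $loadedHere = $false
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        $root = "HKU\$sid"
    } elseif (Test-Path $hive) {
        $root = "HKU\Policy_$sid"           # temporary mount point (name is arbitrary)
        & reg.exe load $root $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; return }
        $loadedHere = $true
    } else {
        Write-Warning "No NTUSER.DAT for $sid"; return
    }

    # Values under Software\Policies are not writable by standard users.
    foreach ($name in $settings.Keys) {
        & reg.exe add "$root\$policyPath" /v $name /t REG_SZ /d $settings[$name] /f | Out-Null
    }

    if ($loadedHere) {
        [gc]::Collect()                      # release any handles before unloading
        & reg.exe unload $root | Out-Null
    }
    Write-Output "Screensaver lock policy written for $sid"
}
```

A profile hive exists only for accounts that have logged on at least once, so the script has to be rerun after a new restricted account's first logon.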
