Using Group Policies to lock down a workstation on a domain is time consuming but generally pretty simple.  There are, however, exceptions.

One thoroughly frustrating item is hiding/removing the Network icon from Windows Explorer.  I found plenty of references online on how to do this, but they weren’t user-specific: you modify a COMPUTER policy, which means ALL users are affected, not just the user account you want to lock down.  As soon as the new policy is applied (triggered by the restricted user logging in) the Registry key is written under HKEY_LOCAL_MACHINE.  This does limit the restricted user, but it then limits every other, unrestricted user who logs into the shared PC as well.

I did some testing and found this key will work to hide the Network icon from Windows Explorer:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
REG_DWORD Value 0x1

When applied manually (a reboot is required), the user it is applied to no longer sees the Network icon in Windows Explorer.  You have to create the \NonEnum key yourself and populate it with the {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} DWORD value; neither exists by default.
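The following PowerShell is an added example and not part of the original post. It applies the per-user value described above for the signed-in account and then reports whether the restriction is coming from the user hive or from HKEY_LOCAL_MACHINE, which is the machine-wide variant that affects every account on the PC. The CLSID and key path are the ones from the post; the function names and the "hidden for this user only" interpretation are my own.

```powershell
# Added example (not from the original post): hide the Network icon for the
# current user only, then show which hive is enforcing the restriction.
# Assumes it runs on a Windows domain workstation in the restricted user's session.

$NetworkClsid = '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'   # CLSID from the post
$SubKey       = 'Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum'

function Set-NetworkIconHidden {
    # Writes the DWORD under HKCU only, so other accounts on the PC are untouched.
    param([string]$Clsid = $NetworkClsid)
    $path = "HKCU:\$SubKey"
    if (-not (Test-Path $path)) {
        # The NonEnum key is absent by default and has to be created first.
        New-Item -Path $path -Force | Out-Null
    }
    New-ItemProperty -Path $path -Name $Clsid -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-NetworkIconPolicyScope {
    # Returns which hive(s) carry the value. An HKLM entry hides the icon for
    # every user on the machine, which is the side effect the post warns about.
    param([string]$Clsid = $NetworkClsid)
    $result = [ordered]@{ User = $false; Machine = $false }
    foreach ($hive in 'HKCU', 'HKLM') {
        $path = "${hive}:\$SubKey"
        $item = Get-ItemProperty -Path $path -Name $Clsid -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.$Clsid -eq 1) {
            if ($hive -eq 'HKCU') { $result.User = $true } else { $result.Machine = $true }
        }
    }
    [pscustomobject]$result
}

Set-NetworkIconHidden
# After a per-user deployment this should report User = True, Machine = False.
Get-NetworkIconPolicyScope
```

Run it in the restricted user's own session (not elevated as a different account, or the HKCU value lands in the wrong profile). As the post notes, Explorer only picks up the change after the user signs out and back in or the PC reboots. If the scope check ever reports Machine = True, a computer-level policy or a stray HKLM entry is in play and the restriction is no longer limited to one account.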

Trying to get this to apply with a Group Policy seems to be very difficult.

I’m still working on getting this to work for a client.  When I have it finalized I’ll document the process here so anyone who finds this blog won’t experience the same frustrations I did.

— UPDATE —

I completed the GPO and confirmed that everything is working.  

COMPUTER CONFIGURATION

Policies

Windows Settings

Security Settings

System Services

Computer Browser (Startup Mode: Disabled)
Permissions – No permissions specified
Auditing – No Auditing specified

Registry

USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies
Configure this key then: Propagate inheritable permissions to all subkeys
ADD –> Allow BUILTIN\Users – Full Control to This key and subkeys

Administrative Templates

Network/Network Connections

Policy – Do not show the “local access only” network icon – Enabled

Network/Offline Files

Policy – Allow or Disallow use of the Offline Files Feature – Disabled
Policy – At logoff, delete local copy of the user’s offline files – Enabled
Policy – Enable file synchronization on costed networks – Disabled
Policy – Enable Transparent Caching – Enabled (leave default settings)
Policy – Prevent use of Offline Files folder – Enabled
Policy – Prohibit user configuration of Offline Files – Enabled
Policy – Remove “Make Available Offline” command – Enabled
Policy – Remove “Work Offline” command – Enabled
Policy – Synchronize all offline files before logging off – Disabled
Policy – Synchronize all offline files when logging on – Disabled
Policy – Synchronize offline files before suspend – Disabled
Policy – Turn off reminder balloons – Enabled

User Configuration

Policies

Windows Settings

Folder Redirection – for brevity I will consolidate the settings listed below, as they are exactly the same for each redirected folder

AppData (Roaming)
Contacts
Desktop
Documents
Downloads
Favorites
Links
Music
Pictures
Saved Games
Searches
Start Menu
Videos

On my networks I create two user shares – \\servername\user_data and \\servername\profile_data$ (hidden share).  I put all the Documents and related folders in the user_data folder and put all the other profile folders in the profile_data$ hidden share. 
I never grant the user exclusive rights to any of their redirected folders
I always set Policy Removal Behavior to Restore Contents (helpful if you ever want to change the path to these redirected folders to another server)

Administrative Templates

Control Panel

Policy – Prohibit access to Control Panel and PC Settings – Enabled

Control Panel/Personalization

Policy – Enable Screen Saver – Enabled
Policy – Force a specific visual style file or force Windows Classic (if you don’t specify anything it defaults to Windows Classic)
Policy – Password protect the screen saver – Enabled
Policy – Prevent changing screen saver – Enabled
Policy – Screen saver timeout – Enabled (set to 900 seconds)

Desktop

Policy – Do not add shares of recently opened documents to Network locations – Enabled
Policy – Do not save settings at exit – Enabled
Policy – Hide Internet Explorer icon on desktop – Disabled
Policy – Hide Network Locations on desktop – Enabled
Policy – Prevent adding, dragging, dropping, and closing the Taskbar’s toolbars – Enabled 
Policy – Prohibit adjusting desktop toolbars – Enabled 
Policy – Prohibit User from manually redirecting Profile Folders – Enabled
Policy – Remove Computer icon on the desktop – Enabled
Policy – Remove My Documents icon on the desktop – Enabled
Policy – Remove Properties from the Computer icon context menu – Enabled
Policy – Remove Properties from the Documents icon context menu – Enabled
Policy – Remove Properties from the Recycle Bin context menu – Enabled
Policy – Remove Recycle Bin icon from desktop – Enabled
Policy – Remove the Desktop Cleanup Wizard – Enabled

Desktop/Desktop

Policy – Disable Active Desktop – Enabled
Policy – Enable Active Desktop – Disabled

Network/Network Connections

Policy – Ability to Enable/Disable a LAN connection – Disabled
Policy – Prohibit access to properties of a LAN connection – Enabled
Policy – Prohibit access to properties of components of a LAN Connection – Enabled
Policy – Prohibit access to the Advanced Settings item on the Advanced menu – Enabled
Policy – Prohibit access to New Connection Wizard – Enabled
Policy – Prohibit Enabling/Disabling components of a LAN connection
Policy – Prohibit TCP/IP advanced configuration

Network/Offline Files

Policy – Error logging level (set to 3)
Policy – Prevent use of Offline Files Folder – Enabled
Policy – Prohibit user configuration of Offline Files – Enabled
Policy – Remove “Make Available Offline” command – Enabled
Policy – Specify administratively assigned Offline Files – set to the same location you set your folder redirections (\\server\user_data \\server\profile_data$)
Policy – Synchronize all offline files before logging off – Enabled
Policy – Synchronize all offline files when logging on – Enabled
Policy – Turn off reminder balloons – Enabled

Shared Folders

Policy – Allow DFS roots to be published – Disabled
Policy – Allow shared folders to be published – Disabled

Start Menu and Taskbar (This is a big one)

Policy – Add “Run in Separate Memory Space” check box to Run dialog box – Enabled
Policy – Add Logoff to the Start Menu – Enabled
Policy – Add Search Internet link to Start Menu – Disabled
Policy – Add the Run command to the Start Menu – Disabled
Policy – Change Start Menu power button – Enabled (Choose one of the following actions – Log off)
Policy – Clear history of recently opened documents on exit – Enabled
Policy – Clear history of tile notifications on exit – Enabled
Policy – Clear the recent programs list for new users – Enabled
Policy – Do not allow pinning items in Jump Lists – Enabled
Policy – Do not allow pinning programs to the Taskbar – Enabled
Policy – Do not allow pinning Store app to the Taskbar – Enabled
Policy – Do not allow taskbars on more than one display – Enabled
Policy – Do not display any custom toolbars in the taskbar – Enabled
Policy – Do not display or track items in Jump Lists from remote locations – Enabled
Policy – Do not keep history of recently opened documents – Enabled
Policy – Do not search communications – Enabled
Policy – Do not search for files – Enabled
Policy – Do not search Internet – Enabled
Policy – Do not search programs and Control Panel items – Enabled
Policy – Do not use the search-based method when resolving shell shortcuts – Enabled
Policy – Do not use the tracking-based method when resolving shell shortcuts – Enabled
Policy – Go to the desktop instead of Start when signing in – Enabled
Policy – Gray unavailable Windows Installer programs Start Menu shortcuts – Enabled
Policy – Hide the notification area – Disabled
Policy – Lock all taskbar settings – Enabled
Policy – Lock the Taskbar – Enabled
Policy – Prevent changes to Taskbar and Start Menu Settings – Enabled
Policy – Prevent users from adding or removing toolbars – Enabled
Policy – Prevent users from customizing their Start Screen – Enabled
Policy – Prevent users from moving taskbar to another screen dock location – Enabled
Policy – Prevent users from rearranging toolbars – Enabled
Policy – Prevent users from resizing the taskbar – Enabled
Policy – Prevent users from uninstalling applications from Start – Enabled
Policy – Remove access to the context menus for the taskbar – Enabled
Policy – Remove All Programs list from the Start menu – Disabled
Policy – Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands – Enabled
Policy – Remove Balloon Tips on Start Menu items – Enabled
Policy – Remove Clock from the system notification area – Disabled
Policy – Remove common program groups from Start Menu – Disabled
Policy – Remove Default Programs link from the Start menu. – Enabled
Policy – Remove Downloads link from Start Menu – Enabled
Policy – Remove frequent programs list from the Start Menu – Enabled
Policy – Remove Games link from Start Menu – Enabled
Policy – Remove Help menu from Start Menu – Enabled
Policy – Remove Homegroup link from Start Menu – Enabled
Policy – Remove links and access to Windows Update – Enabled
Policy – Remove Logoff on the Start Menu – Disabled
Policy – Remove Music icon from Start Menu – Enabled
Policy – Remove Network Connections from Start Menu – Enabled
Policy – Remove Network icon from Start Menu – Enabled
Policy – Remove pinned programs from the Taskbar – Disabled
Policy – Remove programs on Settings menu – Enabled
Policy – Remove Recent Items menu from Start Menu – Enabled
Policy – Remove Recorded TV link from Start Menu – Enabled
Policy – Remove Run menu from Start Menu – Enabled
Policy – Remove Search Computer link – Enabled
Policy – Remove Search link from Start Menu – Enabled
Policy – Remove See More Results / Search Everywhere link – Enabled
Policy – Remove the “Undock PC” button from the Start Menu – Enabled
Policy – Remove the Action Center icon – Enabled
Policy – Remove the battery meter – Enabled
Policy – Remove the networking icon – Enabled
Policy – Search just apps from the Apps view – Disabled
Policy – Show “Run as different user” command on Start – Disabled
Policy – Turn off all balloon notifications – Enabled
Policy – Turn off automatic promotion of notification icons to the taskbar – Enabled
Policy – Turn off feature advertisement balloon notifications – Enabled
Policy – Turn off notification area cleanup – Enabled
Policy – Turn off personalized menus – Enabled
Policy – Turn off user tracking – Enabled

System

Policy – Don’t run specified Windows applications – Enabled – specify “powershell.exe”
Policy – Prevent access to registry editing tools – Enabled
Policy – Prevent access to the command prompt – Enabled
Policy – Restrict these programs from being launched from Help – Enabled – specify “powershell.exe”

Windows Components/Desktop Gadgets

Policy – Turn off desktop gadgets – Enabled
Policy – Turn off user-installed desktop gadgets – Enabled

Windows Components/File Explorer

Policy – Do not request alternate credentials – Enabled
Policy – No Computers Near Me in Network Locations – Enabled
Policy – No Entire Network in Network Locations – Enabled
Policy – Remove “Map Network drive” and “Disconnect Network Drive” – Enabled

Windows Components/Internet Explorer/Browser menus

Policy – Tools menu: Disable Internet Options… menu options – Enabled

Windows Components/Internet Explorer/Internet Control Panel/Security Page

Policy – Turn on automatic detection of intranet – Enabled

Windows Components/Internet Explorer/Internet Settings/Advanced settings/Internet Connection Wizard Settings

Policy – Start the Internet Connection Wizard automatically – Disabled

Windows Components/Network Sharing

Policy – Prevent users from sharing within their profile – Enabled

Preferences

Windows Settings

Registry

{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} (Order 1)

General
  Action = Replace
  Hive = HKEY_CURRENT_USER
  Key path = SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum
  Value name = {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
  Value type = REG_DWORD
  Value data = 0x1 (1)
Common
  Stop processing items on this extension if an error occurs on this item = No
  Run in logged-on user’s security context (user policy option) = No
  Remove this item when it is no longer applied = Yes
  Apply once and do not reapply = No

{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} (Order 2)

General
  Action = Create
  Hive = HKEY_CURRENT_USER
  Key path = SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum
  Value name = {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
  Value type = REG_DWORD
  Value data = 0x1 (1)
Common
  Stop processing items on this extension if an error occurs on this item = No
  Run in logged-on user’s security context (user policy option) = No
  Remove this item when it is no longer applied = Yes
  Apply once and do not reapply = No

Control Panel Settings

Internet Settings

Internet Explorer 10: Internet Explorer 10 (Order 1) – there are a lot of options; leave them alone and change only the Proxy Configuration (set the proxy to 127.0.0.1)
–  remember to bypass the proxy for local connections and set “Do not use proxy servers for addresses beginning with” to your local LAN IPs and domain(s)

Repeat this configuration and its variations for all versions of Internet Explorer listed.
Also, what’s not mentioned is that the Internet Explorer 10 item covers version 10 and above (including Microsoft Edge).
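The following PowerShell is an added example and not part of the original post. It reads the WinINET proxy values that the Internet Settings preference item writes for the signed-in user and checks that they match the lockdown above: proxy pointed at 127.0.0.1, local addresses bypassed, and the LAN ranges and domain you listed present in the bypass list. The registry path and the ProxyEnable, ProxyServer and ProxyOverride value names are the standard WinINET ones; the expected bypass entries in the parameter defaults are placeholders you replace with your own.

```powershell
# Added example (not from the original post): verify the per-user proxy lockdown
# written by the GPP Internet Settings item. Assumes it runs in the restricted
# user's session on a Windows workstation.

$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-LockdownProxy {
    param(
        [string]$ExpectedProxy = '127.0.0.1',
        # "<local>" is what "Bypass proxy server for local addresses" adds to the
        # override list; the other entries are placeholders for your LAN and domain.
        [string[]]$RequiredBypass = @('<local>', '192.168.1.*', '*.example.local')
    )
    $p = Get-ItemProperty -Path $InetKey -ErrorAction Stop
    $findings = @()

    if ($p.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1; no proxy is in force for this user'
    }

    # Depending on the "use the same proxy for all protocols" option the value is
    # either "host:port" or "http=host:port;https=host:port;...", so match loosely.
    $server = [string]$p.ProxyServer
    if ($server -notmatch [regex]::Escape($ExpectedProxy)) {
        $findings += "ProxyServer is '$server', expected it to point at $ExpectedProxy"
    }

    $override = @()
    if ($p.ProxyOverride) {
        $override = ($p.ProxyOverride -split ';') | ForEach-Object { $_.Trim() }
    }
    foreach ($entry in $RequiredBypass) {
        if ($override -notcontains $entry) {
            $findings += "ProxyOverride is missing '$entry'"
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-LockdownProxy
```

Run it after the user has signed in once so the preference item has been processed. Keep in mind that a WinINET proxy pointed at 127.0.0.1 only stops programs that honour the user's proxy settings; it is a convenience restriction for the browser, not a substitute for filtering at the network edge, so treat a Compliant = True result as confirmation that the GPO applied, not as proof the PC has no internet access.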

Woah that’s a lot!  However, this configuration will give the restricted local user access to any applications installed on the PC, any printers installed on the PC, and any user-generated data.  It will prohibit access to all local drives (including the C:\ drive, DVD-ROM drives and USB drives), Network locations (other PCs or servers on the network) and network drives except those specifically assigned to this user.  I didn’t see the point in mapping the user home folder because with folder redirection all the data (re)locations are completely transparent to the end user.  They don’t know that their Desktop folder is not physically located on this workstation.

If you actually read the whole post and reviewed every setting you may see there is some ambiguity.  I realized as I wrote this that the Computer policy prohibits use of Offline Files and Folders while the User policy turns it on.  Typically the Computer policy will override the User policy, so the User policy settings turning on Offline Files and Folders are redundant.  I should probably fix that.

When it comes to Offline Files and Folders, on a desktop PC that stays on the LAN it’s probably better to keep it all turned off.  If, however, the shared unit is a notebook/laptop, it’s better to turn them on.

Using the redirected folders makes it easier for an administrator to add items to the user’s desktop, documents (pictures, music, videos) and start menu by accessing the home folder on the server share, and to make that share accessible to other management users.

Finally, one additional setting can be set to lock the system down even further – Start Menu and Taskbar – remove access to All Programs.  This restricts the user to whatever desktop shortcuts to local applications you want the user to have access to.  Since this is probably a domain-joined and therefore shared computer, it may have applications installed that you don’t want the restricted user to have access to.