I am a developer not a sysadmin but I was recently asked to lock down the workstations - in terms of stopping users from adding software. I followed the online articles on adding domain admins and specific users to the restricted group category in the GPO and now all hell has broken loose. I have users that cannot change the time, access My Documents and server services that cannot start. The servers are most puzzling as the services are set to run with accounts that are members of domain admins.
I am now faced with regressing the GPO policy which does not seem to have a long-term effect and then addressing the issue all over again.
Ok, you need to approach this carefully rather than just leap in. You wouldn't just sit down and code without thinking of what you were trying to achieve, and nor would you roll out untested code into an enterprise environment? This is no different. Once you've removed/reverted all the changes you've made...
Firstly, do not change the default domain policy. About the only thing you might want to change here is password security settings (and I'm sure someone will be along shortly to tell you I'm wrong there too and you shouldn't do that either...).
I suggest that you don't lock things down unless you really need them locked down. You need to think about what the exact problem is that you have been asked to solve when you were told to "lock down the workstations" and concentrate just on things that will help solve that problem rather than disabling everything in sight; which, forgive me, it sounds like you've done. If you're unsure what the objectives are for "locking down the workstations" then get clarification... aside from anything else people in different jobs need different levels of "openness" - there's a big difference between what's appropriate for a sales agent in a big company who only ever runs a web browser, an email client and a bespoke sales package and a developer, for example.
Create an OU structure that reflects the business, along the lines where it might be logical to group machines and possibly users too. Think and plan what you are trying to achieve, how it might apply to different groups of computers and of users, think about any "exceptions". Take some time doing this.
Set GPOs at these levels and use separate GPOs for user settings and machine settings - e.g. you might have a structure like this
[OU tree diagram lost in extraction; only the leaf node "Network Admins" survived]
Yeah I know, lousy diagram but understandable I hope?
So you might apply settings that you want everyone to have at the "My Org" level, settings you want everyone in the IT function to have at the "IT" level, and at the "Sales" and "Developers" level you might have a few machine GPOs that install software used on machines in that department.
Don't over-complicate things; the structure I outline above is clearly overkill for a small business with 8 people in it, 4 of whom are all developers and which doesn't have a separate "network admins" function... but it gives an idea of how things might be reasonably laid out.
With things set up the way you want, create a test user and a test computer (virtualisation is your friend) to place in various OUs so you can test how things work. Don't move real users and real computers into this structure until you understand how the settings work and interact with each other and until you're reasonably sure you've got some good baseline settings.
Lastly, document everything you do. GPOs are somewhat self documenting, but it's still wise to have notes.
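The steps in the answer above (OU tree, separate user and computer GPOs per level, test objects before moving real ones, documentation) as one worked PowerShell example. This is added here and is not code from the original poster or answerer; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a placeholder domain `DC=example,DC=local`, illustrative OU names taken from the answer, and an account permitted to create OUs and GPOs. One caveat worth knowing for the breakage described in the question: in Restricted Groups, "Members of this group" enforces an exact membership list and strips anyone not listed, whereas "This group is a member of" only adds, so the first form applied at domain level will reach servers and service accounts too, which is why the answer says to keep such settings off the Default Domain Policy.

```powershell
# Added example, not from the original thread. Builds a TEST OU tree mirroring
# the answer's structure, creates one user GPO and one computer GPO per level
# (with the other half disabled so each GPO does only one job), links them,
# creates a test user and test computer, and exports reports for documentation.
# Assumptions: RSAT modules installed; $domainDn is a placeholder to replace.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'   # placeholder, replace with your domain DN

# OU tree from the answer (names are illustrative); parents listed before children
$tree = [ordered]@{
    'My Org'         = $domainDn
    'IT'             = "OU=My Org,$domainDn"
    'Network Admins' = "OU=IT,OU=My Org,$domainDn"
    'Sales'          = "OU=My Org,$domainDn"
    'Developers'     = "OU=My Org,$domainDn"
}

foreach ($ou in $tree.GetEnumerator()) {
    $dn = "OU=$($ou.Key),$($ou.Value)"
    # -Filter returns nothing (no error) when the OU does not exist yet
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Key -Path $ou.Value -ProtectedFromAccidentalDeletion $true
    }
}

# One user GPO and one computer GPO per level; the unused half of each GPO is
# disabled so a later edit cannot accidentally push user settings from a
# "computer" GPO or vice versa. Nothing is linked to the Default Domain Policy.
function New-SplitGpo {
    param([string]$Name, [string]$TargetDn)

    $user = Get-GPO -Name "$Name - User" -ErrorAction SilentlyContinue
    if (-not $user) { $user = New-GPO -Name "$Name - User" -Comment "User settings for $Name" }
    $user.GpoStatus = 'ComputerSettingsDisabled'

    $comp = Get-GPO -Name "$Name - Computer" -ErrorAction SilentlyContinue
    if (-not $comp) { $comp = New-GPO -Name "$Name - Computer" -Comment "Computer settings for $Name" }
    $comp.GpoStatus = 'UserSettingsDisabled'

    $existingLinks = (Get-GPInheritance -Target $TargetDn).GpoLinks
    foreach ($g in @($user, $comp)) {
        if (-not ($existingLinks | Where-Object { $_.DisplayName -eq $g.DisplayName })) {
            New-GPLink -Name $g.DisplayName -Target $TargetDn -LinkEnabled Yes | Out-Null
        }
    }
}

foreach ($ou in $tree.GetEnumerator()) {
    New-SplitGpo -Name $ou.Key -TargetDn "OU=$($ou.Key),$($ou.Value)"
}

# Test objects only: a throwaway user and computer in one leaf OU. Real users
# and machines stay where they are until the test results look right.
$testOu = "OU=Developers,OU=My Org,$domainDn"
if (-not (Get-ADUser -Filter "sAMAccountName -eq 'gpo-test-user'")) {
    New-ADUser -Name 'gpo-test-user' -SamAccountName 'gpo-test-user' -Path $testOu `
        -AccountPassword (Read-Host -AsSecureString 'Password for gpo-test-user') -Enabled $true
}
if (-not (Get-ADComputer -Filter "name -eq 'GPO-TEST-PC'")) {
    New-ADComputer -Name 'GPO-TEST-PC' -Path $testOu   # join a test VM under this name
}

# Check: what actually applies at the test OU, in link/inheritance order.
# This is the list to compare against what you intended before moving anything.
(Get-GPInheritance -Target $testOu).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

# Documentation: one HTML report per GPO, kept alongside your own notes.
$reportDir = Join-Path $env:USERPROFILE 'gpo-reports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
foreach ($g in Get-GPO -All | Where-Object { $_.DisplayName -like '* - User' -or $_.DisplayName -like '* - Computer' }) {
    Get-GPOReport -Guid $g.Id -ReportType Html -Path (Join-Path $reportDir "$($g.DisplayName).html")
}
# On the joined test VM, logged on as gpo-test-user, run:  gpresult /h rsop.html
# and confirm only the GPOs listed above were applied before moving real objects.
```

The script is idempotent: rerunning it skips OUs, GPOs, links and test objects that already exist, so it can be used to rebuild the structure in a lab VM as many times as needed while settings are being worked out. The GPOs it creates are deliberately empty; the settings themselves are added afterwards, one level at a time, with `gpresult` on the test machine confirming each change before the next.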