Need a little advice on mandatory profile setup

So, I have been tasked with setting up a mandatory profile for non employees who use our workstations. The mandatory profile should only have Internet explorer and adobe reader in the start menu and nothing else. The profile should also exclude the desktop. For the most part the mandatory profile works but the issue i'm running into is that "all users" items from C:\documents and settings\all users\desktop and C:\documents and settings\all users\start menu are showing up in the mandatory profile. These workstations are running windows XP and I am not to use GPOs to get this done. How can I hide the all users stuff from accounts that log in with the mandatory profile. This profile is on a network share and the profile path is set in AD for these users.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Tackle

Security Permissions on the All users folder maybe?

Claymoore

CodeBlox wrote: »

These workstations are running windows XP and I am not to use GPOs to get this done.

Here's a stack of wood and a box of nails, but you can't use a hammer to build anything.

A GPO is the tool to get this done. If you want this kiosk to be a standalone workstation and not domain joined, you can still use local group policy to configure the settings. Not only does a GPO adjust the settings, it enforces them to either prevent changes or will reapply the settings.

You should consider running Internet Explorer in kiosk mode as the shell instead of Explorer. You will still need to lock down other settings other objects like Task Manager and the command prompt to prevent users from browsing/launching other applications. If you were running a modern operating system you could use AppLocker and restrict applications further.

Internet Explorer Kiosk « The Lazyadmin.com
How to use Kiosk Mode in Microsoft Internet Explorer
AppLocker Policies Deployment Guide

CodeBlox

LOL! It's not a Kiosk for just anyone to use. What I AM gonna do today is restrict the user to that one workstation and delete the all users stuff.

CodeBlox

Bump... Any other thoughts about hiding "all users" stuff from a single user or should I resort to prodding around in the registry for HKCU?

Repo Man

Can you use local GPO's?

What about setting the folder to hidden then doing a local GPO to disable folder options?

drkat

Are the users logging into the machine the same group of people and are they sharing a common logon?

CodeBlox

I don't see any issue with local GPOs, I just don't think the sys admins are gonna use GPOs in the domain (He's saying it used to work without GPO until someone messed it up). These are different people logging into different workstations. They all are in their own OU in AD.