Wednesday, August 24, 2011

A Quick Tip To Prevent Users From Accessing The Computer Tab

You may need to prevent your users from accessing the Computer Tab in the My Computer properties, for security or some other reason. There is no Group Policy setting available to disable it, but you can set permissions on the NetID.DLL file, which implements the functions needed to show this tab. Use the steps below:
Steps:
  • Search for the NetID.DLL file on the local computer.
  • Remove or set the following permissions to hide the Computer Tab:
      Administrators - Full Control
      Power Users - Read & Execute, Read
      System - Full Control


The default NTFS permissions are:
Administrators - Full Control
Power Users - Read & Execute, Read
System - Full Control
Users - Read & Execute, Read

Note: You can also create a script to deploy the NetID.DLL permissions using Group Policy.

What To Check If A Single User Can't Log On To Domain?

Sometimes a single user might not be able to log on to the domain. You can follow the checklist given below:
Make sure:
  • You can ping the domain controller from the user's computer. 
  • There is no white space in the user's Home Profile in the user's properties > Check it using DSA.MSC.
  • The user's computer is configured with the correct DNS Server to find the domain controller > Check in the TCP/IP properties of the user's computer.
  • The Computer Account in the domain for the user's computer is not missing > Check using the DSA.MSC
  • The Computer Account in the domain is not disabled > Check using the DSA.MSC
  • The Time between the domain controller and the client computer is synchronized > Check using Net Time command.
  • The Domain Controller can be found > Check environment variables and check "LOGONSERVER" value or execute Nltest /DsGetDc:domain to re-locate the domain controller for the user.
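
The checklist above can be run as one pass from the affected client. This is an added example, not part of the original post: the domain name is a placeholder, `w32tm /stripchart` is used instead of Net Time to get a numeric offset, and the Home Profile item is not covered.

```powershell
# Added example, not from the original post. Run in Windows PowerShell on the
# affected client. $Domain is a placeholder; 300 s is the Kerberos default skew.
param([string]$Domain = 'corp.example.com', [int]$MaxSkewSeconds = 300)

function Get-DcName([string[]]$NltestOutput) {
    # nltest /dsgetdc prints a line such as "       DC: \\dc01.corp.example.com"
    foreach ($line in $NltestOutput) {
        if ($line -match '^\s*DC:\s*\\\\(\S+)') { return $Matches[1] }
    }
}

function Get-SkewSeconds([string[]]$W32tmOutput) {
    # w32tm /stripchart /dataonly prints samples such as "10:15:02, +00.0312456s"
    foreach ($line in $W32tmOutput) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { return [math]::Abs([double]$Matches[1]) }
    }
}

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

$dc = Get-DcName (nltest "/dsgetdc:$Domain")
$checks = @(New-Check 'DC located (nltest /dsgetdc)' $dc $dc)

# List the DNS servers in use so they can be compared with the intended ones
$dns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
         ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ })
$checks += New-Check 'DNS servers configured' $dns ($dns -join ', ')
$checks += New-Check 'LOGONSERVER set' $env:LOGONSERVER $env:LOGONSERVER

if ($dc) {
    $checks += New-Check 'DC answers ping' (Test-Connection $dc -Count 2 -Quiet) $dc
    $skew = Get-SkewSeconds (w32tm /stripchart "/computer:$dc" /samples:1 /dataonly)
    $checks += New-Check "Clock skew under $MaxSkewSeconds s" `
        (($skew -ne $null) -and ($skew -lt $MaxSkewSeconds)) "$skew s"
    try {
        # Look up this computer's account; ACCOUNTDISABLE is bit 0x2 of userAccountControl
        $q = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
        $acct = $q.FindOne()
        $checks += New-Check 'Computer account exists' $acct $env:COMPUTERNAME
        if ($acct) {
            $disabled = [int]$acct.Properties['useraccountcontrol'][0] -band 2
            $checks += New-Check 'Computer account enabled' (-not $disabled) "ACCOUNTDISABLE = $disabled"
        }
    } catch { $checks += New-Check 'Computer account lookup' $false $_.Exception.Message }
}
$checks | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

The computer account lookup only works when the session has domain credentials; run from a local-only account it is reported as a failed lookup rather than a missing account.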

Using the Remote Desktop Client from the Command Prompt


The Microsoft remote desktop client can be found in %systemroot%\system32\mstsc.exe. Running this program with no switches will bring up the remote desktop connection program. However, mstsc.exe has a full set of switches that can be used to accomplish things from the command prompt.

mstsc.exe {ConnectionFile | /v:ServerName[:Port]} [/console] [/f] [/w:Width /h:Height]

/v - specifies the remote computer and port (optional) you wish to connect to
/console - connects to the console of a Windows Server 2003 based system
/f - starts the remote desktop connection in full screen mode
/w & /h - specify the width and height of the remote desktop connection

This can be very useful in creating batch files to use as quick routes to machines with a particular group of settings. For instance, mstsc.exe can be called from a batch file enforced by group policy to run at startup for machines that need to connect directly to a terminal server for use.

Disabling the RunAs Command


For standalone Windows XP machines in a workgroup environment, you can disable Run As by hacking the Registry. Simply use Regedit.exe to locate the following key on each machine:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

Then create a new DWORD value named HideRunAsVerb and assign it a value of 1. 

In a domain environment, you can disable RunAs using the Software Restriction Policies feature of Group Policy. To do this, open the appropriate GPO in the Group Policy Object Editor and locate the following node in the console tree:
Computer Configuration/Windows Settings/Security Settings/Software Restriction Policies
Right-click on this node and select New Software Restriction Policies, then right-click on Additional Rules and select New Path Rule. Now type the path to runas.exe and make sure the policy is set to Disallowed.
If you prefer to apply this policy to specific users instead of computers, use a GPO linked to an OU where the user accounts reside and configure Software Restriction Policies using User Configuration instead of Computer Configuration, such as:
User Configuration/Windows Settings/Security Settings/Software Restriction Policies