Without an AD domain, you're more limited in distributing such local group policies among applicable devices. If there would still remain valid reasons for not having these computers being part of a domain, even not a domain these users may create at their home without you knowing, then you still have the option of group policies. And I don't know if such undisclosed reasons are valid. Being used for home office is not a reason. I still don't know the reasons why these computers shall not be nor remain part of a domain. Spicehead-y1lee wrote:I was also thinking of joining the computer to the domain, getting the policies - remove from domain and then sysprep but I am not really sure if that will work, or if it's the correct way. If your company has so many devices that an AD domain (or forest) is better for IT management than alternate IT means, why does your company not want these home office computers join a company domain, and allow so many computers off such domains?.And I hope your company rules made sure that such an administrator account is not accessible to his one local user account, only accessible to your IT team and your MDM solution. Spicehead-y1lee wrote:The computer will have one "User" account and Administrator one, I guess.ĭon't guess. It would be best if you could enroll them in something like Intune (part of Office 365's licensing) but domain joined devices work just fine over VPN as long as the VPN uses the domain controllers for its DNS Your remote users are presumably going to be needed to connect to vpn anyway to do their work. Just force the users to connect via VPN to your domain network and continue managing them via GPO and domain joining them. A work from home or any remote computer should be treated and managed exactly the same as any in office computer. You are approaching the problem wrong in my mind.
Chrome policy pgedit Pc#
You state you can't use group policy to restrict Chrome because of a lack of domain, but then state you are restricting the other browsers on the PC by GPO? So why can't you use GPO for Chrome? *I was also thinking of joining the computer to the domain, getting the policies - remove from domain and then sysprep but I am not really sure if that will work, or if it's the correct way. The computer will have one "User" account and Administrator one, I guess. I know that physical access can unlock them but I don't think any of the user has that kind of knowledge. Is there any tip? That computers will be send as home office and they need to be pretty locked. I will also be disabling every other browser via group policy, block access to hard drives, program installation and so on. What I am trying to do is, lock the browser so that the user can't change the settings/access only 3-4 websites. I tried using Google policy ADMX but most of the setting won't work without a domain.
Chrome policy pgedit windows 10#
I want to create a windows 10 image, that will cripple google chrome installation.
Chrome policy pgedit free#
Easier to control, and essentially free of charge. If you have an old server or VM available, go tweak it to your requirements, create profiles for these users with limited permissions and only grant them access to whatever they need to see. They will surprise and shock you every single time.Īlternative option would be to lock the OS down completely and only allow them access to VPN and a RDP shortcut.
Just remember: Do not underestimate the stupidity of bored users with time on their hands and nobody looking over their shoulders. depends on what tools you have at your disposal. You could still add Group Policies via GPEdit without having to add the machine to the domain, but this is a lot of effort, time and testing to lock it down this way.
Restrict their permissions as much as you can (more than you would in a normal scenario). I suppose if you really feel like doing this the long way around, you could go fiddle with the firewall settings on the machine, block everything and allow exceptions for the 3 websites you would like the users to access. I used the admx template after all, I think I did a great improvment. Once you have applied policies to Chrome, use chrome://policy/ on an administered browser to verify what is actually being applied. If you want Machine-wide policies, we found also applying to user not only was fine, but was sometime necessary.
Also there sometimes were errors in the past in documentation of Machine Policies vs User. Some settings may not work without the Enterprise version, but I believe this is usually stated in the documentation. You'll see much talk of needing an admin panel or ADM templates or a domain or Group Policy or the Enterprise version, but we have none of these, and it works fine. This is an old policy, so some settings may be deprecated or changed. "DefaultBrowserSettingEnabled"=dword:00000000 Text Windows Registry Editor Version 5.00
0 kommentar(er)
