Restricting user accounts

basmic · 20 Nov 2006 at 17:04

Bascially I was asked to reinstall a computer, because another user treat the machine as their own and trashed the software installed on it to the extent it needed reinstalling.

So I decided to create three acounts: Mine, Computer owner, and the "user" shall we call him.

Obviously mine and computer owner accounts are administrators, password protected. I set the "user" to a limited account.

But I really want to button up his account, so all he can do is use the internet, MSN - if he wants software installing, it is done under the computer owner's account or my own.

I'm not too familiar with restricting user accounts. So some guides/links would be much appreciated. Alongside with some personal experience, if possible.

Thanks!

Kerplunk · 20 Nov 2006 at 17:52

IIRC There is a a program called Admin PC which is quite good, free downloadd to i think.

Give that a go, and have a play.

Edit, free trial it is actually, are you willing to pay?

Burnsy2023 · 20 Nov 2006 at 19:19

You may be able to resrict it using the Local Secuity Account Policies MMC snap in.

Burnsy

Trigger · 20 Nov 2006 at 21:01

If you're using XP Pro then you can restrict pretty much everything although be careful- these restrictions will also apply to you. There is a way around it though- when you have set the policies, do not log off and immediatley set deny access on the group policy folder in the system32 directory to yourself and the computer owner account. To modify the policies though you will have to reinstate your access.

Doing this though will ensure that you have full access but he has all the policy restrictions in place

basmic · 20 Nov 2006 at 23:25

Thought there might be some sort of software where you just select a user, lockdown their account as felt fit, and job's done.

Mr Blonde · 21 Nov 2006 at 01:59

The MS Shared Computer Toolkit should let you do it :
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

basmic · 21 Nov 2006 at 11:46

Mr Blonde said:
The MS Shared Computer Toolkit should let you do it :
http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

Unfortunately I am unable to complete the validation process.

Captain Fizz · 21 Nov 2006 at 15:41

Trigger said:
Doing this though will ensure that you have full access but he has all the policy restrictions in place

Ooh - Much handyness. Cheers.

And the policies are accessed via:
Start -> Run -> gpedit.msc

That can lock down anything.
(Even hide the C: )

You can even set it so it will only run specified EXE's.
Add all the system exe's, MSN and IE. Job done.
He can't even install stuff as it will not have the correct filename.

basmic · 21 Nov 2006 at 17:26

In all honesty, I'm not even sure where to start looking in Gpedit.

Any pointers, or just toy around?

Captain Fizz · 21 Nov 2006 at 18:43

basmic said:
Any pointers, or just toy around?

Administrative templates.
Then just toy around.

Trigger · 21 Nov 2006 at 18:59

basmic said:
In all honesty, I'm not even sure where to start looking in Gpedit.

Any pointers, or just toy around?

All of the interesting stuff is in User Configuration > Administrative Templates. Look around Windows Components > Windows Explorer and the System folder for the basic things to lock down- no right click, no cmd, no regedit etc

Just ensure to set deny permissions to yourself on the group policy folder BEFORE you log off or you could seriously fubar your system

sniper007 · 5 Dec 2006 at 10:28

Trigger said:
All of the interesting stuff is in User Configuration > Administrative Templates. Look around Windows Components > Windows Explorer and the System folder for the basic things to lock down- no right click, no cmd, no regedit etc

Just ensure to set deny permissions to yourself on the group policy folder BEFORE you log off or you could seriously fubar your system

Hey Trigger, Ive just read your above comments in this thread and Im well impressed! I didnt think of that! Of course....now that I do it seems such an obvious thing to miss. See I have also been trying to lock down my own machine for my little girl and I've been mucking around with that Shared Computer Toolkit as well and modifying things in a bit of a bodge way...the method you mention is a great way of doing it and gives huge amounts of lockdown options WITHOUT affecting selected users you deny it to. Sorted!
Although I have to say Im a bit worried about doing it! If you did forget to click to deny to yourself and you logged off and let it take affect, I can't think of a way back at all? Problem is, if you do all of these GP modifications and lockdowns I thought some of them took affect straight away....would it not be hard to finish off the job whilst in affect crippling yourself as you lock it down? Because as you say, you cant deny it to the person modding the GP until it's complete otherwise they cant modify it. Also, what happens if you include the lockdown of not being able to run gpedit.msc and then you you want to go back in and change the gp....say you take yourself out of the deny option so you can mod it....but oh hang on...you cant mod it because its now in affect and you cant run gpedit....

You see what Im saying?

Bit dangerous and surely can only be done once and thats it? Or am I missing something?

Trigger · 5 Dec 2006 at 13:31

sniper007 said:
Although I have to say Im a bit worried about doing it! If you did forget to click to deny to yourself and you logged off and let it take affect, I can't think of a way back at all?

Simple answer, there isn't one which is why I've said be VERY careful doing it all along

sniper007 said:
Problem is, if you do all of these GP modifications and lockdowns I thought some of them took affect straight away....would it not be hard to finish off the job whilst in affect crippling yourself as you lock it down? Because as you say, you cant deny it to the person modding the GP until it's complete otherwise they cant modify it.

Policies aren't applied straight away- they take a while to filter through so don't rush- you need to think carefully about the policies you apply because some may cause big problems like not allowing the running of gpedit.msc so ensure this policy is not set.

sniper007 said:
Also, what happens if you include the lockdown of not being able to run gpedit.msc and then you you want to go back in and change the gp....say you take yourself out of the deny option so you can mod it....but oh hang on...you cant mod it because its now in affect and you cant run gpedit....

As above, the policies won't apply for a fairly lengthy time or unless you tell them to by a gpupdate /force for example so you will be allowed to edit it, then set deny permissions again.

Try it on a spare machine if possible first- give you a chance to play around with it and if you muck up, you can always reinstall

Ben