Windows XP User Account - restrict access?

By koocha
in Microsoft (Windows)

 Share

Recommended Posts

Collaborator

koocha

Posted
Posted (edited)

Hi

I'd like to create a new user account on a Win XP Pro computer that will only allow access to 1 program + printer, but I don't know how to do it. I know it can be done in win 2000 because I've used a machine configured like that.

It's so that there's hardly any chance of the machine breaking by user error. I've tried having a fiddle but I can't do what I want to.

I'd like the computer to logon automatically to the account with the administrator account being hidden (no welcome screen).

Any idea on how I can do this?

Cheers

Tim

EDIT: I've played with the stuff in MMC but it's not what I'm after. I want to stop users changing the wallpaper, screensaver, etc and remove things from the start menu

Edited by koocha
Experienced

Caledai

Posted
Posted

Do not use (Group Policy Editor) gpedit.msc on a standalone machine or a workgroup machine not connected to a domain.

If you do in either of these situations - then you will find that any settings you enforce via gpedit.msc will affect all users - including the administrator.

To enfore policies per user - you need to be on a domain, and set the policies up on the AD Server.

Grand Master

accesser

Posted
Posted

Perhaps this might help

post-63776-1111572214_thumb.jpg

  Quote
Limits the Windows programs that users have permission to run on the computer.

If you enable this setting, users can only run programs that you add to the List of Allowed Applications.

This setting only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.

Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. Note: To create a list of allowed applications, click Show, click Add, and then enter the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).

Proficient

Unksi

Posted
Posted
  Quote
EDIT: I've played with the stuff in MMC but it's not what I'm after. I want to stop users changing the wallpaper, screensaver, etc and remove things from the start menu

You can stop removing things from desktop/start menu by putting them to profile "All users" as administrator. That way when one tryes to remove those with limited user account, one will get "Permission denied." warnign message.

Mentor

+orgitnized Subscriber¹

Posted
  • Subscriber¹
Posted
  caledai said:
Do not use (Group Policy Editor) gpedit.msc on a standalone machine or a workgroup machine not connected to a domain.

If you do in either of these situations - then you will find that any settings you enforce via gpedit.msc will affect all users - including the administrator.

To enfore policies per user - you need to be on a domain, and set the policies up on the AD Server.

585657214[/snapback]

Sorry but you are incorrect. The policies are enforced for the user you are logged in as when applying the GP's. I've told many a neowin member this information already. I even made a video on this for people who wanted more information.

The easiest way is being on a domain, but it is definitely not a requirement. Try it out for yourself. Make a bogus account and give it admin rights. Login as the new account and run gpedit.msc. Make changes to what the user can and cannot do.

Logoff and login as you. There will be no restrictions on your account. If there are, you are applying your GP's incorrectly.

Collaborator

koocha

Posted
  • Author
Posted

Hi

I've got a problem. I applied the GPs as I wanted them, logged off and on as me - but they're all there with me too. Now I can't access the gp editor to change anything back. I can't do anything! I managed to launch IE by a shortcut (because I has restricted it) and that's how I'm here. Tried logging in as the computer administrator but the same!

Any help would be much appreciated!

Tim

Collaborator

koocha

Posted
  • Author
Posted

I'm half way there I think. I got into my system32 directory and cut the grouppolicy folder and pasted it on the root of c:. I rebooted and now I've got accesss to everything again, but I've got no desktop or programs running in the taskbar. I've had a look in gpedit.msc and everything says Not Configured.

So now the question is - how do I get everything back to how it should be?

Thanks

Tim

Experienced

Caledai

Posted
Posted
  Ghost96 said:
Sorry but you are incorrect.  The policies are enforced for the user you are logged in as when applying the GP's.  I've told many a neowin member this information already.  I even made a video on this for people who wanted more information.

The easiest way is being on a domain, but it is definitely not a requirement.  Try it out for yourself.  Make a bogus account and give it admin rights.  Login as the new account and run gpedit.msc.  Make changes to what the user can and cannot do.

Logoff and login as you.  There will be no restrictions on your account.  If there are, you are applying your GP's incorrectly.

585659152[/snapback]

Unfortunatly what I said is true. It happened to me - and I did attempt to configure a second user account - while logged in under that account. Go to the main account that I use - hmm, I was restricted - just like koocha found out. I solved the problem because I hadn't locked it down that tight yet, and then installed aston shell on the computer, and set that account to aston - with its own profile - and then locked down aston.

I know the computer wide settings should also apply to my account - but the ones i configured in the "User" settings area also applied to my account.

If you tell me how to avoid that it would be appreciated though. The only way I can think of is to disable gpedit for my account as i desc below - and leave it active for the second account.

  koocha said:
I'm half way there I think. I got into my system32 directory and cut the grouppolicy folder and pasted it on the root of c:. I rebooted and now I've got accesss to everything again, but I've got no desktop or programs running in the taskbar. I've had a look in gpedit.msc and everything says Not Configured.

So now the question is - how do I get everything back to how it should be?

By now desktop or programs in task bar - what do you mean. If you open up windows explorer - does it show up as being active. Or are you talking about the icons you can put into the quicklaunch bar next to the start menu not being there.

As to the desktop - Go into gpedit.msc and go into the properties of the local computer policy. Select both options to disable settings. See if this helps.

Grand Master

John Veteran

Posted
  • Veteran
Posted
  koocha said:
SORTED IT!

585661491[/snapback]

Now you know to be more careful with group policies ;)

FYI - The policies under Computer Configuration apply to the machine, not any specific user. The policies under User Configuration apply to the current user only.

Also, you may want to try adding that user to the Guests group. That will restrict them quite a bit (Y)

Collaborator

koocha

Posted
  • Author
Posted

Everything I edited was in the User Configuration when logged on as my test account. It just happened to set the same settings for all of the users on the machine!

I got into Internet Explorer through a link to Yahoo Pictures in my "my pictures" folder, and in the address bar typed c:\

That got me onto my hard drive and I navigated to the system32 folder, cut the grouppolicy folder and pasted it into c: (so I had it still but it wasn't where it should be)

rebooted and there we have it.

If someone has a guide of how to do things properly, please let me know where it is.

Cheers, Tim

Mentor

+orgitnized Subscriber¹

Posted
  • Subscriber¹
Posted

caledai and koocha,

You should look at checking out some past posts here:

Start here-->and then go here

Check out the video that I made in one of the posts. If you've done it all to a T but you still have the same issues (never experienced what you guys are running into once in my life) then check out Joel's Suggestion from the second link I gave you guys.

It should help out. Let us know. :yes:

Collaborator

koocha

Posted
  • Author
Posted

Hi again

I had a play and disabled all the tabs in internet explorer options apart from the programs tab. I logged off and logged back on as the test account and hey presto! only the programs tab.

So I logged off and logged on as me. Hey presto! Just the programs tab for me too!

I followed the video. Made sure it was in the user configuration section but still it won't work.

Any ideas?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.