Giving A domain user permission to install program

[ToneKnee]

Hello, everyone.

Recent events have forced me to restrict my brothers logon hours, and for this i have give him an account (which i have done already) to be able to install his games, programs, but not administrator access not to logon or change his account settings to get around his logon hours.

I am using Windows 2003 Enterprise Edition, his PC is Windows XP Professional SP1.

I have disabled all his local accounts on the machine and setup Windows 2003 to give him account so he can logon. the only problem is the fact he can't install anything without the Administrator's logon. And this will will be abit of a problem if and when he trys to get past his logon hours.

Basicly if he gets past his logon hours, my mum will be forced to disconnect the internet (which she has done, but didn't realise i could of fixed the problem without resorting to removing the internet)

The problem with my brother is the fact he stays up all night playing games until 9am in the morning and he is 14 years old. he does this on school nights and we have caught him on 9 occasions to stay up all night and go straight to school. This is effecting his school work and he is being increasingly abusive. Even when the internet is off, he still goes on the PC, and if we unplug him he plugs himself back in, so this is the only way to get round the problem with me loosing my internet access.

Thankyou for any support you can give.

[Frank]

If you are restricting his login hours via Active Directory you can just add the Domain User to the Local Administrator group on his specific machine.

This way he will be able to install and make changes on his machine but when his logon time on the domain is done he will still loose connectivity.

[Garry]

this is the only way to get round the problem with me loosing my internet access.

but when his logon time on the domain is done he will still loose connectivity.

It's losing, and lose.

[ToneKnee]

If you are restricting his login hours via Active Directory you can just add the Domain User to the Local Administrator group on his specific machine.

This way he will be able to install and make changes on his machine but when his logon time on the domain is done he will still loose connectivity.

586653042[/snapback]

Yes but the problem is that he can reset the main administrator password back again and change the settings to get around the logon thus changing his policy settings to make him log in locally to his machine. I just did it now. So i removed the access and set him to "Power User" not sure yet how thats going to turn out, i'll do some tests tomorrow. 4 minutes until he gets kicked off! ;)

Garry, for the typo's ;)

[Pliskin]

Power Users is the only thing you can use here. Or, you can just beat and slap him if he exceeds his hours.

I must say, your brother is hardcore.

[dieterich]

You have two computers online so I'm assuming you have a router. Why not cut off Internet access from there? We do that with our cousin's router. We have it setup so that all Internet activity cuts off at 9PM and resumes the next day at 7AM. One IP has unlimited Internet access - the parent's PC - so it can be online without interuption. Just a thought.

[biorK]

^^ First, that's not a function that all routers has? Second, I don't think he want to kill all Internet access because DarkWater might want to be online longer then his brother... or I got your suggestion wrong?

Also.. if I understood right his brother sits by the computer even if there's not Internet access. He wants to cut him off completely from his computer.

[dieterich]

You are right, it's not a function of EVERY router. But he can check to see if his has it. Second, the ones I have been using(Netgear, D-Link, and Linksys) all have the ability to block Internet access for specific PCs and allow it for others. So, one person can be limited and the others can be online.

What the h3ll happened to parenting? Unplug the friggin thing and take the power cable. Take the keyboard and mouse. Geez, it's not that hard to disable a computer. How about this, ground him from the PC for a week and see if he starts to abide by the "PC curfew" after that. This is such overkill for this type problem.

[biorK]

Take it easy man, I thought your suggestions were good! Though I'm planning to do this myself on my brothers (and mothers) computers because it's a good way to control their habbits.

It's not my job to parenting my brothers :) I just want some control :p

[ToneKnee]

dieterich, i ain't going to comment about parenting since he has had a hard life and he has been off school alot of due to problems which i ain't going to explain about. Nothing wrong with parenting since i'm a prime example of it and i'm fine. I was like him at one stage were the internet/computer took control. My parents believe that things should be phased out slowly rather than take drastic measures.

My router does have settings to cut off his internet, but like i have mentioned, we want him off the computer at a certain time at night. I'm still open to how to solve my dilema.

[dieterich]

I'm just not sure that taking away a priviledge could be considered drastic. I had my car taken away when I didn't do what I was supposed to growing up. The PC should be no different. All I was trying to say is that this is a simple fix that really doesn't need the overkill of a domain and server. Just a very simple problem to fix IMHO. :blush:

[ToneKnee]

dieterich, can i please say (and don't take this offensively) that i came on here looking for help, not for people to question my parents or other options. Not only does this solve a problem since he cannot do anything about it, i am also learning more about computers while i'm doing this. Now please, i don't want any more questions/accusations about my parents or how we are dealing with a problem.

Also, i have got into abit of a problem, apparantly, after his logon hours have expired, the server isn't forcing him to log off. I set this option on his account, the server domain policy and the local policy on the computer. And he still isn't being logged off, am i missing something here? If people would give me a guide or some direct response would be greatly appreciated.

[Gotenks98]

Sorry but the simplest and most effiect way to do this is "THE BELT". After getting beat senseless a few times for staying on the internet past time he will get the point to go to sleep when he should.

[Gibwar]

after his logon hours have expired, the server isn't forcing him to log off. I set this option on his account, the server domain policy and the local policy on the computer. And he still isn't being logged off, am i missing something here? If people would give me a guide or some direct response would be greatly appreciated.

586661677[/snapback]

Are you sure that the user account he has is applying the policy correctly. First of, right click on his username and go to all tasks and then resultant set of policy (logging) and answer the questions. When it is done, it will pop up the GPO with what settings were applied and which were applied and where and which were not. Also, when you update the Group Policy, be sure to go to his computer and run "gpupdate /force" which will force a refresh of the policy. Also, it is recommended to not use the Default Domain policy but instead create a new one next to it. I hope you get this problem solved.

Sorry but the simplest and most effiect way to do this is "THE BELT". After getting beat senseless a few times for staying on the internet past time he will get the point to go to sleep when he should.

586661708[/snapback]

That was quite unnecessary and rude, he needs help for his problem and your post didn't help him at all. Also, if you took time to read this thread, you would have already known that.

[ToneKnee]

Are you sure that the user account he has is applying the policy correctly.  First of, right click on his username and go to all tasks and then resultant set of policy (logging) and answer the questions. When it is done, it will pop up the GPO with what settings were applied and which were applied and where and which were not.  Also, when you update the Group Policy, be sure to go to his computer and run "gpupdate /force" which will force a refresh of the policy.  Also, it is recommended to not use the Default Domain policy but instead create a new one next to it.  I hope you get this problem solved.

That was quite unnecessary and rude, he needs help for his problem and your post didn't help him at all. Also, if you took time to read this thread, you would have already known that.

586661824[/snapback]

Right, i tried that, but when i tried to do the RSoP (Logging) it said that the specified user s doesn't exist? Obviously i'm going somewhere wrong.

[Gibwar]

Right, i tried that, but when i tried to do the RSoP (Logging) it said that the specified user s doesn't exist? Obviously i'm going somewhere wrong.

586662279[/snapback]

Have you tried RSoP (Planning)? I can't remember which one does which.

[dieterich]

dieterich, can i please say (and don't take this offensively) that i came on here looking for help, not for people to question my parents or other options. Not only does this solve a problem since he cannot do anything about it, i am also learning more about computers while i'm doing this. Now please, i don't want any more questions/accusations about my parents or how we are dealing with a problem.

Also, i have got into abit of a problem, apparantly, after his logon hours have expired, the server isn't forcing him to log off. I set this option on his account, the server domain policy and the local policy on the computer. And he still isn't being logged off, am i missing something here? If people would give me a guide or some direct response would be greatly appreciated.

586661677[/snapback]

I don't believe that I meantioned the word "parents" in any of my posts except for referring to my own. I am also trying to help as well. I just think this is an overly complicated solution for what you want to do. Do not take what I am saying as a strike against parenting skills. To each his own. I just think it's easier to pull the plug on a PC than to spend hours setting up a domain, getting the GPOs configured, and still have not solved the problem since it seems he's still online. Sorry to have offended. :blush:

[p858snake]

Where is the the computer?? in his bedroom / family room / study ect...

or

you could just handcuff him to the bed

-peachey

[StevenNT]

You can give him local admin rights but block use of MMC snapins and the command promt (and command scripts).

That will make life hard for him to reset the local user account settings. :D

You can do this in Active Directory's Group Policy settings.

[garethevans1986]

Cant you get like a timer which you plug into the socket and the PC plug into that so that will limit his time on the PC too.

ChocIST

[struct]

You can give him local admin rights but block use of MMC snapins and the command promt (and command scripts).

That will make life hard for him to reset the local user account settings.?:DD

You can do this in Active Directory's Group Policy settings.

586678672[/snapback]

in addition to the above, lock the case (or get a case you can lock with a key), lock down the BIOS to only boot from the hdd, and set a tough password. also turn off BIOS flashing.

I agree with the sentiments that this is really over-complicated. I think a little physical violence is in order... As the older brother it is your duty to pick on him and get him in line if your parents won't. I don't have any brothers, but I'd kick him off every time he tried to pull that (literally if needed).

Edited October 18, 2005 by struct