Sign in with
Sign up | Sign in
Your question

Applying local policies to a specific account on a workgro..

Last response: in Windows XP
Share
February 4, 2005 2:41:03 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I am trying to lock down an account on a Windows XP station. It is not on
the domain, and i do not want to lock down any administrator accounts on the
machine. Since by default, any local policies that are put in place affect
each account, I have not had any luck in locking down just one account. I
have tried a number of things including, group policy, login scripts, and i
tried article 325351. I know it is for 2003 server, but since it is the same
as the one for Windows 2000, I thought it would work for XP. I had no luck.
If there is anything else i can try, or any suggestions i would most
appreciate it. Thanks in advance.
February 4, 2005 3:24:19 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Don wrote:

> I am trying to lock down an account on a Windows XP station. It is
> not on the domain, and i do not want to lock down any administrator
> accounts on the
> machine. Since by default, any local policies that are put in place
> affect
> each account, I have not had any luck in locking down just one
> account. I have tried a number of things including, group policy,
> login scripts, and i
> tried article 325351. I know it is for 2003 server, but since it is
> the same
> as the one for Windows 2000, I thought it would work for XP. I had no
> luck. If there is anything else i can try, or any suggestions i would
> most
> appreciate it. Thanks in advance.

I assume you have XP Pro since you have tried gpedit. Since you didn't
define "lock down", I can't give you a specific answer. However, you
could create a new user group with the very limited permissions you
want and then put that user in the new group.

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
February 4, 2005 3:35:09 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

The only thing I want the user account to be able to do is use internet
explorer. I dont want access to control panel, run, search, local hard
drive. Nothing, just internet. All of that will be removed from the start
menu, and no icons on the desktop. I looked into creating a group and
putting the user in the group, but I dont have a lot of experience creating
groups and I couldn't find any way of locking down just that group. And yes
it is XP Pro, meant to mention that.

Thanks

"Malke" wrote:

> Don wrote:
>
> > I am trying to lock down an account on a Windows XP station. It is
> > not on the domain, and i do not want to lock down any administrator
> > accounts on the
> > machine. Since by default, any local policies that are put in place
> > affect
> > each account, I have not had any luck in locking down just one
> > account. I have tried a number of things including, group policy,
> > login scripts, and i
> > tried article 325351. I know it is for 2003 server, but since it is
> > the same
> > as the one for Windows 2000, I thought it would work for XP. I had no
> > luck. If there is anything else i can try, or any suggestions i would
> > most
> > appreciate it. Thanks in advance.
>
> I assume you have XP Pro since you have tried gpedit. Since you didn't
> define "lock down", I can't give you a specific answer. However, you
> could create a new user group with the very limited permissions you
> want and then put that user in the new group.
>
> Malke
> --
> MS MVP - Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
>
Related resources
February 4, 2005 4:09:24 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Don wrote:

> The only thing I want the user account to be able to do is use
> internet
> explorer. I dont want access to control panel, run, search, local
> hard
> drive. Nothing, just internet. All of that will be removed from the
> start
> menu, and no icons on the desktop. I looked into creating a group and
> putting the user in the group, but I dont have a lot of experience
> creating
> groups and I couldn't find any way of locking down just that group.
> And yes it is XP Pro, meant to mention that.
>
Then you create a new group and call it whatever you want, set the
policies for it with Group Policy Editor, and then put that one user in
that group. You'll need to spend some time familiarizing yourself with
the GPE. Look under the Administrative Templates for users, etc. You
can also post more specific questions about the use of the GPE in a
newsgroup specifically for it. Here's a link to a list of all the MS
newsgroups so you can find the one for Group Policy:

http://aumha.org/nntp.htm

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
February 4, 2005 5:09:04 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Ok well maybe i am just missing something, or i dont have something on this
machine. I can create users, and i can create groups, but I have no idea how
to actually set policies to the group. Only thing i have been able to do is
create policies that affect the pc as a whole. I tried the link you sent and
didnt have much luck. Each link i clicked on on the site brought up outlook
express. Are they supposed to take me to anything or are they just a link to
an email account? I do appreciate you trying to help. I assume that the GPE
is the same thing as gpedet.msc.

Thanks again.
"Malke" wrote:

> Don wrote:
>
> > The only thing I want the user account to be able to do is use
> > internet
> > explorer. I dont want access to control panel, run, search, local
> > hard
> > drive. Nothing, just internet. All of that will be removed from the
> > start
> > menu, and no icons on the desktop. I looked into creating a group and
> > putting the user in the group, but I dont have a lot of experience
> > creating
> > groups and I couldn't find any way of locking down just that group.
> > And yes it is XP Pro, meant to mention that.
> >
> Then you create a new group and call it whatever you want, set the
> policies for it with Group Policy Editor, and then put that one user in
> that group. You'll need to spend some time familiarizing yourself with
> the GPE. Look under the Administrative Templates for users, etc. You
> can also post more specific questions about the use of the GPE in a
> newsgroup specifically for it. Here's a link to a list of all the MS
> newsgroups so you can find the one for Group Policy:
>
> http://aumha.org/nntp.htm
>
> Malke
> --
> MS MVP - Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
>
February 4, 2005 9:08:32 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Don wrote:

> Ok well maybe i am just missing something, or i dont have something on
> this
> machine. I can create users, and i can create groups, but I have no
> idea how
> to actually set policies to the group. Only thing i have been able to
> do is
> create policies that affect the pc as a whole. I tried the link you
> sent and
> didnt have much luck. Each link i clicked on on the site brought up
> outlook
> express. Are they supposed to take me to anything or are they just a
> link to
> an email account? I do appreciate you trying to help. I assume that
> the GPE is the same thing as gpedet.msc.
>
The link is to a list of newsgroups. The reason OE is opening is because
it also functions as a newsreader. Here is information on that:

Since you are using the web interface, you may not realize that this is
really a newsgroup. You will get far more out of this resource if you
learn to use a newsreader. There are many good newsreaders for Windows,
but you can use Outlook Express since you already have it. Here are
some links to information about newsgroups:

http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief
explanation of newsgroups
http://michaelstevenstech.com/outlookexpressnewreader.h...
http://rickrogers.org/setupoe.htm
http://support.microsoft.com/default.aspx?scid=/support...
- Set Up Newsreader
http://www.dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html
http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.test.here - MS group to test if your newsreader is
working properly

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
Anonymous
February 6, 2005 6:14:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

You are not missing anything.
Outside of a domain local group policy applies to all accounts.
You should be able to use the info in the KB which you referenced.
Otherwise you need third-party tools or use of direct registry edits.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Don" <Don@discussions.microsoft.com> wrote in message
news:68FE8CB7-645A-4736-8A49-1021EF2264F2@microsoft.com...
> Ok well maybe i am just missing something, or i dont have something on
this
> machine. I can create users, and i can create groups, but I have no idea
how
> to actually set policies to the group. Only thing i have been able to do
is
> create policies that affect the pc as a whole. I tried the link you sent
and
> didnt have much luck. Each link i clicked on on the site brought up
outlook
> express. Are they supposed to take me to anything or are they just a link
to
> an email account? I do appreciate you trying to help. I assume that the
GPE
> is the same thing as gpedet.msc.
>
> Thanks again.
> "Malke" wrote:
>
> > Don wrote:
> >
> > > The only thing I want the user account to be able to do is use
> > > internet
> > > explorer. I dont want access to control panel, run, search, local
> > > hard
> > > drive. Nothing, just internet. All of that will be removed from the
> > > start
> > > menu, and no icons on the desktop. I looked into creating a group and
> > > putting the user in the group, but I dont have a lot of experience
> > > creating
> > > groups and I couldn't find any way of locking down just that group.
> > > And yes it is XP Pro, meant to mention that.
> > >
> > Then you create a new group and call it whatever you want, set the
> > policies for it with Group Policy Editor, and then put that one user in
> > that group. You'll need to spend some time familiarizing yourself with
> > the GPE. Look under the Administrative Templates for users, etc. You
> > can also post more specific questions about the use of the GPE in a
> > newsgroup specifically for it. Here's a link to a list of all the MS
> > newsgroups so you can find the one for Group Policy:
> >
> > http://aumha.org/nntp.htm
> >
> > Malke
> > --
> > MS MVP - Windows Shell/User
> > Elephant Boy Computers
> > www.elephantboycomputers.com
> > "Don't Panic!"
> >
February 7, 2005 9:31:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thank you both for your help. Since this is a work pc, I do not have the
privilage of going to all of these different places. Was hoping to get any
assistance through a trusted website. I do appreciate your assistance Malke.
Roger, these 3rd party tools, are any of them available free for download.
I highly doubt i can get anything approved that would have to be paid for.
But in any case, even if they are, could you send me some links.

Thanks,

Don

"Roger Abell" wrote:

> You are not missing anything.
> Outside of a domain local group policy applies to all accounts.
> You should be able to use the info in the KB which you referenced.
> Otherwise you need third-party tools or use of direct registry edits.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Don" <Don@discussions.microsoft.com> wrote in message
> news:68FE8CB7-645A-4736-8A49-1021EF2264F2@microsoft.com...
> > Ok well maybe i am just missing something, or i dont have something on
> this
> > machine. I can create users, and i can create groups, but I have no idea
> how
> > to actually set policies to the group. Only thing i have been able to do
> is
> > create policies that affect the pc as a whole. I tried the link you sent
> and
> > didnt have much luck. Each link i clicked on on the site brought up
> outlook
> > express. Are they supposed to take me to anything or are they just a link
> to
> > an email account? I do appreciate you trying to help. I assume that the
> GPE
> > is the same thing as gpedet.msc.
> >
> > Thanks again.
> > "Malke" wrote:
> >
> > > Don wrote:
> > >
> > > > The only thing I want the user account to be able to do is use
> > > > internet
> > > > explorer. I dont want access to control panel, run, search, local
> > > > hard
> > > > drive. Nothing, just internet. All of that will be removed from the
> > > > start
> > > > menu, and no icons on the desktop. I looked into creating a group and
> > > > putting the user in the group, but I dont have a lot of experience
> > > > creating
> > > > groups and I couldn't find any way of locking down just that group.
> > > > And yes it is XP Pro, meant to mention that.
> > > >
> > > Then you create a new group and call it whatever you want, set the
> > > policies for it with Group Policy Editor, and then put that one user in
> > > that group. You'll need to spend some time familiarizing yourself with
> > > the GPE. Look under the Administrative Templates for users, etc. You
> > > can also post more specific questions about the use of the GPE in a
> > > newsgroup specifically for it. Here's a link to a list of all the MS
> > > newsgroups so you can find the one for Group Policy:
> > >
> > > http://aumha.org/nntp.htm
> > >
> > > Malke
> > > --
> > > MS MVP - Windows Shell/User
> > > Elephant Boy Computers
> > > www.elephantboycomputers.com
> > > "Don't Panic!"
> > >
>
>
>
!