Applying local policies to a specific account on a workgro..

Archived from groups: microsoft.public.windowsxp.security_admin

I am trying to lock down an account on a Windows XP station. It is not on
the domain, and I do not want to lock down any administrator accounts on the
machine. Since by default, any local policies that are put in place affect
each account, I have not had any luck in locking down just one account. I
have tried a number of things including group policy, login scripts, and I
tried article 325351. I know it is for 2003 server, but since it is the same
as the one for Windows 2000, I thought it would work for XP. I had no luck.
If there is anything else I can try, or any suggestions, I would most
appreciate it. Thanks in advance.
  1.

    Don wrote:

    > I am trying to lock down an account on a Windows XP station. It is
    > not on the domain, and I do not want to lock down any administrator
    > accounts on the machine. Since by default, any local policies that are
    > put in place affect each account, I have not had any luck in locking
    > down just one account. I have tried a number of things including group
    > policy, login scripts, and I tried article 325351. I know it is for
    > 2003 server, but since it is the same as the one for Windows 2000, I
    > thought it would work for XP. I had no luck. If there is anything else
    > I can try, or any suggestions, I would most appreciate it. Thanks in
    > advance.

    I assume you have XP Pro since you have tried gpedit. Since you didn't
    define "lock down", I can't give you a specific answer. However, you
    could create a new user group with the very limited permissions you
    want and then put that user in the new group.

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
  2.

    The only thing I want the user account to be able to do is use Internet
    Explorer. I don't want access to control panel, run, search, local hard
    drive. Nothing, just internet. All of that will be removed from the start
    menu, and no icons on the desktop. I looked into creating a group and
    putting the user in the group, but I don't have a lot of experience creating
    groups and I couldn't find any way of locking down just that group. And yes,
    it is XP Pro, meant to mention that.

    Thanks

  3.

    Don wrote:

    > The only thing I want the user account to be able to do is use
    > Internet Explorer. I don't want access to control panel, run, search,
    > local hard drive. Nothing, just internet. All of that will be removed
    > from the start menu, and no icons on the desktop. I looked into
    > creating a group and putting the user in the group, but I don't have a
    > lot of experience creating groups and I couldn't find any way of
    > locking down just that group. And yes, it is XP Pro, meant to mention
    > that.

    Then you create a new group and call it whatever you want, set the
    policies for it with Group Policy Editor, and then put that one user in
    that group. You'll need to spend some time familiarizing yourself with
    the GPE. Look under the Administrative Templates for users, etc. You
    can also post more specific questions about the use of the GPE in a
    newsgroup specifically for it. Here's a link to a list of all the MS
    newsgroups so you can find the one for Group Policy:

    http://aumha.org/nntp.htm

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
  4.

    OK, well, maybe I am just missing something, or I don't have something on this
    machine. I can create users, and I can create groups, but I have no idea how
    to actually set policies to the group. Only thing I have been able to do is
    create policies that affect the PC as a whole. I tried the link you sent and
    didn't have much luck. Each link I clicked on on the site brought up Outlook
    Express. Are they supposed to take me to anything or are they just a link to
    an email account? I do appreciate you trying to help. I assume that the GPE
    is the same thing as gpedet.msc.

    Thanks again.
  5.

    Don wrote:

    > OK, well, maybe I am just missing something, or I don't have something
    > on this machine. I can create users, and I can create groups, but I
    > have no idea how to actually set policies to the group. Only thing I
    > have been able to do is create policies that affect the PC as a whole.
    > I tried the link you sent and didn't have much luck. Each link I
    > clicked on on the site brought up Outlook Express. Are they supposed to
    > take me to anything or are they just a link to an email account? I do
    > appreciate you trying to help. I assume that the GPE is the same thing
    > as gpedet.msc.

    The link is to a list of newsgroups. The reason OE is opening is because
    it also functions as a newsreader. Here is information on that:

    Since you are using the web interface, you may not realize that this is
    really a newsgroup. You will get far more out of this resource if you
    learn to use a newsreader. There are many good newsreaders for Windows,
    but you can use Outlook Express since you already have it. Here are
    some links to information about newsgroups:

    http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief explanation of newsgroups
    http://michaelstevenstech.com/outlookexpressnewreader.htm
    http://rickrogers.org/setupoe.htm
    http://support.microsoft.com/default.aspx?scid=/support/news/howto/default.asp - Set Up Newsreader
    http://www.dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html
    http://aumha.org/nntp.htm - list of MS newsgroups
    microsoft.public.test.here - MS group to test if your newsreader is working properly

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
  6.

    You are not missing anything.
    Outside of a domain, local group policy applies to all accounts.
    You should be able to use the info in the KB which you referenced.
    Otherwise you need third-party tools or use of direct registry edits.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
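
    The "direct registry edits" route mentioned above, as an added example that is not part of the original post or of the KB article: an administrator mounts only the restricted account's profile hive and writes the per-user Explorer policy values there, so other accounts are untouched. The account name `kiosk` and the mount name `LockdownTemp` are assumptions; the account must have logged on once and be logged off when this runs.

    ```bat
    @echo off
    rem Added example: per-user restrictions written into ONE profile's hive.
    rem Assumptions: "kiosk" is a hypothetical limited account that has logged
    rem on once (so NTUSER.DAT exists) and is currently logged off.
    rem Run from an administrator account on Windows XP Professional.
    setlocal
    set "TARGET_USER=kiosk"
    set "HIVE=C:\Documents and Settings\%TARGET_USER%\NTUSER.DAT"
    set "MOUNT=HKU\LockdownTemp"
    set "POL=%MOUNT%\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

    rem Mount the offline hive. This fails if the profile is in use.
    reg load "%MOUNT%" "%HIVE%"
    if errorlevel 1 (
        echo Could not load %HIVE%. Is %TARGET_USER% still logged on?
        exit /b 1
    )

    rem Same values the User Configuration administrative templates write,
    rem but stored only in this user's HKCU instead of the machine-wide policy.
    reg add "%POL%" /v NoRun          /t REG_DWORD /d 1 /f
    reg add "%POL%" /v NoFind         /t REG_DWORD /d 1 /f
    reg add "%POL%" /v NoControlPanel /t REG_DWORD /d 1 /f
    reg add "%POL%" /v NoDesktop      /t REG_DWORD /d 1 /f

    rem Drive bitmask: bit 0 = A:, bit 25 = Z:. 67108863 = 2^26 - 1 = all drives.
    rem NoDrives hides them in Explorer; NoViewOnDrive blocks browsing them.
    reg add "%POL%" /v NoDrives       /t REG_DWORD /d 67108863 /f
    reg add "%POL%" /v NoViewOnDrive  /t REG_DWORD /d 67108863 /f

    rem Show what was written, then always unmount so the user can log on.
    reg query "%POL%"
    reg unload "%MOUNT%"
    endlocal
    ```

    Keep the target a limited (non-administrator) account: by default such accounts cannot write under the `Policies` key in their own hive, which is what stops the user from simply deleting these values.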
  7.

    Thank you both for your help. Since this is a work PC, I do not have the
    privilege of going to all of these different places. Was hoping to get any
    assistance through a trusted website. I do appreciate your assistance, Malke.
    Roger, these 3rd party tools, are any of them available free for download?
    I highly doubt I can get anything approved that would have to be paid for.
    But in any case, even if they are, could you send me some links?

    Thanks,

    Don
