I have a computer that I am trying to create a user profile on and I can't figure out how to do what I want. I would like to create limited access beyond the "users" group by disabling windows update and the control panel as well as a few other things. The only way I have found to do that is through the management console by adding a snap-in group policy but that disables things for the Administrator as well and I have to re-enable them in order to use them. This is very annoying. How do I create a user profile that does not interfere with the built in administrator account? Is this possible or do I need to create a group policy on another computer on the network and do all my administering from there? I know that I can specify a profile path for each user on the machine. Is this what I want to do? how do I create a profile. I want to have a limited user account but be able to log in as an administrator on the local machine and have full access.
Links to sites are acceptable. I am not opposed to doing my own work I just haven't found a site that explains what I want to do yet?
You may not be able to do the full customization of the account if you are running in a Workgroup environment rather than a Domain setup. The Group Policy settings available in a Domain environment would have the granularity that you require.
Creating the additional user group is simply done through Computer Management | Local Users & Groups | Groups |. This is assuming you are running on Windows XP Pro. You create a new user account and add it to the new group that you created.
With regards to additional restrictions, you can have a look through the system's "Local Security Settings" under Administrative Tools. There are a few options available to you.
I can't exactly tell you how to do it in a Workgroup mode because I don't have access to a Workgroup at the moment, but this link explains how it is possible to change the application of the Local Group Policy objects so that it does not affect the Administrators group on the system (http://www.theeldergeek.com/gp07.htm).
You can try applying that change, and then making the necessary changes in Local Group Policy and see if that helps. Also, make sure your Group Policy object only applies that new user group you created earlier in Computer Management.
Off hand that does sound like group policy which is only available once the computer is a member of the domain, but what you want to change would be user account policy anyway... still requires the user to log into a domain though. I don't have the capacity to look at the moment but i don't think you can affect just one user, it's either computer policy or user policy, and user policy affects everyone who logs into that computer only.
the more research I do, I think you guy are right. I think I need to change the networking setup and use a domain instead of workgroups. Do you know of any good sites that explain domains and how to properly set them up? It is my understanding that with domains, all accounts are authenticated through the server. However, using the management console to edit group policy, this will still affect the entire machine. I want to be able to log in on the local machines with full access.
If you guys can recommend any sites or books on the subject, I would be appreciative. I may be totally off on the above statements as my knowledge of running a server and domain is almost zero. thanks for your help.
A domain environment is nearly infinately configuarable, for indivual users and computers. it's more of a PITA than it's worth though for home use. you'll spend more time messing with the "domain" than you will enjoying your free time.