Sign in with
Sign up | Sign in
Your question

Editing user groups

Last response: in Windows XP
Share
July 1, 2010 8:14:56 PM

How do you edit user groups? I feel like I've been chasing my tail on this. I want to disable the ability to install (any) programs for all users except the one admin account. This is what I have so far:

I'm running winXP Pro SP2

Going through control_panel>user_accounts> and switching the account to a limited doesn't work (some progs can still be installed).

Going into Computer_Management (screenshot) gives me the ability to look at the groups and move user names from one group to another, but I can't edit/modify what each group is allowed to do. Right clicking on group and selecting properties gives me this. (screenshot)

Going into Group_Policy (screenshot) allows me to edit what users can do, but it applies the changes to every user (including the admin).

Any help you can give I would highly appreciate, I need this done by Saturday. That's when the family gets home.

More about : editing user groups

a b 8 Security
July 1, 2010 9:10:28 PM

http://support.microsoft.com/kb/307882

From what I have seen, it's either hard or impossible to set settings per user unless you are on a Domain, but the above link should guide you a bit.

A trick that MAY work, is find msiexec.exe and set rights on it to only Administrator and System. That should prevent some programs from installing unless the users are members of either group. Have not tried it, but since that is the MS installer tool it should do something restrictive :-) I am not sure if this only works on programs that use an .msi file to install, .exe setup files may get by this.
m
0
l
a b 8 Security
July 1, 2010 10:08:27 PM

gl1x said:
How do you edit user groups? I feel like I've been chasing my tail on this. I want to disable the ability to install (any) programs for all users except the one admin account. This is what I have so far:

I'm running winXP Pro SP2

Going through control_panel>user_accounts> and switching the account to a limited doesn't work (some progs can still be installed).

Going into Computer_Management (screenshot) gives me the ability to look at the groups and move user names from one group to another, but I can't edit/modify what each group is allowed to do. Right clicking on group and selecting properties gives me this. (screenshot)

Going into Group_Policy (screenshot) allows me to edit what users can do, but it applies the changes to every user (including the admin).

Any help you can give I would highly appreciate, I need this done by Saturday. That's when the family gets home.




To specify custom rights for the group, double-click Administrative Tools,
double-click Local Security Policy.
Double-click Security Settings,
double-click Local Policies,
double-click User Rights Assignment,
Double-click the user right you want to change,
Click Add user or group.
Go to the Object types box and check that groups is ticked, click OK. Click the accounts or group to which you want to assign the right.
Click OK, and then click OK again to get back out to the desktop.
m
0
l
Related resources
July 2, 2010 1:08:07 AM

@tig - That was kinda what I was looking for in the sense that I can add users and modify certain settings. But there is no option to disable installations. Any other ideas?
m
0
l
a b 8 Security
July 2, 2010 2:15:48 AM

gl1x said:
@tig - That was kinda what I was looking for in the sense that I can add users and modify certain settings. But there is no option to disable installations. Any other ideas?



More ideas.... Ummm....

Try (Tried?) this:

Gpedit (you know how to get there)

Computer Configuration>Administrative Templates>Windows Components>Windows installer>Prohibit User Installs>(Setting Tab)
Click Enabled and then the drop-down box is activated, choose "Prohibit User Installs"

See if this is more what you wanted.
I have more if this doesn't cut it.

I had to come back and edit this a bit. This will also lock You out, but at least you know how to switch it when needed.
m
0
l
a b 8 Security
July 2, 2010 4:57:55 AM

gl1x said:
@tig - That was kinda what I was looking for in the sense that I can add users and modify certain settings. But there is no option to disable installations. Any other ideas?



OK, here is my own personal ultimate solution to limiting what users can do on the computer.

Make all the users you want, or choose a user you want to limit (all of them but yourself?)

Since you can't turn off the ability to install programs on your users, we need to find a way that we would need to turn it on, if we could, but what will become obvious is, we can't, so our problem is solved.

You say...    What the..???      (Hang in there,    humor me,    I have your solution,     I think.)



Control Panel, Administrative Tools, Local Security Policy, User Rights Assignment,

Right-Click and select Properties for each and every thing you want to allow your users to do and make these permissions part of the Guest account:
Add User or Group, Advanced, Find Now, Guest, OK, Ok, Apply, Ok

On to the next permission, do the same way... until you have made a "Super-Guest" that can do anything you allowed, Except install programs, drivers, printers, or delete programs etc..

Now that your Guest can do any reasonable thing at the computer, it's time to convert a bunch of Users into Guest.


Right-Click My Computer, Manage, Computer Management (Local), Local Users and Groups, Users

Right-click (one at a time please) on all Users to be limited, Properties, Member of (Tab),
Users*, Remove, add, advanced, find now, Guest, ok, Ok, Apply. Ok

* or whatever group they were part of.

Do this for all "Users"

You now have a bunch of users that can sit there and use the computer but can't "Monkey" with it.





m
0
l
July 2, 2010 5:39:59 AM

I ended up going with another goofy idea that I stumbled on earlier. I disabled the use of all programs and made an exceptions list. Added the applications that will be used and all the exe's in the root folder (that took some time). Now, nothing will run unless the name's on the list, that includes for admin too. But since I'm admin, no worries. Though I did add an exception to the list so that if I need to install something down the road I can do so by simply renaming the install file to "sudo.exe" (I tested it out, it works). I know, it's a cheesy linux joke. But hey, thanks for your help anyway man. I really appreciate it. ;) 
m
0
l
a b 8 Security
July 2, 2010 7:20:10 AM

However it works.. it works :) 

if it has limitations, you can always try this last thing from me, and just think, I still had one more way to do this, but it is very much like yours you just spoke about.
m
0
l
!