Lock-down stand-alone Win2000: User acct only


TimRude

I've got a stand-alone (non-networked) Windows 2000 Pro machine with only two accounts - one Administrator (with a password) and one User (no password). Windows is set to auto-login to the User account at boot up.

I want to lock down the User account to disable stuff like the Control Panel, Display settings, Taskbar settings, etc. However, I want to leave these things enabled when logged in under the Administrator account.

Using the Group Policy editor, I can disable what I want but it affects both accounts. How can I selectively apply the Group Policy settings to only the User account?

TIA

Tim Rude

Instead of using the Group Policy Editor, you should lower your User account (the one with no password) to a lower privilege (i.e. another user group), so it won't have the (administrator) permission to access utilities like the Control Panel to change the system settings.

Check Control Panel->Users and Passwords->Advanced->Users->"Your User Name"->Member of

In a broader way to view the issue, either you change the user privilege or alter the permission to access an object; both will limit the user to a certain access of that object, which can be a file or folder.

You can control access for reading, writing, ownership, etc.; see the Security tab of the file.

Create a mandatory user profile. Rename ntuser.dat to ntuser.man in the user's profile directory, and any changes made will be discarded on log off.

or

Add the user to the Guests group, and configure Group Policy to block "Guests" from accessing X, Y, & Z.

Instead of using the Group Policy Editor, you should lower your User account (the one with no password) to a lower privilege (i.e. another user group), so it won't have the (administrator) permission to access utilities like the Control Panel to change the system settings.

Thanks. I've done that. The User account is a member of the 'Users' group, whereas the Administrator account is a member of the 'Administrators' group. However, that still doesn't block everything I want to block.

In a broader way to view the issue, either you change the user privilege or alter the permission to access an object; both will limit the user to a certain access of that object, which can be a file or folder.

I can see where this would be useful to prevent (for example) User access to REGEDIT or certain other apps. But I want to actually remove certain things from the UI, such as the entire 'Settings' menu, blocking the right-click menu on the desktop, blocking the right-click menu on the taskbar, etc.

Tim Rude

Create a mandatory user profile. Rename ntuser.dat to ntuser.man in the user's profile directory, and any changes made will be discarded on log off.

I'm afraid I don't quite understand this suggestion. Can you elaborate a little?

or

Add the user to the Guests group, and configure Group Policy to block "Guests" from accessing X, Y, & Z.

How? I don't see anywhere in the Group Policy editor to specify whether the restrictions apply to "Guests" only. It seems to be all or nothing.

Tim Rude

A lot of group policies (all or most administrative templates) are stored in the registry, and as such can be applied to an individual user. There is an Excel spreadsheet from Microsoft somewhere that lists all the policy settings you can make through the registry, but I don't happen to have a link. You can surely find it if you Google it; that's what I always do.

As for ntuser.man: find that user's folder. It's typically C:/Documents and Settings/Username. Find ntuser.dat. Make a copy of it (for backup purposes). Now rename it to ntuser.man. Tada!

FYI for anyone who cares:

I've gotten info from Mark Renoden on the Windows Platform Support Team at Microsoft that what I'm trying to do isn't really supported. However he suggested using Group Policies and then disabling the read access for the Admin acct, to prevent the group policies from being read and applied at login.

I also found the same suggestion and procedure here: Group Policies: Applying to Specific Users

It takes some tinkering but it seems to work pretty well.

If anyone's got better ideas I wouldn't mind hearing them, but otherwise I think I can do it this way.

Tim Rude

a) The method you linked to is not optimal.

b) The guy you talked to was wrong.

All the changes you seek to make are registry settings. This excel worksheet contains much more info. Here's what you do:

Log on as the administrator.

Open regedit. (On Windows 2000 this might require regedt32, I'm not sure...)

Go to HKEY_USERS.

Click File > Load hive.

Open C:/Documents and Settings/thatuser/ntuser.dat

Give it a name.

Go to thatname/software/microsoft/windows/currentversion/policies.

Using the spreadsheet linked to above, figure out what you need to add. Most will go in the system or explorer key. Create these keys if necessary. For most of the options, create a DWORD value, and name it whatever the setting is. So, for example, if it says to put the setting in

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoControlPanel

then go to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and create a DWORD value named NoControlPanel. Set these values to 1 for policy enabled, or 0 for policy not enabled. A few of these go in a different key, usually HKU\<thatuser>\policies\microsoft\windows\.

When you're done you MUST unload the hive, or you WILL get problems. Go to file > unload hive and click OK. Log on as the user, and your settings should take effect.

Edited by Idontwantspam
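The hive-editing procedure from the post above, plus the optional ntuser.man rename suggested earlier in the thread, written out as one batch script. This is an added example, not code from the thread or from Microsoft. It assumes reg.exe is available (it is built into Windows XP and later; on Windows 2000 it comes with the Support Tools, so on a stock 2000 box the same steps are done by hand in regedit as the post describes), that the target user is logged off so the hive file is not locked, and that the profile path, the temporary hive name LockedUser and the policy value names other than NoControlPanel are placeholders to be checked against the spreadsheet the post refers to.

```batch
@echo off
rem Added example: apply per-user policy values by editing the target user's
rem offline ntuser.dat with reg.exe. Run from an Administrator session while
rem "thatuser" is logged off. Paths, hive name and value names are placeholders.

setlocal
set HIVE_FILE=C:\Documents and Settings\thatuser\ntuser.dat
set HIVE_NAME=HKU\LockedUser
set POL=%HIVE_NAME%\Software\Microsoft\Windows\CurrentVersion\Policies

rem 1. Back up the hive before touching it.
copy /y "%HIVE_FILE%" "%HIVE_FILE%.bak" >nul || goto :fail

rem 2. Load the user's hive under HKEY_USERS (the same as regedit's File, Load Hive).
reg load %HIVE_NAME% "%HIVE_FILE%" || goto :fail

rem 3. Create the DWORD policy values: 1 = policy enabled, 0 = not enabled.
rem    NoControlPanel is the name used in the thread; the others are the standard
rem    template names for the items the original poster listed. Confirm them in
rem    the spreadsheet before relying on them.
reg add "%POL%\Explorer" /v NoControlPanel    /t REG_DWORD /d 1 /f || goto :cleanup
reg add "%POL%\Explorer" /v NoSetTaskbar      /t REG_DWORD /d 1 /f || goto :cleanup
reg add "%POL%\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f || goto :cleanup
reg add "%POL%\Explorer" /v NoViewContextMenu /t REG_DWORD /d 1 /f || goto :cleanup
rem    Display settings live under the System key rather than Explorer.
reg add "%POL%\System"   /v NoDispCPL         /t REG_DWORD /d 1 /f || goto :cleanup

rem 4. Verify what was written before unloading.
reg query "%POL%\Explorer"
reg query "%POL%\System"

:cleanup
rem 5. ALWAYS unload, otherwise the profile stays locked and the user cannot log on.
reg unload %HIVE_NAME%

rem 6. Optional, from the earlier reply: make the profile mandatory so the user's
rem    own changes are discarded at log off. Later edits must then load ntuser.man
rem    instead of ntuser.dat. Left commented out; enable deliberately.
rem ren "%HIVE_FILE%" ntuser.man
goto :eof

:fail
echo Could not back up or load "%HIVE_FILE%". Is the user still logged on?
exit /b 1
```

The Administrator account is never touched: the values go only into the User profile's hive, which is what makes the restrictions per-user. To confirm the result, log on as the user and check that the Control Panel and the context menus are gone; to roll back, load the hive again and set the values to 0 (or restore the .bak copy while the user is logged off).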