Limiting Limited Access Accounts.

Post by Tom Stac » Wed, 08 Oct 2003 08:56:53

I have XP PRO SP1 preinstalled on my new Dell 8300. It is
in a school and I would like to make students a limited
account that is limited to only open 2 or 3 programs. Kind
of like in Windows 2000. I have used the local security
utility in the admin folder of the control panel and all
I can do is lock out access to the time date stamp
adjustment, which does very little for my cause. I can not
find out anything on locking out .exe files or
background/screen saver or anything else. How in a limited
account do I lock out other things? I have been told that
you can lock stuff out like in Win 2000. How does one go
about doing this?


Post by Steven L U » Wed, 08 Oct 2003 13:56:45

Hi Tom. You can use gpedit.msc to bring up the Local Group Policy to
configure user restrictions, but keep in mind it applies to all users by
default on a stand alone machine. See link to a hack that should work to
exempt administrator. If you lock yourself out you still should be able to
modify Group Policy from another computer on the network by running mmc on
it and then select Group Policy/another computer. You are going to need to
change ntfs permissions on the drive/root folder so that they can not save
files there. Go to properties/security/advanced and remove the permissions
for users to write folders and write files - there will probably be three
entries for users. You want to leave just the one for read/list/execute.

Create a local group and name it students. Create the student accounts and
add them to the student group. You will need to give that group deny
permissions on any program folder or stand alone executable you do not want
them to run. You may also want to do that to any instance of cmd.exe and
you find in a search on the computer. I would go through the
\windows\system32 folder and add their group to many of the executables
there. Keep in mind that with ntfs permissions an explicit allow overrides an
inherited deny.

After configuration changes, the only place that students will be able to
save files is in their local profile under documents and settings. Now you
can use Software Restriction Policies to create a path rule to c:\documents
and settings [assuming c is correct] as a disallowed rule, be sure to double
check that administrators are exempt in the enforcement settings.
That way the students will not be allowed to run or install any
software there and you will have a very locked down computer for them. If
you do not want to let them change their desktop, give them only
read/list/execute permissions for their desktop folder in their profile and
take ownership of it. Good luck. --- Steve
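
Added example, not part of either post: a simplified Python model of how Windows orders and evaluates ACL entries, showing why a deny set on a program folder can be defeated by an explicit allow on a file inside it, and how to list the files where that happens. The `Ace` class, the two-bit rights mask, the account names and every path except cmd.exe are assumptions made up for the illustration.

```python
from dataclasses import dataclass

EXECUTE, WRITE = 0x1, 0x2  # simplified rights bits for this model

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the entry names
    allow: bool      # True = allow entry, False = deny entry
    mask: int        # rights the entry covers
    inherited: bool  # True if it came from a parent folder

def canonical(aces):
    # Explicit deny, explicit allow, inherited deny, inherited allow.
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def access_check(aces, groups, wanted):
    """Walk entries in order: a deny on a still-needed right fails,
    allows accumulate until every wanted right is granted."""
    remaining = wanted
    for ace in canonical(aces):
        if ace.trustee not in groups:
            continue
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # no entry granted the remaining rights

def defeated_denies(acls, groups, group="students"):
    """Paths where `group` has an inherited execute deny yet can still execute."""
    return [path for path, aces in acls.items()
            if any(a.trustee == group and not a.allow and a.inherited
                   and a.mask & EXECUTE for a in aces)
            and access_check(aces, groups, EXECUTE)]

# Constructed sample ACLs; paths other than cmd.exe are made up.
STUDENT = {"student1", "students", "Users"}
ACLS = {
    r"C:\Program Files\Game\game.exe": [
        Ace("students", False, EXECUTE, True), Ace("Users", True, EXECUTE, True)],
    r"C:\Program Files\Tool\tool.exe": [
        Ace("students", False, EXECUTE, True), Ace("Users", True, EXECUTE, False)],
    r"C:\WINDOWS\system32\cmd.exe": [
        Ace("students", False, EXECUTE, False), Ace("Users", True, EXECUTE, False)],
}

if __name__ == "__main__":
    for path in defeated_denies(ACLS, STUDENT):
        print("inherited deny is overridden on", path)
```

Any path this reports needs the deny set directly on the file, or the explicit allow removed, before the folder-level deny takes effect.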