XP USER Account Restrictions

Hello,

I've set-up a new account that's under the "Limited account" type so guest users can log in without my worrries that they'll mess up my configurations and settings. Problem is, after creating the new account, I tried loggin it to it, and found out I could still access the registry and install some programs. I mean I don't know how my brothers and sisters do it but they manage to fubar my desktop on a regular basis! So I created them their own account with limited rights. So

1) Isn't there a way for me to log onto their account and from there log in as admin to make system changes? Or could I set restrictions to their accounts ONLY via my own admin account?

2) I'm toying with GPEDIT.MSC because I want them to have VERY limited access to most things, I.E. desktop settings, taskbar changes, all programs except their games, etc.

Because I couldn't figure out question 1, I change their accounts to admins so I could run gpedit from their logon thinking the changes I made to the "user configuration" would only affect the user that gpedit was running under (in this case the Kids' acct).

Well, I disabled MANY things like the run comand or the folder options and control panel but then when I logged in to my own account the same restrictions applied to me too!

Jam it back in, in the dark.

The reason that happens is that you are not in a Domain environment. That is, your users do not log in under the system Windows server environments use called Active Directory--as you are but one machine, the changes apply globally as you likely noticed (there's only one policy, not like under AD where several OUs, or Organizational Units exist).

To get such a high degree of control, you would need to be using Windows 2000 Server or Advanced Server, or Windows Server 2003 with the Active Directory service online. From there, you can control settings at a per-user level.

As far as the desktop settings, most of those are profile based, if I recall.

Further, if you want to make it so that your brother can't use regedit... we will assume his account name is Jim:

• Open up Explorer, and navigate to \WINDOWS.
• You will see two files here--regedit.exe and regedt32.exe. The following applies to both.
• Right-click, hit Properties.
• Go to the Security tab, and you should see some users/groups shown. Remove the Users setting and Jim if it is set.
• Now, set Users with Full Deny.

Naming of those things might not be exact, but you should be able to find your way around. If you do not have that much information under the Security tab, or lack that tab at all, you may be out of luck as far as this method goes.

Finally, were you asking how to RECOVER from this, or not? Can't tell.

There's nowhere I can't reach.

Thank Duminas, Yup I have recovered from the restrictions I set on myself. While your tip on the registry restriction is handy, its just one ofthe hundred settings I'd like to control... I dont think I have the time to set up that Active Directory stuff...

This thing is sticky, and I don't like it. I don't appreciate it.

Here is my suggestion: Mandatory Profiles

I'm currently experimenting with these atm at work and so far the results have been good.

In a windows environment, you have 3 types of profiles; Local, Roaming and Mandatory.

Each one has its own merits, but for your situation, you could try going with the mandatory approach which means the profile is read-only and any changes they make would not be saved when loggin off.

Altering a profile to become a mandatory profile is a little bit tricky though.

First, create the profile (make it a guest account, this way some of the restrictions are still in place) and log into that profile and configure it until your happy with the settings.

Next, log out of the profile you just configured and log back into your admin account. You need to make both file extensions and hidden files and folders visable to allow them to be edited. Visit the following directory path: " C:\Documents and Settings " and enter the folder (which is the profile) that you made, e.g. Tim.

Lastly, if you have set the settings right, you will be able to see the hidden folders and the following file with the file extension: "NTUSER.DAT " and all you have to do is alter that file to this: " NTUSER.MAN " (it will say you do you really want to alter the extension on this file and yes you do).

Just make sure you DO NOT alter the admin account otherwise all hell will break loose. Log into the account you just changed and see if it works e.g alter the wallpaper, log out, log in and see if it saved it.

Good luck.

I am a dolphin, do you want me on your body?