Solved

Preventing access to Games and Admin Tools within  Windows 2000 Pro

Posted on 2002-07-08
11
195 Views
Last Modified: 2010-04-13
Hi,

How can i prevent members of my staff from playing the games that come with Windows 2000 Pro and accessing the Admin tools. All members of staff will have Power User rights only. This is because some apps will not be fully functional within local user rights only.

Many Thanx

Notorious....
0
Comment
Question by:Notorious
  • 3
  • 2
  • 2
  • +4
11 Comments
 
LVL 6

Expert Comment

by:Zoplax
ID: 7138057
Is there a reason why the apps you mention can't run if your staff is in the regular Users group?  I mean, unless the app does some stuff with the hardware or other tasks which go beyond the realm of normal Users, you should be able to just give them the necessary permissions to the areas of the file system required by the app and go from there...?

Regarding the games and administrative tools; for the games, you can uninstall them, and restrict the users' access to the Windows 2000 installation files so that they can't reinstall them.  For the admin tools, I believe you can use policies to restrict access to these.

Here's a link:

http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 7138127
I would suggest giving them simple User Priv, but add the option for elevated install rights as shown below.
--------------------

Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the effected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:

 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

I hope this helps !
0
 

Author Comment

by:Notorious
ID: 7138325

1. The reason for me giving my users Local Power User rights on the Win2kPro clients is because if they had Local User rights they would not be able to use the spell checker within Ms Office 97. It would be greyed out.

2. How would i go about uninstalling the games that come with Win2kPro? When i go within ADD/REMOVE Windows Components within Control Panel, I do not see an option to uninstall the games.

3. Correct me if i am wrong, but in order for me to use Group policies i have to use Active Directory. However i am only running Win2kPro clients within an Win NT4.0 environment with Win NT Servers not win2k servers?

P.S. Sorry for not mentioning this earlier

Regards

Notorious........

0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 7138944
Locate the file SYSOC.INF in C:\winnt\inf.

Remove the keyword HIDE from the following lines:

Games=ocgen.dll,OcEntry,games.inf,HIDE,7
Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7

Now they should show up in the Add/Remove applet.  In terms of policies, I believe you are right, there is no way of enforcing rights locally without also restricting the administrator and I think that is done with AD as you said.
0
 
LVL 6

Accepted Solution

by:
st_steve earned 100 total points
ID: 7139108
If you're just running Win2k pro clients, you can use "Local Computer Policy" using MMC,

Start, Run, MMC
Click on "Console", Add/Remove Snapin, Click on Add, add "Group Policy" and accept the default value of Local Computer. Then you can set the policies using that snapin.

You'll have to do this on every Win2k computer, since you don't have a server to propagate the policies. You can save that MMC to a file and run this on each machine.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 13

Expert Comment

by:ocon827679
ID: 7140485
Well this is certainly the hard way, but it will work.  In your future WS build reset the acls on the admin tool executables to only allow administrators.  
0
 

Author Comment

by:Notorious
ID: 7145624
How would i reset the acls on the admin tool executables to only allow administrators?

Regards

Notorious........
0
 
LVL 13

Expert Comment

by:ocon827679
ID: 7145792
Go to each executable, right click, select properties - security tab.  Remove all listings except the local administrators group.
If you need to know what the .exe names are, just right click on the shortcuts, select properties.  The shortcut tab will have a dialog marked Target, which is the path to the .exe.
0
 

Author Comment

by:Notorious
ID: 7148481
Thanks very much st steve. Brilliant response. Many thanks to ocon827679.

Notorious.......
0
 
LVL 6

Expert Comment

by:st_steve
ID: 7150269
Hi "Notorious"

Glad I could help, and thanks for the A grade :)
0
 

Expert Comment

by:cattypus1
ID: 9033511
Just a final note about the games...they are under the Accessories heading.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Get to know the ins and outs of building a web-based ERP system for your enterprise. Development timeline, technology, and costs outlined.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now