Preventing access to Games and Admin Tools within  Windows 2000 Pro

Posted on 2002-07-08
Medium Priority
Last Modified: 2010-04-13

How can i prevent members of my staff from playing the games that come with Windows 2000 Pro and accessing the Admin tools. All members of staff will have Power User rights only. This is because some apps will not be fully functional within local user rights only.

Many Thanx

Question by:Notorious
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +4

Expert Comment

ID: 7138057
Is there a reason why the apps you mention can't run if your staff is in the regular Users group?  I mean, unless the app does some stuff with the hardware or other tasks which go beyond the realm of normal Users, you should be able to just give them the necessary permissions to the areas of the file system required by the app and go from there...?

Regarding the games and administrative tools; for the games, you can uninstall them, and restrict the users' access to the Windows 2000 installation files so that they can't reinstall them.  For the admin tools, I believe you can use policies to restrict access to these.

Here's a link:

LVL 63

Expert Comment

ID: 7138127
I would suggest giving them simple User Priv, but add the option for elevated install rights as shown below.

Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the effected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:


 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

I hope this helps !

Author Comment

ID: 7138325

1. The reason for me giving my users Local Power User rights on the Win2kPro clients is because if they had Local User rights they would not be able to use the spell checker within Ms Office 97. It would be greyed out.

2. How would i go about uninstalling the games that come with Win2kPro? When i go within ADD/REMOVE Windows Components within Control Panel, I do not see an option to uninstall the games.

3. Correct me if i am wrong, but in order for me to use Group policies i have to use Active Directory. However i am only running Win2kPro clients within an Win NT4.0 environment with Win NT Servers not win2k servers?

P.S. Sorry for not mentioning this earlier



Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

LVL 22

Expert Comment

by:Adam Leinss
ID: 7138944
Locate the file SYSOC.INF in C:\winnt\inf.

Remove the keyword HIDE from the following lines:


Now they should show up in the Add/Remove applet.  In terms of policies, I believe you are right, there is no way of enforcing rights locally without also restricting the administrator and I think that is done with AD as you said.

Accepted Solution

st_steve earned 400 total points
ID: 7139108
If you're just running Win2k pro clients, you can use "Local Computer Policy" using MMC,

Start, Run, MMC
Click on "Console", Add/Remove Snapin, Click on Add, add "Group Policy" and accept the default value of Local Computer. Then you can set the policies using that snapin.

You'll have to do this on every Win2k computer, since you don't have a server to propagate the policies. You can save that MMC to a file and run this on each machine.
LVL 13

Expert Comment

ID: 7140485
Well this is certainly the hard way, but it will work.  In your future WS build reset the acls on the admin tool executables to only allow administrators.  

Author Comment

ID: 7145624
How would i reset the acls on the admin tool executables to only allow administrators?


LVL 13

Expert Comment

ID: 7145792
Go to each executable, right click, select properties - security tab.  Remove all listings except the local administrators group.
If you need to know what the .exe names are, just right click on the shortcuts, select properties.  The shortcut tab will have a dialog marked Target, which is the path to the .exe.

Author Comment

ID: 7148481
Thanks very much st steve. Brilliant response. Many thanks to ocon827679.


Expert Comment

ID: 7150269
Hi "Notorious"

Glad I could help, and thanks for the A grade :)

Expert Comment

ID: 9033511
Just a final note about the games...they are under the Accessories heading.

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question