Preventing access to Games and Admin Tools within  Windows 2000 Pro

Posted on 2002-07-08
Medium Priority
Last Modified: 2010-04-13

How can i prevent members of my staff from playing the games that come with Windows 2000 Pro and accessing the Admin tools. All members of staff will have Power User rights only. This is because some apps will not be fully functional within local user rights only.

Many Thanx

Question by:Notorious
  • 3
  • 2
  • 2
  • +4

Expert Comment

ID: 7138057
Is there a reason why the apps you mention can't run if your staff is in the regular Users group?  I mean, unless the app does some stuff with the hardware or other tasks which go beyond the realm of normal Users, you should be able to just give them the necessary permissions to the areas of the file system required by the app and go from there...?

Regarding the games and administrative tools; for the games, you can uninstall them, and restrict the users' access to the Windows 2000 installation files so that they can't reinstall them.  For the admin tools, I believe you can use policies to restrict access to these.

Here's a link:

LVL 63

Expert Comment

ID: 7138127
I would suggest giving them simple User Priv, but add the option for elevated install rights as shown below.

Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the effected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:


 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

I hope this helps !

Author Comment

ID: 7138325

1. The reason for me giving my users Local Power User rights on the Win2kPro clients is because if they had Local User rights they would not be able to use the spell checker within Ms Office 97. It would be greyed out.

2. How would i go about uninstalling the games that come with Win2kPro? When i go within ADD/REMOVE Windows Components within Control Panel, I do not see an option to uninstall the games.

3. Correct me if i am wrong, but in order for me to use Group policies i have to use Active Directory. However i am only running Win2kPro clients within an Win NT4.0 environment with Win NT Servers not win2k servers?

P.S. Sorry for not mentioning this earlier



Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

LVL 22

Expert Comment

by:Adam Leinss
ID: 7138944
Locate the file SYSOC.INF in C:\winnt\inf.

Remove the keyword HIDE from the following lines:


Now they should show up in the Add/Remove applet.  In terms of policies, I believe you are right, there is no way of enforcing rights locally without also restricting the administrator and I think that is done with AD as you said.

Accepted Solution

st_steve earned 400 total points
ID: 7139108
If you're just running Win2k pro clients, you can use "Local Computer Policy" using MMC,

Start, Run, MMC
Click on "Console", Add/Remove Snapin, Click on Add, add "Group Policy" and accept the default value of Local Computer. Then you can set the policies using that snapin.

You'll have to do this on every Win2k computer, since you don't have a server to propagate the policies. You can save that MMC to a file and run this on each machine.
LVL 13

Expert Comment

ID: 7140485
Well this is certainly the hard way, but it will work.  In your future WS build reset the acls on the admin tool executables to only allow administrators.  

Author Comment

ID: 7145624
How would i reset the acls on the admin tool executables to only allow administrators?


LVL 13

Expert Comment

ID: 7145792
Go to each executable, right click, select properties - security tab.  Remove all listings except the local administrators group.
If you need to know what the .exe names are, just right click on the shortcuts, select properties.  The shortcut tab will have a dialog marked Target, which is the path to the .exe.

Author Comment

ID: 7148481
Thanks very much st steve. Brilliant response. Many thanks to ocon827679.


Expert Comment

ID: 7150269
Hi "Notorious"

Glad I could help, and thanks for the A grade :)

Expert Comment

ID: 9033511
Just a final note about the games...they are under the Accessories heading.

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This holiday season, we’re giving away the gift of knowledge—tech knowledge, that is. Keep reading to see what hacks, tips, and trends we have wrapped and waiting for you under the tree.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses
Course of the Month15 days, 6 hours left to enroll

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question