Preventing access to Games and Admin Tools within Windows 2000 Pro


How can i prevent members of my staff from playing the games that come with Windows 2000 Pro and accessing the Admin tools. All members of staff will have Power User rights only. This is because some apps will not be fully functional within local user rights only.

Many Thanx

Who is Participating?
st_steveConnect With a Mentor Commented:
If you're just running Win2k pro clients, you can use "Local Computer Policy" using MMC,

Start, Run, MMC
Click on "Console", Add/Remove Snapin, Click on Add, add "Group Policy" and accept the default value of Local Computer. Then you can set the policies using that snapin.

You'll have to do this on every Win2k computer, since you don't have a server to propagate the policies. You can save that MMC to a file and run this on each machine.
Is there a reason why the apps you mention can't run if your staff is in the regular Users group?  I mean, unless the app does some stuff with the hardware or other tasks which go beyond the realm of normal Users, you should be able to just give them the necessary permissions to the areas of the file system required by the app and go from there...?

Regarding the games and administrative tools; for the games, you can uninstall them, and restrict the users' access to the Windows 2000 installation files so that they can't reinstall them.  For the admin tools, I believe you can use policies to restrict access to these.

Here's a link:
I would suggest giving them simple User Priv, but add the option for elevated install rights as shown below.

Allow users to always install with System privileges. Administrator priv

 Windows 2000 has an Always install with elevated privileges Group Policy, that directs Windows Installer to always use System permissions when installing a program.

 I quote the Resource Kit:

 This policy extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned
 to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add/Remove Programs
 in Control Panel. This policy lets users install programs which require access to directories that the user might not have permission to
 view or change, including directories on highly restricted computers.

 Skilled users can take advantage of the permissions this entry grants to change their permissions and gain permanent access to
 restricted files and folders. Note that the User Configuration version of this entry is not guaranteed to be secure.

 This policy can be implemented at Computer Configuration\Administrative Templates\Windows Components\Windows
 Installer or User Configuration\Administrative Templates\Windows Components\Windows Installer.

 When enabled, Windows Installer defaults to using System privileges for the effected users' or computers' install.

 When I enabled the policy in Computer Configuration, it did an Add Value name AlwaysInstallElevated, as a
 REG_DWORD data type, and set the data value to 1, at the following keys:


 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

 HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalMachine\Software\Policies\Microsoft\Windows\Installer

I hope this helps !
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

NotoriousAuthor Commented:

1. The reason for me giving my users Local Power User rights on the Win2kPro clients is because if they had Local User rights they would not be able to use the spell checker within Ms Office 97. It would be greyed out.

2. How would i go about uninstalling the games that come with Win2kPro? When i go within ADD/REMOVE Windows Components within Control Panel, I do not see an option to uninstall the games.

3. Correct me if i am wrong, but in order for me to use Group policies i have to use Active Directory. However i am only running Win2kPro clients within an Win NT4.0 environment with Win NT Servers not win2k servers?

P.S. Sorry for not mentioning this earlier



Adam LeinssSenior Desktop EngineerCommented:
Locate the file SYSOC.INF in C:\winnt\inf.

Remove the keyword HIDE from the following lines:


Now they should show up in the Add/Remove applet.  In terms of policies, I believe you are right, there is no way of enforcing rights locally without also restricting the administrator and I think that is done with AD as you said.
Well this is certainly the hard way, but it will work.  In your future WS build reset the acls on the admin tool executables to only allow administrators.  
NotoriousAuthor Commented:
How would i reset the acls on the admin tool executables to only allow administrators?


Go to each executable, right click, select properties - security tab.  Remove all listings except the local administrators group.
If you need to know what the .exe names are, just right click on the shortcuts, select properties.  The shortcut tab will have a dialog marked Target, which is the path to the .exe.
NotoriousAuthor Commented:
Thanks very much st steve. Brilliant response. Many thanks to ocon827679.

Hi "Notorious"

Glad I could help, and thanks for the A grade :)
Just a final note about the games...they are under the Accessories heading.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.