Solved

XP Pro Stop Local Administrators group been able to change Local Policy setting

Posted on 2004-08-05
11
193 Views
Last Modified: 2013-12-04

Looking to create a system for home use with children, they need to be able to have Administrator level privs to install and run games etc, but they need to be denided to alter the other childrens personal (school) files.

can stop the Administrator Group getting access to files by stoopping Inhenentance and and also stopping the Administrator group being able to take ownership of objects using Local Policy.

but need to be able to Stop Administrators group being able to change local policy and give that ability to anotehr group or specific users, ie the parents.

Or the other soln would be to be able to create a new group that has almost every ability that the administrators group has.

I'm not interested in protecting the OS system, just each childrens and parent files from other users changing or deleting them.

0
Comment
Question by:JustInTime_au
  • 3
  • 2
  • 2
  • +1
11 Comments
 
LVL 11

Expert Comment

by:kabaam
ID: 11731990
There are not different levels of admin accounts for local machines.
Have you tried adding the kids as power users?  They should still be able to install any programs, printers, or device drivers.
Under control panel open admin tools... computer management...local users and groups....groups....power users
add the kids to the power users and remove them from the admin group.
0
 

Author Comment

by:JustInTime_au
ID: 11732210

Power Users are not sufficent to access all the thing like CR buners etc. not sufficen to install Gams without potential problems etc.
0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 11732350
This would be easy if we were running a server here, eh?

I suppose what you could do is to place your children in the admin group, then go to each profile (Docs and Settings) and open the properties of each user (child).  On the security tab, take out the administrators group and only leave the user and System.  Now, there is a way around this, and knowing how smart young ones are nowadays, they may be able to take ownership, but this would require them to do some research...

FE
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 11

Expert Comment

by:kabaam
ID: 11732387
using group policy, you could remove administrators from taking ownership of files or other objects.  But ensure that you add your user accounts BEFORE removing the admin group.
0
 

Author Comment

by:JustInTime_au
ID: 11732485

Yes, can remove the Administrators Group from being able to See into Folders owned by other.

Then you need to Stop the administrator being able to take Ownership so they cannot then change the Folder Permissions, done this using Group Policy, remove administrators group from 'take ownership' priv, make the parent group being able to take ownership.

But how to stop any Administrator Group being able to change Local Policy data, so giving back the ability of Administrators to take ownership and then getting access again to the other Childrens folders and files.

0
 
LVL 40

Accepted Solution

by:
Fatal_Exception earned 250 total points
ID: 11732574
Thus the delimma, eh?  I guess that is what I was referring to in my comment above, that children today are inquisitive and knowledgeable with their computing skills...  I don't think there is a way to password protect the Security Policies...  Whatever you do as the admin, as long as your users have admin priveleges, then they will be able to circumvent it...  But I will think on it some more and perhaps another expert has some idea how to lock down the system..

FE
0
 
LVL 12

Assisted Solution

by:gidds99
gidds99 earned 250 total points
ID: 11757840
If you are using Nero you can allow non admin users to burn CD's using this free tool:

http://www.nero.com/en/631940824944968.html

You should be able to make it very difficult (although not impossible) to change the local policy using a combination of file permissions and policies.   As you can create a restrictive policy and make it very difficult to get round:

http://is-it-true.org/nt/nt2000/atips/atips131.shtml

The above link describes how to exclude your own admin account from the policy.

I dont believe it is possible to achieve what you are trying to do.  The best you can do is make it very difficult for the Kids to get round the restrictions.

Hope this helps.

0
 
LVL 40

Expert Comment

by:Fatal_Exception
ID: 13956069
:)
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
bypass UAC - always notifiy 4 63
suspending the anti virus 6 122
Probleme new certificat SHA256 6 59
How to check which of my products use Blowfish encryption? 5 87
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now