JustInTime_au
asked on
XP Pro Stop Local Administrators group been able to change Local Policy setting
Looking to create a system for home use with children, they need to be able to have Administrator level privs to install and run games etc, but they need to be denided to alter the other childrens personal (school) files.
can stop the Administrator Group getting access to files by stoopping Inhenentance and and also stopping the Administrator group being able to take ownership of objects using Local Policy.
but need to be able to Stop Administrators group being able to change local policy and give that ability to anotehr group or specific users, ie the parents.
Or the other soln would be to be able to create a new group that has almost every ability that the administrators group has.
I'm not interested in protecting the OS system, just each childrens and parent files from other users changing or deleting them.
ASKER
Power Users are not sufficent to access all the thing like CR buners etc. not sufficen to install Gams without potential problems etc.
This would be easy if we were running a server here, eh?
I suppose what you could do is to place your children in the admin group, then go to each profile (Docs and Settings) and open the properties of each user (child). On the security tab, take out the administrators group and only leave the user and System. Now, there is a way around this, and knowing how smart young ones are nowadays, they may be able to take ownership, but this would require them to do some research...
FE
I suppose what you could do is to place your children in the admin group, then go to each profile (Docs and Settings) and open the properties of each user (child). On the security tab, take out the administrators group and only leave the user and System. Now, there is a way around this, and knowing how smart young ones are nowadays, they may be able to take ownership, but this would require them to do some research...
FE
using group policy, you could remove administrators from taking ownership of files or other objects. But ensure that you add your user accounts BEFORE removing the admin group.
ASKER
Yes, can remove the Administrators Group from being able to See into Folders owned by other.
Then you need to Stop the administrator being able to take Ownership so they cannot then change the Folder Permissions, done this using Group Policy, remove administrators group from 'take ownership' priv, make the parent group being able to take ownership.
But how to stop any Administrator Group being able to change Local Policy data, so giving back the ability of Administrators to take ownership and then getting access again to the other Childrens folders and files.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Have you tried adding the kids as power users? They should still be able to install any programs, printers, or device drivers.
Under control panel open admin tools... computer management...local users and groups....groups....power users
add the kids to the power users and remove them from the admin group.