Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


Windows 2000 Professional setup for 40 identical users on one workstation without a domain.

Posted on 2004-08-08
Medium Priority
Last Modified: 2010-04-14
I need to set up 40 identical users on a Win 2000 workstation that has no domain.  This workstation will eventually be ghosted to about 20 additional machines in a middle school environment.  Here is what I need:

(1) Users should have no priveleges to install software or make major changes to the machine. (USER / GUEST)???
(2) All users will have the same wallpaper, favorites, screensaver, desktop, home page ,etc.
(3) It is extremely important that the user has no power to change the wallpaper, favorites, screensaver, desktop, home page ,etc.
(4) I would prefer not to use "protection" software like Fortres or Foolproof unless it is absolutely necessary
(5) Every user will use "My Documents" to save their individual work, hence I believe a mandatory profile can not be used.  No solution which wipes the user Documents and Settings folder is acceptable.
(6) I'm looking a solution that doesn't require a ton of copying and pasting stuff in the Documents and Settings folder.
(7) If there are any small W2K utilities that perform this task that would be ideal.

In addition,  I am open to any software that is ideal for a middle school classroom environment where students are limited to make the changes I specified in (3), but still giving students power to "explore".  The more detailed a solution, the more likely I will be to give away the points to one unique expert.  Thank you for your help.
Question by:jschreiber69
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +2

Author Comment

ID: 11749617
Sorry privileges was misspelled. I'm not an English teacher, thank God.

Expert Comment

ID: 11750384
all you need is to create user account. as user you have privileges on My Documments older but you can not install programs, mess around control panel, or change desktop settings.
I order to fine tune all security settings you can use Security policies.

Expert Comment

ID: 11750860
you need domain environment, install win2K on any PC and make it Domain controller by Dcpromo
add PCs to new domain and create users
add domain users (or the users you created) into power users group on PCs.
and make restriction by using default domain policy. (start-programs-admin tools - default domain policy)
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.


Expert Comment

by:Nabeeh ElDardery
ID: 11751054
Kindly find my comments for your points

(1) when creating the user accounts, do not add them to any group, just leave them with the default group (Users) to prevent them from installing any software
(2) logon with normal account and configure all your desktop settings (wallpaper and so on) + Redirect My Documents Folder to another location using %user_name% variable  
then logon with another acount to copy the first Profile under documents and settings to All Users Profile (All users will have the same desktop settings) then rename the file under C:\Documents and Settings\All Users\NTUSER.DAT to NTUSER.MAN (Mandatory Profile)
(3) Yes, the use can not change the desktop settings
(4) No protection software
(5) Everyone should has his own My Documents folder
(6) no copying of profiles
(7) Mentioned steps is the tool


Author Comment

ID: 11751885
Eldardery,  in your step (2), if I redirect My Documents Folder to another location, where can I put it so other users can not access it and keep it secure (no students from 3rd period copying 1st period work)?   If you can explain your step (2) as detailed as possible (remember I have no domain)  and it works, I will award you the points.  Thanks.

Expert Comment

ID: 11752084
if you create simple user (restricted) it will have his own My Documments folder. I don't understand why should he redirect this folder to another location.
He only needs to create user account and that should be enough. everyone will login to this account and work in it. only thing he should do is to disable shutdown/restart to that account to prevent booting with another OS (knoppix). if that is enabled for user profile nothing will prevent someone to boot from CD and take control of computer with another OS.
LVL 14

Accepted Solution

dlwyatt82 earned 2000 total points
ID: 11753193
Many of the previous comments clearly did not read jschreiber's requirements - he plans to have 40 individual user accounts (with separate My Documents folders, each secured against access by other users).

jschreiber, I would recommend the following steps:

First, modify the default permissions on your drives. On a Windows 2000 Professional PC, odds are they are set to Full Control for Everyone by default. To change this, log on as the Administrator account and perform the following steps:

1) In My Computer, Right click on your C:\ drive, select Properties.
2) Click the Security tab.
3) Click Add
4) From the list of available users or groups, select the group named "Users", click Add, and click OK.
5) This new entry should have "Read&Execute", "List Folder Contents", and "Read" permissions checked by default. Leave these settings.
6) Click Add again.
7) This time, select the Administrators group.
8) Allow Full Control for Administrators.
9) Highlight "Everyone", and click Remove.
10) Click OK.

This will secure the hard drive from tampering and prepare for the steps which follow. At this point, you should verify that each user profile in "c:\documents and settings" still has the correct permissions (The Administrators group, possibly the SYSTEM account, and each individual user should have Full Control rights to their own profile folder. The Everyone and/or Users grops should NOT be present in the Access Control List for profile directories within Documents and Settings).

Next, configure Group Policy to enforce the system settings you mentioned, as follows:

1) Select Run from the start menu, and type "gpedit.msc". This opens the Group Policy MMC snap-in.
2) Configure the policies you want to enforce - the types of policies you described (Internet Explorer options, Desktop wallpaper, etc) can be found in the Administrative Templates section under User Configuration. Experiment with these a bit to get a feel for what you would like to configure via Policies. Feel free to post more questions about Group Policy here if you would like some more info.

Now, you are ready to create the user accounts for your students. When creating these accounts, make sure they are only members of the Users group. They will automatically have a profile directory created which gives them a My Documents folder which only they (and you, as the system Administrator) have access to.
LVL 14

Expert Comment

ID: 11753252
One other area you'll want to view in the Group Policy snap-in is User Configuration -> Windows Settings -> Internet Explorer Maintenance. This is where you can configure policies to enforce Favorites, Home Page, etc (in the URLs section).

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
What we learned in Webroot's webinar on multi-vector protection.
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA:…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question