Solved

Locking an account's group membership

Posted on 2004-08-24
4
152 Views
Last Modified: 2013-12-04
About a month and a half ago I built a new system for my Dad and younger brother to share after the motherboard went on their old one.  I set everything up for them exactly how they each wanted it, since I knew how picky they both are when it comes to the way their desktop and start menu are set up and the options in their various programs.  Anyways, it's XP Pro (as made half obvious by the category I'm posting this in) and my Dad has an account in the admin group and my brother is just in the users group, so it's a "Limited Account".  As with most younger brothers, he has a tendency to do annoying things, and he waits until my Dad leaves the room for a few minutes without logging off and makes himself an administrator as well.  I need a way to stop this because he has a horrible record for installing spyware and getting viruses and causing all sorts of other havoc.  So is there an easy way to keep him from modifying the group he's in?  Any solution would be extremely helpful.
0
Comment
Question by:DarkSnoopy
  • 3
4 Comments
 
LVL 10

Expert Comment

by:dis1931
ID: 11889526
Yes make sure your father locks the computer when he walks away...the only other thing i can think of is using tweakui...it will allow you to hide certain things in the control panel so that they are not available but doesn't block access so it can be accessed another way.  Another way is to set a policy using gpedit...which can be opened by going to Start --> Run --> gpedit.msc --> Click OK.  There are numerous policies limiting the views and access...however since it is a local computer it will apply to all users so be careful...also the local security policy under the administrative tools can prevent some access but i don't think it will help you for this case.  I would suggest making sure the PC is locked if your dad walks away as these tools add complexity and a mistake can cause you to lose access to something you may need sooner or later.

Dis
0
 
LVL 1

Author Comment

by:DarkSnoopy
ID: 11889692
I need a way to do what I described above without disabling the "user accounts" portion of the control panel.  My brother isn't knowledgeable enough to find any other way of changing it, such as the local users and groups part of the mmc.  There is no way I can rely on my father to lock the computer every time he walks away from it, as simple as it is, because he shouldn't have to worry about the security of his computer at home so he doesn't, even though he knows what my brother will do.
0
 
LVL 10

Expert Comment

by:dis1931
ID: 11889751
You can use tweakui to hide this control panel item...it will still be accessible but will not be seen in the control panel unless re-enabled from tweakui...but sooner or later he will learn a way around it.....i did as a child....so will he if he wants to do get around your security...i still suggest locking the computer....even if at home i do always....i have a wife and relatives that are computer illiterate...so if i don't they will break it plain and simple...i let them use it when i am around to at least sort of supervise or answer questions about weird messages and popups...
0
 
LVL 10

Accepted Solution

by:
dis1931 earned 125 total points
ID: 11889759
There is no way to lock the group he is in...this would be to lock out the administrator as well as he is using the admin account.  You can hide ways to get to it that is all.  There are ways to do this via script on a domain and probably locally so that group memberships are checked and changed on login...etc...but still it will allow himk to change it and do damage until the script runs again....and after the spyware and adware is present....
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question