Solved

Locking an account's group membership

Posted on 2004-08-24
Last Modified: 2013-12-04
About a month and a half ago I built a new system for my Dad and younger brother to share after the motherboard went on their old one.  I set everything up for them exactly how they each wanted it, since I knew how picky they both are when it comes to the way their desktop and start menu are set up and the options in their various programs.  Anyways, it's XP Pro (as made half obvious by the category I'm posting this in) and my Dad has an account in the admin group and my brother is just in the users group, so it's a "Limited Account".  As with most younger brothers, he has a tendency to do annoying things, and he waits until my Dad leaves the room for a few minutes without logging off and makes himself an administrator as well.  I need a way to stop this because he has a horrible record for installing spyware and getting viruses and causing all sorts of other havoc.  So is there an easy way to keep him from modifying the group he's in?  Any solution would be extremely helpful.
Question by:DarkSnoopy
4 Comments
 
LVL 10

Expert Comment

by:dis1931
ID: 11889526
Yes, make sure your father locks the computer when he walks away...the only other thing I can think of is using tweakui...it will allow you to hide certain things in the control panel so that they are not available but doesn't block access so it can be accessed another way.  Another way is to set a policy using gpedit...which can be opened by going to Start --> Run --> gpedit.msc --> Click OK.  There are numerous policies limiting the views and access...however since it is a local computer it will apply to all users so be careful...also the local security policy under the administrative tools can prevent some access but I don't think it will help you for this case.  I would suggest making sure the PC is locked if your dad walks away as these tools add complexity and a mistake can cause you to lose access to something you may need sooner or later.

Dis
0
 
LVL 1

Author Comment

by:DarkSnoopy
ID: 11889692
I need a way to do what I described above without disabling the "user accounts" portion of the control panel.  My brother isn't knowledgeable enough to find any other way of changing it, such as the local users and groups part of the mmc.  There is no way I can rely on my father to lock the computer every time he walks away from it, as simple as it is, because he shouldn't have to worry about the security of his computer at home so he doesn't, even though he knows what my brother will do.
0
 
LVL 10

Expert Comment

by:dis1931
ID: 11889751
You can use tweakui to hide this control panel item...it will still be accessible but will not be seen in the control panel unless re-enabled from tweakui...but sooner or later he will learn a way around it.....I did as a child....so will he if he wants to get around your security...I still suggest locking the computer....even if at home I do always....I have a wife and relatives that are computer illiterate...so if I don't they will break it plain and simple...I let them use it when I am around to at least sort of supervise or answer questions about weird messages and popups...
0
 
LVL 10

Accepted Solution

by:
dis1931 earned 125 total points
ID: 11889759
There is no way to lock the group he is in...this would be to lock out the administrator as well as he is using the admin account.  You can hide ways to get to it that is all.  There are ways to do this via script on a domain and probably locally so that group memberships are checked and changed on login...etc...but still it will allow him to change it and do damage until the script runs again....and after the spyware and adware is present....
0
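The accepted answer mentions a script that checks and resets group membership at login. The following is an added example of that idea, not code from the thread: it compares the local Administrators group against an allowlist and removes anyone else. The account names and log path are assumptions, the parsing assumes English-language `net localgroup` output, and the script has to run with administrative rights (for example as a startup script or a scheduled task) to be able to remove members.

```powershell
# Added example: enforce an allowlist on the local Administrators group.
# Account names are assumptions; replace them with the real ones.
$allowed = @('Administrator', 'Dad')
$logFile = Join-Path $env:SystemRoot 'Temp\admin-group-audit.log'   # assumed log path

# "net localgroup" prints a header, a dashed separator, one member per line,
# then a completion message (English-language output assumed).
$lines = @(net localgroup Administrators)
$sep = $lines | Select-String -Pattern '^-+$' | Select-Object -First 1
if (-not $sep) {
    Add-Content $logFile "$(Get-Date -Format s) could not parse group listing"
    exit 1
}

# Select-String line numbers are 1-based, so using LineNumber as a 0-based
# index lands on the first line after the separator.
$members = @(
    $lines[$sep.LineNumber..($lines.Count - 1)] |
        Where-Object { $_.Trim() -and $_ -notmatch '^The command completed' } |
        ForEach-Object { $_.Trim() }
)

foreach ($m in $members) {
    # -notcontains compares case-insensitively, matching Windows account names.
    if ($allowed -notcontains $m) {
        net localgroup Administrators "$m" /delete | Out-Null
        if ($LASTEXITCODE -eq 0) { $status = 'removed' } else { $status = 'REMOVE FAILED' }
        Add-Content $logFile "$(Get-Date -Format s) unexpected member '$m': $status"
    }
}
```

As the answer points out, this only corrects membership when it runs. An account that is already logged on also keeps the administrator rights in its current session until it logs off, because group changes take effect at the next logon.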
