Link to home
Start Free TrialLog in
Avatar of DarkSnoopy
DarkSnoopy

asked on

Locking an account's group membership

About a month and a half ago I built a new system for my Dad and younger brother to share after the motherboard went on their old one.  I set everything up for them exactly how they each wanted it, since I knew how picky they both are when it comes to the way their desktop and start menu are set up and the options in their various programs.  Anyways, it's XP Pro (as made half obvious by the category I'm posting this in) and my Dad has an account in the admin group and my brother is just in the users group, so it's a "Limited Account".  As with most younger brothers, he has a tendency to do annoying things, and he waits until my Dad leaves the room for a few minutes without logging off and makes himself an administrator as well.  I need a way to stop this because he has a horrible record for installing spyware and getting viruses and causing all sorts of other havoc.  So is there an easy way to keep him from modifying the group he's in?  Any solution would be extremely helpful.
Avatar of dis1931
dis1931
Yes make sure your father locks the computer when he walks away...the only other thing i can think of is using tweakui...it will allow you to hide certain things in the control panel so that they are not available but doesn't block access so it can be accessed another way.  Another way is to set a policy using gpedit...which can be opened by going to Start --> Run --> gpedit.msc --> Click OK.  There are numerous policies limiting the views and access...however since it is a local computer it will apply to all users so be careful...also the local security policy under the administrative tools can prevent some access but i don't think it will help you for this case.  I would suggest making sure the PC is locked if your dad walks away as these tools add complexity and a mistake can cause you to lose access to something you may need sooner or later.

Dis
Avatar of DarkSnoopy
DarkSnoopy

ASKER

I need a way to do what I described above without disabling the "user accounts" portion of the control panel.  My brother isn't knowledgeable enough to find any other way of changing it, such as the local users and groups part of the mmc.  There is no way I can rely on my father to lock the computer every time he walks away from it, as simple as it is, because he shouldn't have to worry about the security of his computer at home so he doesn't, even though he knows what my brother will do.
Avatar of dis1931
dis1931
You can use tweakui to hide this control panel item...it will still be accessible but will not be seen in the control panel unless re-enabled from tweakui...but sooner or later he will learn a way around it.....i did as a child....so will he if he wants to do get around your security...i still suggest locking the computer....even if at home i do always....i have a wife and relatives that are computer illiterate...so if i don't they will break it plain and simple...i let them use it when i am around to at least sort of supervise or answer questions about weird messages and popups...
ASKER CERTIFIED SOLUTION
Avatar of dis1931
dis1931
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial