• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1809
  • Last Modified:

How do I prevent Users from making changes to their User Profile?

I have created differant User Accounts on my kids Laptop running XP SP2 in a workgroup,each account has a differant profile,permissions,restrictions and settings.
I dont want them to be able to make any changes to their profile on the local computer.
I tried editting the Local Computer Policy (gpedit.msc) User Configuration/Administrative Templates but any changes made that way apply to ALL users including the Administrators Group
0
ASE1
Asked:
ASE1
2 Solutions
 
mikeleebrlaCommented:
what you want is what is called a manditory profile.  See the link below on how to set it up:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307800&sd=tech
0
 
jazz250Commented:
Go to Administrative Tools/Computer Management/Expand the Local User and Groups folder. Expand the Users folder. Right click on the Users folder and select New User. create a user named Defuser. Logout of the Administrator account and login to the new defuser account. Immediately logout of the defuser account and log back in to the Administrator account. Go back to Administrative Tools/Computer Management/Expand the Local User and Groups folder. Expand the Users folder. Double click on the new user Defuser. Go to the profiles tab. In the Profile Path section type in X:\WINDOWS\All Users\Defuser (where X is the system drive letter. Usually C:\). Click OK and then close Computer Management.

Right click My Computer and select Properties from the menu then the advanced Tab/user profiles settings button. Scroll down the list and locate the user Defuser. Click on it (to highlight it) and select the Copy To button. In the Copy Profile To section, type in X:\WINDOWS\All Users\Defuser (where X is the system drive letter. Usually C:\). In the Permitted To Use section, click the Change button and type in the words Authenticated Users. Click the Checknames button then click Ok. Click Ok again.
Navigate to the X:\WINDOWS\All Users\Defuser folder. Right click on the ntuser.dat file and select rename from the menu. Rename the file to ntuser.man


Re-Cap

The steps above just created a mandatory user profile named DefUser. Any new or existing user that is assigned to Defuser profile cannot save any changes to the desktop or user environment. Each time the user logs off the changes are discarded. This implementation allows for a uniform desktop among designated users but not necessarily all users of the machine.



Assigning the Defuser User Profile to any new user

Example:

Go to Administrative Tools/Computer Management/Expand the Local User and Groups folder. Expand the Users folder. Right click on the Users folder and select New User. create a user named User1. Double click (in the right hand pane) on the new user User1. Go to the profiles tab. In the Profile Path section type in X:\WINDOWS\All Users\Defuser (where X is the system drive letter. Usually C:\).

When User1 logs in he/she will inherit the ntuser.man file in the X:\WINDOWS\All Users\Defuser folder.



Assigning the Defuser User Profile to any existing user

Example: Existing user is User2

Go to Administrative Tools/Computer Management/Expand the Local User and Groups folder.

In the right hand pane, double click on User2. Go to the profiles tab. In the Profile Path section type in X:\WINDOWS\All Users\Defuser (where X is the system drive letter. Usually C:\).

When User2 logs in he/she will inherit the ntuser.man file in the X:\WINDOWS\All Users\Defuser folder.

0
 
mikeleebrlaCommented:
opps,, after posting that link i noticed that that version is on how to set up manditory profiles on a server instead of locally.  All you need to do in your case is skip to step 7 below:

7. Rename Ntuser.dat to Ntuser.man.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
ASE1Author Commented:
Thanks for the advice guys,but creating a Mandatory Profile will still allow a user to make changes to their profile, only these changes are not saved when the user logs off.
I don't want my kids to make any changes to their desktop and also not to be able to have access to certain programs which I can do by editting User Configuration/Administrative Templates but each user needs to have differant permissions and restrictions and when I edit the User Configuration/Administrative Templates any changes made are applied to ALL Users.
I also have another question: I thought that a Local Profile can not be made Mandatory only a Roaming Profile can be made Madatory.
0
 
mikeleebrlaCommented:
i would try editing the NTFS persmission on the C:\docs and settings\username\desktop\ folder so they can't created or edit files there although iver never tested it.  Yes you can have manditory profiles in a local environment.  All you do is change ntuser.dat to ntuser.man.  it doens't matter if the profile is stored locally or on a network. making this change means that profile changes aren't saved regardless of their location.
0
 
luv2smileCommented:
As for local policy......You can't have multiple local policies (unlike in a domain where you can have as many as you wish). There is only one local policy per computer.

What you can do is exclude the administrator group from receiving the policy. You would make sure your children are not local admins. Then change the ntfs permissions on the policy folder to not allow the admin group (or other group/user) to have read access to the policy. If a user doesn't have read access to a policy then they won't receive it's settings.

That's the best you're going to be able to do with local policy...it is all or nothing...the only work around is to filter out accounts.

http://www.jsifaq.com/sube/tip2400/rh2492.htm
0
 
IanThCommented:
yes if you change thier permissions in their username folder in docs and settings to read

also look in local security settings

run secpol.msc
0
 
Mohammed HamadaSenior IT ConsultantCommented:
Create a roaming profile or convert from local to roaming so you can apply the policy settings
Converting is not that easy, but if you decided to do that then i'll help.
0
 
senadCommented:
Or why dont you just make them "limited" users?
This way they cant screw up anything for sure...
0
 
ASE1Author Commented:
Thanks for all the help so far, Its going to take some time for me to try and see if I can get your suggestions to work for me.
I was wondering if there is a third party program out there that will enable me to acheive the results faster and easier.
As a quick reminder, I want to prevent some differant users on the same local computer from MAKING changes to their desktops
and on the other hand give other users the right to make those changes, with a Roaming Profile the users I want to prevent from making any changes, can still Make changes, but their changes are not saved.
I also want to prevent SOME Users from accessing MY Computer,My Documents the Run Command and so on...
0
 
mikeleebrlaCommented:
senad,, regular user accounts can change their own desktop settings to whatever they would like by default.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now