How to create another administrator with limited rights



On a stand-alone Windows XP Professional machine, I need to allow someone to have all the rights of a local administrator – with the exception of:
- being able to remove or disable other user/admin accounts
- prevent them from adding themselves to a higher level admin group that does have these privileges.

How do I set this special group up - where and what options would I change?  

Thanks

Asked by: vamail2

kevinf40 Commented:
Hi vamail2

You may well be able to achieve what you require by using 'user rights assignment' but this will be rather long-winded and need testing.

An easier solution would be to make the user a member of the power users group - this will grant them many rights, although not as many as an administrator minus the two things you mention.  If possible give this a go and see if the user can work OK.

cheers

K

vamail2 (Author) Commented:
User or Power user will require the same testing.

Isn't it easier to just make a second admin group and remove a few rights?

kevinf40 Commented:
OK, what may solve your issue is to use 'restricted groups'.

This can be found under the 'Security Templates' mmc snap-in.

Under 'setup security' there is a 'Restricted Groups' option.

Create a group here, make it part of the administrators group and add all the users you want to be administrators to this group.  In this way the user will have administrative rights but will not be able to remove other administrative accounts.

The other option I suggested - using user rights assignment can also be found in this snap in so I thought I'd re-visit it - creating a power user and then adding any rights required for the user to do their job would be a possible solution.

cheers

K
vamail2 (Author) Commented:
Having a little trouble with the steps -

"Create a group here, make it part of the administrators group and ...."

I created a group called "AdminRestricted" - Where and exactly how do I make a group part of the administrators group?  I even tried creating it and under Local Users and Groups - but I don't see it listed when I use any options to add it to the administrators group.

"The other option I suggested - using user rights assignment can also be found in this snap in so I thought I'd re-visit it - creating a power user and then adding any rights required for the user to do their job would be a possible solution."

Think of what happens when you go to install software and the instructions say "you must be a local admin on the machine".  Can you imagine how much tweaking of the "power user" I'd have to change?


kevinf40 Commented:
Hi Vamail2

Sorry, I should have explained with more clarity.

Within the mmc, where you created the restricted group, right click on it and select properties.  A window should then appear where you can add users to that group and specify which computer groups that user is a member of.


To answer your second point - yes it will be more work, and realistically running as a non administrator can be a pain if you are allowed to install software etc, BUT if you add someone to the administrators group, if they really want to they will be able to circumvent most restrictions you try to apply as they are an admin....

ashbury Commented:

You can try Power User groups

vamail2 (Author) Commented:
>>Within the mmc, where you created the restricted group right click
Okay this worked

>>on it and select properties.  A window should then appear where you can add users to that group
And this worked


>>and specify which computer groups that user is a member of.

This is what fails.  It does not list any other groups or users even when I click on that lower box's properties, and search for "security objects" Nothing..


Stuart Oram Commented:
My opinion is that the easiest option would be to set security on the lusrmgr.msc and userpasswords(2) elements of control panel to deny this particular user access to those admin applications.

vamail2 (Author) Commented:
Great idea except that if they created a copy from their own machine and renamed it "whatever.msc" then they could still make changes - right?

cduke250 Commented:
If I were you I would instead create a limited access user and then use the "runas" command to let them perform certain administrative tasks that you allow.
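
Several replies in this thread turn on who ends up in the local Administrators group, so a membership check against an approved list is a useful complement to whichever option is chosen. The following is an added example, not code from any poster: it parses the output of `net localgroup Administrators` and reports accounts that are not on the approved list. The sample output, the account names and the approved list are constructed, and the parser assumes the English-language output of the command.

```python
"""Compare local Administrators membership with an approved list.

Added example: SAMPLE_OUTPUT and all account names are constructed.
"""

# Constructed sample of `net localgroup Administrators` output (English locale).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
owner
tempadmin
The command completed successfully.
"""

# Hypothetical allow-list of accounts that should be administrators.
APPROVED = {"Administrator", "owner", "backupadmin"}


def parse_members(net_output):
    """Return the member names listed by `net localgroup <group>`."""
    members = []
    in_list = False
    for line in net_output.splitlines():
        stripped = line.strip()
        if not in_list:
            # The member list starts after the dashed separator line.
            if stripped and set(stripped) == {"-"}:
                in_list = True
            continue
        if stripped.lower().startswith("the command completed"):
            break
        if stripped:
            members.append(stripped)
    return members


def membership_drift(net_output, approved):
    """Return (unexpected, missing) versus the approved set, case-insensitively."""
    actual = {m.lower(): m for m in parse_members(net_output)}
    approved_lc = {a.lower() for a in approved}
    unexpected = sorted(n for key, n in actual.items() if key not in approved_lc)
    missing = sorted(approved_lc - set(actual))
    return unexpected, missing


if __name__ == "__main__":
    print(membership_drift(SAMPLE_OUTPUT, APPROVED))
```

Run on a schedule from an account the restricted user does not control, with the real command output passed to `membership_drift` in place of the sample.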