Solved

Limiting user privileges in Win XP PRO

Posted on 2011-02-19
6
465 Views
Last Modified: 2012-05-11
Hello,
 
We would like to limit the capabilities of user's on their Win XP Pro workstations.  Unfortunately we have  all accounts set to run as admins since creating "limited" user accounts causes problems w/ our network run (Win 2008) Medical Billing/Admin Program.

Can anyone recommend a program or template that would help us set local policies for each workstation?  Is there a server solution or must this be done per workstation?

Thanks so much,
Mike
0
Comment
Question by:jumptohigh
  • 2
  • 2
  • 2
6 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 34933641
Setting the users' as admins is the issue. You need to determine the lowest most rights the local user needs to have to work with the application.
The server is not an issue.
See whether limiting the users to being power users will still let the users perform their work with the application.

If you have a test workstation where you can test that will be optimal, i.e. add the user as a limited domain user.
See what issues they have when using the software.
Then use a GPO with user rights assignment to add additional rights the user needs for the application to run on the system.
Once you accomplish this, you can put the users into an OU and apply these GPOs to all the users while removing them from the local admin group.
0
 

Author Comment

by:jumptohigh
ID: 34933983
Hi Arnold,

Thank you for the reply.  I'm so sorry, I neglected to mention that we are using the server merely in workgroup mode... AD is not installed.

Thanks,
Mike
0
 
LVL 3

Expert Comment

by:thomasd04
ID: 34934382
Hi jumptohigh. For most settings I believe you can copy the contents of the configured workstation %systemroot%\system32\grouppolicy\ to the target workstation. Some other security settings can be exported with the secedit tool.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 76

Expert Comment

by:arnold
ID: 34934673
You have to determine what are the base user rights needed for use with this application and add them versus giving the users admin rights and then trying to pare them back.
Why are you not using an AD which will provide from a central management interface.
0
 
LVL 3

Accepted Solution

by:
thomasd04 earned 500 total points
ID: 34937319
It also sounds like your objective is to be able to manage these policies without having to go to each workstation. Because you are not running AD you'll have to get a little creative.
Here's one idea. Use poledit.exe to create the policy file (Ntconfig.pol). You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs. By default, clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on. In this way, you only have to modify one policy at one location and it will affect all of your workstations.

My other idea would be to use logon scripts. This would be a very powerful method as you could control virtually anything you wanted by script. And to centralize it, you would have the script call scripts from a central location that you could easily manage.

BTW. Giving users admin privileges is never a good idea and most times you can find ways around it. There are many tool out there that you can use to get your custom programs to work without giving the users administrative access. Google these tools:

SU.EXE in the Windows 2000 Resource Kit

Good luck!!
0
 

Author Closing Comment

by:jumptohigh
ID: 34944215
Excellent.  Thanks so much!
0

Featured Post

Google Storage: Standard vs. Nearline vs. Coldline

Google Cloud Storage has a number of classes to choose from. Although there are a lot in common, they vary in price and usage terms. This post explains Google Cloud Storage classes and helps to understand which  one to choose.

Join & Write a Comment

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
As a long-time IT Professional, the most important skill I have developed and consider to be my most valuable tool is Effective Troubleshooting. Step through my problem-solving procedure in this 10-step guide adapted from The Universal Troubleshooti…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now