Limiting user privileges in Win XP PRO

Posted on 2011-02-19
Last Modified: 2012-05-11
We would like to limit the capabilities of users on their Win XP Pro workstations. Unfortunately we have all accounts set to run as admins, since creating "limited" user accounts causes problems with our network-run (Win 2008) Medical Billing/Admin program.

Can anyone recommend a program or template that would help us set local policies for each workstation?  Is there a server solution or must this be done per workstation?

Thanks so much,
Question by: jumptohigh

Expert Comment

ID: 34933641
Setting the users up as admins is the issue. You need to determine the minimum rights the local user needs to have to work with the application.
The server is not an issue.
See whether limiting the users to being power users will still let the users perform their work with the application.

If you have a test workstation where you can test, that will be optimal: add the user as a limited domain user.
See what issues they have when using the software.
Then use a GPO with user rights assignment to add additional rights the user needs for the application to run on the system.
Once you accomplish this, you can put the users into an OU and apply these GPOs to all the users while removing them from the local admin group.

Author Comment

ID: 34933983
Hi Arnold,

Thank you for the reply.  I'm so sorry, I neglected to mention that we are using the server merely in workgroup mode... AD is not installed.


Expert Comment

ID: 34934382
Hi jumptohigh. For most settings I believe you can copy the contents of the configured workstation %systemroot%\system32\grouppolicy\ to the target workstation. Some other security settings can be exported with the secedit tool.
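The copy-from-a-reference-workstation approach described in the comment above, written out as a script. This is an added example, not code from the thread; it assumes a hypothetical staging share `\\BILLSRV\Policies` that every workstation can read, and file names `workstation.inf` and `GroupPolicy` that are chosen here for illustration. Run it once with `export` on the workstation you have already configured and tested, then with `import` on each other machine from an administrative command prompt.

```batch
@echo off
REM Added example (not from the original thread): replicate the local
REM security policy (secedit) and the local Group Policy folder from a
REM configured XP Pro workstation to other workgroup machines.
REM Assumed, hypothetical staging share: \\BILLSRV\Policies
REM Usage on the reference machine:  localpolicy.cmd export
REM Usage on each target machine:    localpolicy.cmd import
setlocal
set STAGE=\\BILLSRV\Policies
if /i "%~1"=="export" goto :export
if /i "%~1"=="import" goto :import
echo usage: %~nx0 export ^| import
exit /b 1

:export
REM Account/audit policy and User Rights Assignment are written to one
REM .inf template. Only these two areas are exported on purpose: the
REM REGKEYS and FILESTORE areas carry machine-specific ACLs.
secedit /export /cfg "%STAGE%\workstation.inf" /areas SECURITYPOLICY USER_RIGHTS /log "%STAGE%\export.log" /quiet
REM The local GPO (everything set through gpedit.msc) is just a hidden
REM folder; /H copies hidden files, /I treats the target as a directory.
xcopy "%SystemRoot%\system32\GroupPolicy" "%STAGE%\GroupPolicy" /E /H /I /Y
goto :eof

:import
REM Read workstation.inf before applying it: the [Privilege Rights]
REM section lists which SIDs/accounts hold each right (SeShutdownPrivilege,
REM SeNetworkLogonRight, ...). Accounts named there must exist locally.
REM /db is mandatory for /configure; a throwaway database is fine.
secedit /configure /db "%TEMP%\workstation.sdb" /cfg "%STAGE%\workstation.inf" /areas SECURITYPOLICY USER_RIGHTS /log "%TEMP%\import.log" /quiet
xcopy "%STAGE%\GroupPolicy" "%SystemRoot%\system32\GroupPolicy" /E /H /I /Y
REM Apply the copied local GPO now rather than waiting for the refresh.
gpupdate /force
REM Verify: export the rights again and eyeball them against the source.
secedit /export /cfg "%TEMP%\after.inf" /areas USER_RIGHTS /quiet
findstr /B /C:"Se" "%TEMP%\after.inf"
endlocal
```

Two caveats a practitioner will hit: `secedit /configure` is additive for most areas, so a right you removed on the reference machine but that the target already grants stays granted unless it is explicitly listed in the .inf; and the local GPO folder is read at the next policy refresh, so `gpupdate /force` (or a reboot) is needed before the settings take effect.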


Expert Comment

ID: 34934673
You have to determine what base user rights are needed for use with this application and add them, versus giving the users admin rights and then trying to pare them back.
Why are you not using AD, which would provide a central management interface?

Accepted Solution

thomasd04 earned 500 total points
ID: 34937319
It also sounds like your objective is to be able to manage these policies without having to go to each workstation. Because you are not running AD you'll have to get a little creative.
Here's one idea. Use poledit.exe to create the policy file (Ntconfig.pol). You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs. By default, clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on. In this way, you only have to modify one policy at one location and it will affect all of your workstations.

My other idea would be to use logon scripts. This would be a very powerful method as you could control virtually anything you wanted by script. And to centralize it, you would have the script call scripts from a central location that you could easily manage.

BTW, giving users admin privileges is never a good idea and most times you can find ways around it. There are many tools out there that you can use to get your custom programs to work without giving the users administrative access. Google these tools:

SU.EXE in the Windows 2000 Resource Kit

Good luck!!
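The `UpdateMode` / central `NTconfig.pol` idea from the accepted solution, plus the step of actually taking the user out of the local Administrators group, as one per-workstation script. This is an added example and not part of the original answer; the share `\\BILLSRV\Policies`, the file name `NTconfig.pol` and the account name `frontdesk` are hypothetical. The registry location is the `Update` key under `HKLM\SYSTEM\CurrentControlSet\Control`, where `UpdateMode` 2 means "manual" (read the file named in `NetworkPath` instead of `\\<logon server>\NETLOGON\NTconfig.pol`).

```batch
@echo off
REM Added example (not from the original thread): point a workgroup XP Pro
REM workstation at a centrally managed system policy file and demote the
REM day-to-day account from Administrators to Users.
REM Hypothetical names: \\BILLSRV\Policies\NTconfig.pol and user "frontdesk".
REM Run once per workstation from an administrative command prompt.
setlocal
set POLICY_UNC=\\BILLSRV\Policies\NTconfig.pol
set TARGET_USER=frontdesk
set UPDKEY=HKLM\SYSTEM\CurrentControlSet\Control\Update

REM 1. Manual update mode: UpdateMode=2 tells the system policy loader to
REM    fetch NetworkPath, whoever logs on, so one .pol file edited with
REM    poledit.exe on the server reaches every workstation.
reg add "%UPDKEY%" /v UpdateMode /t REG_DWORD /d 2 /f
reg add "%UPDKEY%" /v NetworkPath /t REG_SZ /d "%POLICY_UNC%" /f
REM    Verbose=1 pops a message when the file cannot be fetched; useful
REM    while testing, switch it back to 0 afterwards.
reg add "%UPDKEY%" /v Verbose /t REG_DWORD /d 1 /f

REM 2. In a workgroup there is no domain credential: the share must be
REM    readable by an account that matches the local user (same name and
REM    password on the server), otherwise the policy is silently skipped.
if not exist "%POLICY_UNC%" (
  echo WARNING: %POLICY_UNC% is not reachable from this workstation.
)

REM 3. Demote the user. Test the billing application as this user on one
REM    machine first; any right it turns out to need is then granted via
REM    User Rights Assignment, not by putting the user back in Administrators.
net localgroup Administrators %TARGET_USER% /delete
net localgroup Users %TARGET_USER% /add

REM 4. Print the resulting memberships so the change can be verified.
net localgroup Administrators
net localgroup Users
endlocal
```

One property of NT-style system policies worth knowing before relying on them: the settings in `NTconfig.pol` are written straight into the registry and are not removed when the policy entry is later deleted from the .pol file (they "tattoo" the machine), so a setting you want to undo has to be explicitly set back to its default in the policy.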

Author Closing Comment

ID: 34944215
Excellent.  Thanks so much!
