Limiting user privileges in Win XP PRO

Posted on 2011-02-19
Last Modified: 2012-05-11
We would like to limit the capabilities of user's on their Win XP Pro workstations.  Unfortunately we have  all accounts set to run as admins since creating "limited" user accounts causes problems w/ our network run (Win 2008) Medical Billing/Admin Program.

Can anyone recommend a program or template that would help us set local policies for each workstation?  Is there a server solution or must this be done per workstation?

Thanks so much,
Question by:jumptohigh
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 78

Expert Comment

ID: 34933641
Setting the users' as admins is the issue. You need to determine the lowest most rights the local user needs to have to work with the application.
The server is not an issue.
See whether limiting the users to being power users will still let the users perform their work with the application.

If you have a test workstation where you can test that will be optimal, i.e. add the user as a limited domain user.
See what issues they have when using the software.
Then use a GPO with user rights assignment to add additional rights the user needs for the application to run on the system.
Once you accomplish this, you can put the users into an OU and apply these GPOs to all the users while removing them from the local admin group.

Author Comment

ID: 34933983
Hi Arnold,

Thank you for the reply.  I'm so sorry, I neglected to mention that we are using the server merely in workgroup mode... AD is not installed.


Expert Comment

ID: 34934382
Hi jumptohigh. For most settings I believe you can copy the contents of the configured workstation %systemroot%\system32\grouppolicy\ to the target workstation. Some other security settings can be exported with the secedit tool.
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

LVL 78

Expert Comment

ID: 34934673
You have to determine what are the base user rights needed for use with this application and add them versus giving the users admin rights and then trying to pare them back.
Why are you not using an AD which will provide from a central management interface.

Accepted Solution

thomasd04 earned 500 total points
ID: 34937319
It also sounds like your objective is to be able to manage these policies without having to go to each workstation. Because you are not running AD you'll have to get a little creative.
Here's one idea. Use poledit.exe to create the policy file (Ntconfig.pol). You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs. By default, clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on. In this way, you only have to modify one policy at one location and it will affect all of your workstations.

My other idea would be to use logon scripts. This would be a very powerful method as you could control virtually anything you wanted by script. And to centralize it, you would have the script call scripts from a central location that you could easily manage.

BTW. Giving users admin privileges is never a good idea and most times you can find ways around it. There are many tool out there that you can use to get your custom programs to work without giving the users administrative access. Google these tools:

SU.EXE in the Windows 2000 Resource Kit

Good luck!!

Author Closing Comment

ID: 34944215
Excellent.  Thanks so much!

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Australian government abolished Visa 457 earlier this April and this article describes how this decision might affect Australian IT scene and IT experts.
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question