Limiting user privileges in Win XP PRO

Posted on 2011-02-19
Medium Priority
Last Modified: 2012-05-11
We would like to limit the capabilities of users on their Win XP Pro workstations. Unfortunately we have all accounts set to run as admins, since creating "limited" user accounts causes problems w/ our network-run (Win 2008) Medical Billing/Admin Program.

Can anyone recommend a program or template that would help us set local policies for each workstation?  Is there a server solution or must this be done per workstation?

Thanks so much,
Question by: jumptohigh

Expert Comment

ID: 34933641
Setting the users as admins is the issue. You need to determine the lowest rights the local user needs to have to work with the application.
The server is not an issue.
See whether limiting the users to being power users will still let the users perform their work with the application.

If you have a test workstation where you can test, that will be optimal, i.e. add the user as a limited domain user.
See what issues they have when using the software.
Then use a GPO with user rights assignment to add additional rights the user needs for the application to run on the system.
Once you accomplish this, you can put the users into an OU and apply these GPOs to all the users while removing them from the local admin group.

Author Comment

ID: 34933983
Hi Arnold,

Thank you for the reply.  I'm so sorry, I neglected to mention that we are using the server merely in workgroup mode... AD is not installed.


Expert Comment

ID: 34934382
Hi jumptohigh. For most settings I believe you can copy the contents of the configured workstation %systemroot%\system32\grouppolicy\ to the target workstation. Some other security settings can be exported with the secedit tool.
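
The copy-and-import procedure from the comment above, as an added example that is not part of the original thread. It is meant to be run as an administrator on each target workstation; the share `\\SERVER\policy`, the file name `baseline.inf` and the database name `baseline.sdb` are assumptions.

```batch
@echo off
rem Added example: apply a reference workstation's local policy to this PC.
rem ASSUMPTION: \\SERVER\policy is a hypothetical read-only share that holds
rem   GroupPolicy\  copied from the reference PC's %systemroot%\system32\GroupPolicy
rem   baseline.inf  written on the reference PC with:
rem                 secedit /export /cfg baseline.inf /areas SECURITYPOLICY USER_RIGHTS
setlocal
set SRC=\\SERVER\policy
set LOG=%systemroot%\security\logs\baseline.log

rem Stop before touching anything if the share or the template is missing.
if not exist "%SRC%\baseline.inf" (
    echo Policy share not reachable, nothing changed.
    exit /b 1
)

rem The GroupPolicy folder is hidden: /H copies hidden files, /R overwrites
rem read-only ones, /E keeps empty subfolders, /I treats the target as a folder.
xcopy "%SRC%\GroupPolicy" "%systemroot%\system32\GroupPolicy" /E /H /R /I /Y >nul
if errorlevel 1 exit /b 2

rem Import the exported security settings into a local database and apply them.
secedit /configure /db "%systemroot%\security\database\baseline.sdb" /cfg "%SRC%\baseline.inf" /overwrite /quiet /log "%LOG%"
if errorlevel 1 exit /b 3

rem Re-read the copied policy settings now instead of at the next restart.
gpupdate /force
endlocal
```

User rights in an exported template are recorded by SID, so entries for local accounts on the reference PC will not match accounts on other machines; built-in groups such as Users and Power Users carry over. Review the log file after the first run on a test workstation.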

Expert Comment

ID: 34934673
You have to determine what are the base user rights needed for use with this application and add them versus giving the users admin rights and then trying to pare them back.
Why are you not using an AD which will provide from a central management interface?

Accepted Solution

thomasd04 earned 2000 total points
ID: 34937319
It also sounds like your objective is to be able to manage these policies without having to go to each workstation. Because you are not running AD you'll have to get a little creative.
Here's one idea. Use poledit.exe to create the policy file (Ntconfig.pol). You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs. By default, clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on. In this way, you only have to modify one policy at one location and it will affect all of your workstations.

My other idea would be to use logon scripts. This would be a very powerful method as you could control virtually anything you wanted by script. And to centralize it, you would have the script call scripts from a central location that you could easily manage.

BTW. Giving users admin privileges is never a good idea and most times you can find ways around it. There are many tools out there that you can use to get your custom programs to work without giving the users administrative access. Google these tools:

SU.EXE in the Windows 2000 Resource Kit

Good luck!!
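
The UpdateMode approach from the answer above, as an added example that is not part of the original thread. It is run once per workstation as an administrator; the path `\\SERVER\policy\Ntconfig.pol` is hypothetical, and the registry key, the `NetworkPath` value name and the meaning of `UpdateMode` 2 (manual path) are stated here as assumptions about the System Policy update settings.

```batch
@echo off
rem Added example: point this workstation at one central Ntconfig.pol.
rem ASSUMPTIONS: the UNC path is hypothetical; the key and value names are the
rem System Policy update settings assumed for this example
rem (UpdateMode 2 = manual, policy file location read from NetworkPath).
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\Update
set POL=\\SERVER\policy\Ntconfig.pol

rem Do not repoint the workstation at a file that is not there.
if not exist "%POL%" (
    echo %POL% not found, leaving the current policy source unchanged.
    exit /b 1
)

rem Switch policy download to the fixed path, regardless of which user logs on.
reg add "%KEY%" /v UpdateMode /t REG_DWORD /d 2 /f || exit /b 2
reg add "%KEY%" /v NetworkPath /t REG_SZ /d "%POL%" /f || exit /b 2

rem Show the result so it can be checked against the intended share.
reg query "%KEY%"
endlocal
```

Because every workstation applies whatever is in that one file, the share should grant users read access only and restrict write access to administrators.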

Author Closing Comment

ID: 34944215
Excellent.  Thanks so much!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses
Course of the Month11 days, 1 hour left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question