Limiting user privileges in Win XP PRO

Posted on 2011-02-19
Last Modified: 2012-05-11
We would like to limit the capabilities of user's on their Win XP Pro workstations.  Unfortunately we have  all accounts set to run as admins since creating "limited" user accounts causes problems w/ our network run (Win 2008) Medical Billing/Admin Program.

Can anyone recommend a program or template that would help us set local policies for each workstation?  Is there a server solution or must this be done per workstation?

Thanks so much,
Question by:jumptohigh
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 78

Expert Comment

ID: 34933641
Setting the users' as admins is the issue. You need to determine the lowest most rights the local user needs to have to work with the application.
The server is not an issue.
See whether limiting the users to being power users will still let the users perform their work with the application.

If you have a test workstation where you can test that will be optimal, i.e. add the user as a limited domain user.
See what issues they have when using the software.
Then use a GPO with user rights assignment to add additional rights the user needs for the application to run on the system.
Once you accomplish this, you can put the users into an OU and apply these GPOs to all the users while removing them from the local admin group.

Author Comment

ID: 34933983
Hi Arnold,

Thank you for the reply.  I'm so sorry, I neglected to mention that we are using the server merely in workgroup mode... AD is not installed.


Expert Comment

ID: 34934382
Hi jumptohigh. For most settings I believe you can copy the contents of the configured workstation %systemroot%\system32\grouppolicy\ to the target workstation. Some other security settings can be exported with the secedit tool.
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

LVL 78

Expert Comment

ID: 34934673
You have to determine what are the base user rights needed for use with this application and add them versus giving the users admin rights and then trying to pare them back.
Why are you not using an AD which will provide from a central management interface.

Accepted Solution

thomasd04 earned 500 total points
ID: 34937319
It also sounds like your objective is to be able to manage these policies without having to go to each workstation. Because you are not running AD you'll have to get a little creative.
Here's one idea. Use poledit.exe to create the policy file (Ntconfig.pol). You can use the Poledit.exe tool on Windows XP Professional–based computers if you install the Administrative Tools package that is included on the Windows 2000 Server and Windows 2000 Advanced Server CDs. By default, clients look for the policy file on the Netlogon share. However, you can change the location of this file. The UpdateMode registry entry forces the computer to retrieve the policy file from a specific location that is expressed as a Universal Naming Convention (UNC) path, regardless of which user logs on. In this way, you only have to modify one policy at one location and it will affect all of your workstations.

My other idea would be to use logon scripts. This would be a very powerful method as you could control virtually anything you wanted by script. And to centralize it, you would have the script call scripts from a central location that you could easily manage.

BTW. Giving users admin privileges is never a good idea and most times you can find ways around it. There are many tool out there that you can use to get your custom programs to work without giving the users administrative access. Google these tools:

SU.EXE in the Windows 2000 Resource Kit

Good luck!!

Author Closing Comment

ID: 34944215
Excellent.  Thanks so much!

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Win 7 OS unable to install Win updates 3 207
Thin secure Windows 10 5 108
UAC Controls - confused 9 96
Is attached iPhone screen an IOC 5 35
Not many admins are aware that GPOs can be activated and deactivated time-based. Time to change that :)
Why pager replacement is still an issue OnPage has what some might call a “hate/hate” relationship with pagers. Not much room for love. As we see it, pagers are an antiquated bit of technology. Pagers are dinosaurs which, like most dinosaurs, sho…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question