

Lockdown XP based on local user or group

Posted on 2011-10-06
Medium Priority
Last Modified: 2012-05-12
I have a test application that needs to be locked down so a certain account can only run one application and nothing else.  I tried putting XP in Kiosk mode but the test application relies on explorer.exe.  Is there a way to lock down XP for a specific user or group in a workgroup or do I have to be in a domain?

Question by:bmcdowell540

Accepted Solution

Spar-Q earned 1600 total points
ID: 36927858
The only way you can be selective with group policy/local computer policy is to be in an Active Directory domain. Local Security Policy for workgroup computers is an all-or-nothing approach.

Expert Comment

ID: 36928504
I don't have an XP box to check, but you should be able to set this using Local Security Policy (the Local GPO) by creating a Software Restriction Policy, or heavily restricting the user/group with other security policy settings.  


Author Comment

ID: 36932037
@duffme:  I think Spar-Q is right.  I created a GPO for the current user and it applied the settings to all users including the administrator account.

Assisted Solution

duffme earned 400 total points
ID: 36932564
Spar-Q is correct.  Group Policy (except for the local GPO I mentioned) requires a domain and Active Directory.  In a GPO there are User and Computer based GPO settings.  You can apply GPOs to domains, OUs, security groups, etc. to make it as granular as you seem to need.  In a workgroup you have to take the approach of restricting that one user from normal user accesses, which is clunky.  It may be worthwhile for you though if this is really a unique situation, but you aren't going to be able to truly lock down that one user you are trying to.  You'd be able to (maybe) get "good enough" by having that user log on and launch into your one application that doesn't easily allow the user to shell out, or quit back to the desktop, etc.  If you make this user a Guest, for example, they would be much more restricted than a regular User, but not truly locked down to one application.  You'd have to use NTFS permissions and deny access to other directories in the Program Files directory and such, but they'd still be able to run things from other directories though.  Again, no good way to do this.

Author Closing Comment

ID: 36933147
Thanks everyone for your help.
