Solved

How can I add restrictions to a user account without effecting the administrative account in windows 7

Posted on 2014-09-18
10
383 Views
Last Modified: 2014-10-21
I used to use microsoft steady state but since it doesnt work on windows 7 I have been trying to figure out how to make user policies.

I was playing around with group settings but I cant figure out how to block programs and windows folders in the user group for user accounts so it will not effect the administrator accounts..

Thank you
0
Comment
Question by:avib27
  • 2
  • 2
  • 2
  • +2
10 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40331365
Administrators are generally not subject to user restrictions - local or domain.
0
 
LVL 1

Author Comment

by:avib27
ID: 40331379
where would i find to put on software restrictions/ and not let them alter any windows files for regular users.. I tried under user and administrator template, when I restarted the computer it effected the admin account too
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40331395
What is it you're trying to accomplish when you say "not let them alter any windows files for regular users"?  A default user shouldn't be able to go around deleting or editing important files to begin with.  Some files have to be editable by the current user (log files, etc).

If this is a pervasive problem, I'd suggest making sure the users don't have administrative privileges, turn on file system auditing, and, when someone messes up their computer, use the audit log to finger the culprit.  Then fire that person.  I all but guarantee no one else will cause you any more problems.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40331423
As paulmacd said, unless you've turned the UAC OFF on your Windows 7 workstations, then regular users don't have the rights to alter any operating system files anyway. Your users who shouldn't have this access should be in the local Users group.  The local administrator account is always in the Administrators group which has access to those files although the UAC will by default show a prompt whenever an administrator tries to edit anything in those areas of the file system.
0
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 40331487
Hi

Let me put something straight: UAC does not GUARD anything. ACLs do, not UAC, only tries to modify ACLs trigger UAC. With UAC off, users cannot do more than before, hypercat. In fact, due to compatibility settings (folder virtualization), with UAC on, they can do more.

Then: "Administrators are generally not subject to user restrictions" - incorrect, at least not if you are talking about GPOs. Admins are effected by GPOs as well. But, there are two kinds of them and the less known second kind, MLGPOs are what you need:  http://technet.microsoft.com/en-us/library/cc766291(v=ws.10).aspx is a step by step guide on how to use them. Abstract: just like GPOs but this time, we may set who they are imposed on (like on groups, certain users even or on non-admins!).
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 40331512
You are of course correct, McKnife.  The part of my response referring to the UAC was inaccurate, and I apologize for the misstatement and possibly muddying the waters for the poster.  My only excuse is that raging headache I had gotten from reading the news...
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40377104
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40377105
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_28521370.html#a40331487 is the solution for sure as what he describes is clearly what MLGPOs are made for.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question