How can I add restrictions to a user account without effecting the administrative account in windows 7

I used to use microsoft steady state but since it doesnt work on windows 7 I have been trying to figure out how to make user policies.

I was playing around with group settings but I cant figure out how to block programs and windows folders in the user group for user accounts so it will not effect the administrator accounts..

Thank you
LVL 1
avib27Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Paul MacDonaldDirector, Information SystemsCommented:
Administrators are generally not subject to user restrictions - local or domain.
0
avib27Author Commented:
where would i find to put on software restrictions/ and not let them alter any windows files for regular users.. I tried under user and administrator template, when I restarted the computer it effected the admin account too
0
Paul MacDonaldDirector, Information SystemsCommented:
What is it you're trying to accomplish when you say "not let them alter any windows files for regular users"?  A default user shouldn't be able to go around deleting or editing important files to begin with.  Some files have to be editable by the current user (log files, etc).

If this is a pervasive problem, I'd suggest making sure the users don't have administrative privileges, turn on file system auditing, and, when someone messes up their computer, use the audit log to finger the culprit.  Then fire that person.  I all but guarantee no one else will cause you any more problems.
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

Hypercat (Deb)Commented:
As paulmacd said, unless you've turned the UAC OFF on your Windows 7 workstations, then regular users don't have the rights to alter any operating system files anyway. Your users who shouldn't have this access should be in the local Users group.  The local administrator account is always in the Administrators group which has access to those files although the UAC will by default show a prompt whenever an administrator tries to edit anything in those areas of the file system.
0
McKnifeCommented:
Hi

Let me put something straight: UAC does not GUARD anything. ACLs do, not UAC, only tries to modify ACLs trigger UAC. With UAC off, users cannot do more than before, hypercat. In fact, due to compatibility settings (folder virtualization), with UAC on, they can do more.

Then: "Administrators are generally not subject to user restrictions" - incorrect, at least not if you are talking about GPOs. Admins are effected by GPOs as well. But, there are two kinds of them and the less known second kind, MLGPOs are what you need:  http://technet.microsoft.com/en-us/library/cc766291(v=ws.10).aspx is a step by step guide on how to use them. Abstract: just like GPOs but this time, we may set who they are imposed on (like on groups, certain users even or on non-admins!).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hypercat (Deb)Commented:
You are of course correct, McKnife.  The part of my response referring to the UAC was inaccurate, and I apologize for the misstatement and possibly muddying the waters for the poster.  My only excuse is that raging headache I had gotten from reading the news...
0
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
McKnifeCommented:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_28521370.html#a40331487 is the solution for sure as what he describes is clearly what MLGPOs are made for.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.