Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 396
  • Last Modified:

How can I add restrictions to a user account without effecting the administrative account in windows 7

I used to use microsoft steady state but since it doesnt work on windows 7 I have been trying to figure out how to make user policies.

I was playing around with group settings but I cant figure out how to block programs and windows folders in the user group for user accounts so it will not effect the administrator accounts..

Thank you
0
avib27
Asked:
avib27
  • 2
  • 2
  • 2
  • +2
1 Solution
 
Paul MacDonaldDirector, Information SystemsCommented:
Administrators are generally not subject to user restrictions - local or domain.
0
 
avib27Author Commented:
where would i find to put on software restrictions/ and not let them alter any windows files for regular users.. I tried under user and administrator template, when I restarted the computer it effected the admin account too
0
 
Paul MacDonaldDirector, Information SystemsCommented:
What is it you're trying to accomplish when you say "not let them alter any windows files for regular users"?  A default user shouldn't be able to go around deleting or editing important files to begin with.  Some files have to be editable by the current user (log files, etc).

If this is a pervasive problem, I'd suggest making sure the users don't have administrative privileges, turn on file system auditing, and, when someone messes up their computer, use the audit log to finger the culprit.  Then fire that person.  I all but guarantee no one else will cause you any more problems.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Hypercat (Deb)Commented:
As paulmacd said, unless you've turned the UAC OFF on your Windows 7 workstations, then regular users don't have the rights to alter any operating system files anyway. Your users who shouldn't have this access should be in the local Users group.  The local administrator account is always in the Administrators group which has access to those files although the UAC will by default show a prompt whenever an administrator tries to edit anything in those areas of the file system.
0
 
McKnifeCommented:
Hi

Let me put something straight: UAC does not GUARD anything. ACLs do, not UAC, only tries to modify ACLs trigger UAC. With UAC off, users cannot do more than before, hypercat. In fact, due to compatibility settings (folder virtualization), with UAC on, they can do more.

Then: "Administrators are generally not subject to user restrictions" - incorrect, at least not if you are talking about GPOs. Admins are effected by GPOs as well. But, there are two kinds of them and the less known second kind, MLGPOs are what you need:  http://technet.microsoft.com/en-us/library/cc766291(v=ws.10).aspx is a step by step guide on how to use them. Abstract: just like GPOs but this time, we may set who they are imposed on (like on groups, certain users even or on non-admins!).
0
 
Hypercat (Deb)Commented:
You are of course correct, McKnife.  The part of my response referring to the UAC was inaccurate, and I apologize for the misstatement and possibly muddying the waters for the poster.  My only excuse is that raging headache I had gotten from reading the news...
0
 
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
McKnifeCommented:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_28521370.html#a40331487 is the solution for sure as what he describes is clearly what MLGPOs are made for.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

  • 2
  • 2
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now