-
May 26th, 2005, 02:59 PM
#1
Lockdown a User in XP SP2
I am trying to set up a machine to lock down the default user from running anything except programs I autorun. I however need to keep a local administrator available with full access. This needs to be accomplished on a standalone workstation running XP SP2.
I know how to set up the computer to autologon and to auto launch a program, but the lockdown is being difficult. There was a program in the W2k resource kit for W2k, but I can't find anything for XP.
User:
Can't do anything except use program that is running.
Administrator:
has full access as normal
I would assume this would be done using a group policy. I have found a technote from Microsoft including a sample policy for setting up a Kiosk (basically what I want), but it talks about linking this to the Active Directory on a W2k3 Server. This system is standalone. Any idea how to do this to a User or a User Group?
-
May 26th, 2005, 10:33 PM
#2
Registered User
Start/Run/GPEDIT.MSC, assuming the machine is running XP Professional. If it's running Home or other, network it to an XP Pro comp and set Group Policy for the machine from there.
-
May 27th, 2005, 06:22 AM
#3
XP Pro, but the group policy affects every user on the system if it is not part of the domain. I seem to have found a way to do it from another website, which involves setting permissions on the actual policy so that an Administrator is denied read access, therefore preventing Windows from applying it. I will try that today.
-
May 27th, 2005, 07:19 AM
#4
Banned
Originally Posted by hey__me
XP Pro, but the group policy affects every user on the system if it is not part of the domain. I seem to have found a way to do it from another website, which involves setting permissions on the actual policy so that an Administrator is denied read access, therefore preventing Windows from applying it. I will try that today.
Dude, if that works please provide some links!
-
May 27th, 2005, 07:45 AM
#5
Geezer
Originally Posted by hey__me
... There was a program in the W2k resource kit for W2k, but I can't find anything for XP...
Do you mean like so ? :- Security Configuration Manager Tools (which IS in xp )
& another fact worth mentioning about xp over w2k permissions wise, is the fact that you can password protect your 'my documents' folder without reference to any groupings, meaning that no matter what class of user account you have, only you & not any administrator can view your files*
* .. which doesn't take care of the 'hole in the plot' anymore than anything can where you've got physical access, as we all know about 'taking ownership' & other things I'm apparently not allowed to mention anymore !
Last edited by confus-ed; May 27th, 2005 at 07:48 AM.
-
May 27th, 2005, 11:28 AM
#6
found that info on http://www.windowsnetworking.com/kba.../miscellaneous
didn't end up using it as getting permissions right was going to be a big problem.
-
May 28th, 2005, 08:15 PM
#7
Registered User
You could limit the applications the user account can run -
This is a per user setting:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Create a new DWORD value and name it "RestrictRun". Set the value to "1" to enable application restrictions or "0" to allow all applications to run.
Next, create a new sub-key, [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun], and define the applications that are allowed. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be allowed, i.e. "notepad.exe"
(Default) REG_SZ (value not set)
1 REG_SZ "notepad.exe"
2 REG_SZ "regedit.exe"
You will need to restart Windows.
Last edited by Poseidon; May 28th, 2005 at 08:21 PM.
The early bird may get the worm; but the second mouse gets the cheese!
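An added example, not part of the original thread: a Python audit of a regedit export of the key layout described in post #7, reporting whether RestrictRun is enforced and flagging allow-list entries a kiosk account should not need. The sample export and the RISKY set are constructed assumptions for illustration.

```python
import re

# Constructed sample: regedit export of the limited user's policy key,
# laid out as described in post #7 of this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"1"="notepad.exe"
"2"="regedit.exe"
'''

POLICY_KEY = r"software\microsoft\windows\currentversion\policies\explorer"
# Assumption: general-purpose shells, script hosts and system tools that a
# single-purpose kiosk account has no reason to launch.
RISKY = {"cmd.exe", "command.com", "regedit.exe", "regedt32.exe", "mmc.exe",
         "explorer.exe", "taskmgr.exe", "wscript.exe", "cscript.exe"}

def parse_reg(text):
    """Return {lowercased key path without the hive: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.fullmatch(r"\[[^\\\]]+\\(.+)\]", line)
        val = re.fullmatch(r'"([^"]*)"=(.+)', line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
        elif val and current is not None:
            name, data = val.groups()
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                current[name] = data[1:-1].replace("\\\\", "\\")
    return keys

def audit_restrict_run(text):
    keys = parse_reg(text)
    enabled = keys.get(POLICY_KEY, {}).get("RestrictRun") == 1
    entries = keys.get(POLICY_KEY + r"\restrictrun", {})
    allowed = [entries[n] for n in sorted(entries) if isinstance(entries[n], str)]
    findings = []
    if not enabled:
        findings.append("RestrictRun is not set to 1: allow-list is not enforced")
    elif not allowed:
        findings.append("RestrictRun is 1 but no programs are listed")
    findings += [f"{a}: general-purpose tool on the allow-list"
                 for a in allowed if a.lower() in RISKY]
    return {"enabled": enabled, "allowed": allowed, "findings": findings}
```

Microsoft's description of this policy notes that it only restricts programs started by Windows Explorer, and that a permitted command prompt can start programs the list omits, which is why shells are flagged.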
-
May 29th, 2005, 05:54 PM
#8
Solution:
Created a limited user account
Deny write access to C:
Allow Write Access to required directories that software Requires
Set Restrict Run in registry for required apps.
Although user can copy files from C:, he is prevented from deleting and modifying files. I just wish there was a way to completely lock it down so that he can't even get to the start menu, or launch an explorer window, etc.
-
May 30th, 2005, 12:42 AM
#9
Registered User
As for the start menu, run a different shell or restrict access altogether:
Disable Menu Bars and the Start Button
Last edited by Poseidon; May 30th, 2005 at 12:48 AM.
The early bird may get the worm; but the second mouse gets the cheese!