How do I config "Administrative Templates" for the local current user only?


  • How do I config "Administrative Templates" for the local current user only?

    Hi all,

    I am trying to create a restricted user account on a single WinXP Pro SP3 machine (basically - an account that can only be used for browsing the web and nothing else).

    I tried to restrict it by configuring Administrative Templates for that user - but for some reason, all of the restrictions ended up affecting the main administrator account too!

    Here's what I did... curious to know where I went wrong:

    1. I created a new account (let's call it "newuser"), with Administrator privileges (that I intended to change later to Limited User privileges).
    2. Logged in as "newuser", and ran gpedit.msc.
    3. Under "Local Computer Policy", I carefully made sure to open User Configuration and not Computer Configuration - since I want to affect the current user only ("newuser").
    4. Under "User Configuration" - I expanded Administrative Templates and made my changes (took out Start Menu options, disabled the Run prompt, disabled cmd.exe, restricted drives and folders from being viewed, etc).
    5. Checked that the restrictions were working for the current user, and logged off.
    6. Logged back on as the usual Administrator user.
    7. Uh-oh... no start menu items, no access to folders, nothing - basically all of my restrictions for the other username were applied here too! Ouch.

    At this point I had to undo everything (needed to remotely transfer a batch file onto the desktop just to get into gpedit.msc again)...

    So... how do I ensure that Administrative Template changes are being applied only to the current user?

    Any insight would be extremely appreciated...
    Thanks!

  • #2
    Re: How do I config "Administrative Templates" for the local current user only?

    Deny read access on the c:\windows\system32\GroupPolicy folder to the administrative account.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: How do I config "Administrative Templates" for the local current user only?

      Originally posted by intersilver
      I am trying to create a restricted user account on a single WinXP Pro SP3 machine (basically - an account that can only be used for browsing the web and nothing else).
      Making a local GPO apply to only one user is not possible in Windows XP (with the possible exception of Dumber's work-around). It is, however, possible in Vista using a technology called Multiple Local Group Policy Objects (MLGPOs).

      Originally posted by intersilver
      I tried to restrict it by configuring Administrative Templates for that user - but for some reason, all of the restrictions ended up affecting the main administrator account too!

      Here's what I did... curious to know where I went wrong:

      1. I created a new account (let's call it "newuser"), with Administrator privileges (that I intended to change later to Limited User privileges).
      2. Logged in as "newuser", and ran gpedit.msc.
      3. Under "Local Computer Policy", I carefully made sure to open User Configuration and not Computer Configuration - since I want to affect the current user only ("newuser").
      When you edit the user configuration settings for a local GPO on an XP machine it doesn't matter which user you're logged in as. The local GPO will apply to all users that log on to the computer. That's the limitation of XP and prior Windows OSs. That's why Vista's MLGPOs are so cool.
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



      • #4
        Re: How do I config "Administrative Templates" for the local current user only?

        I see... I was under the impression that the separation between "Computer Configuration" and "User Configuration" was just for that purpose, since the latter should only change the HKCU registry keys... or at least I think I've read something to that effect. Oh well, thanks for clearing that up.

        So - at which point exactly should the read-deny workaround be applied? (Sorry, I'm a bit of a novice when it comes to this stuff.)
        I mean, as soon as I apply my restrictions, I won't be able to access that folder or its security permissions anyway... so should I first open gpedit.msc, then apply the read-deny to system32\GroupPolicy, then make my changes within gpedit.msc, and log out and in?

        Thanks again.



        • #5
          Re: How do I config "Administrative Templates" for the local current user only?

          No, first apply the deny permissions, then log on as another admin and create the policies.
          In fact, it isn't a real workaround but more the only solution for pre-Vista machines.

          So you have 2 options: either use the "workaround" or switch to Vista.
          Marcel



          • #6
            Re: How do I config "Administrative Templates" for the local current user only?

            Originally posted by Dumber
            No, first apply the deny permissions, then log on as another admin and create the policies.
            Or, as an alternative,
            Create the IEOnly account.
            Log on as the IEOnly account and then have an administrator remotely edit the user's hive from another computer (needs a vbscript, I can show).
            Or, log on as the Administrator, then load and edit the user's hive, and don't forget to unload it again.

            What to edit...
            1. To disable Task Manager for the user, add to
            HKEY_USERS\<user's SID>\Software\Microsoft\Windows\CurrentVersion\Policies\System
            a. the Value: DisableTaskMgr (REG_DWORD) = 1
            b. the Value: DisableCMD (REG_DWORD) = 1 to disable the cmd prompt but allow batch files -or- 2 to disable cmd and batch files.
            c. the Value: DisableRegistryTools (REG_DWORD) = 1

            2. To disable the Run box for the user, add to
            HKEY_USERS\<user's SID>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
            the Value: NoRun (REG_DWORD) = 1

            reference,
            - locking-down-that-desktop
            - still-more-on-locking-down-the-desktop

            3. To replace the user's default shell with Iexplore.exe, add to the subkey
            HKEY_USERS\<user's SID>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
            the Value: Shell (String Value) = C:\Program Files\Internet Explorer\iexplore.exe -k
            Make the subkey 'Winlogon' read-only for the user.
            The -k switch is optional; it will make Iexplore start in kiosk mode (Keyboard Shortcuts for Kiosk Mode).

            \Rems



            FYI
            The subkeys that you find under HKEY_USERS\<user's SID>\ are in fact the actual keys you can also find under HKEY_CURRENT_USER\ of the user that is currently logged on to the console (the account that owns that SID).

            -)|(-
            Last edited by Rems; 9th January 2009, 17:05.

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts
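The "load, edit and unload the user's hive" route from Rems's post, written out as a PowerShell script. This is an added example, not code from the thread; it assumes the restricted account is named "newuser", that its profile sits at the XP default path C:\Documents and Settings\newuser, that the script runs from an administrator session while newuser is logged off, and it mounts the hive under a temporary name so the user's SID is never needed.

```powershell
# Assumed paths (not from the thread): adjust $ProfileHive to the real profile folder.
$ProfileHive = 'C:\Documents and Settings\newuser\NTUSER.DAT'
$MountName   = 'TempHive'            # temporary name under HKEY_USERS while we edit
$Base        = "Registry::HKEY_USERS\$MountName"

function Set-PolicyValue {
    param([string]$Key, [string]$Name, [string]$Type, $Value)
    # Create the key if it does not exist yet, then write (or overwrite) the value.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

# Mount the offline hive. This fails if the profile is in use, i.e. newuser is still logged on.
& reg.exe load "HKU\$MountName" $ProfileHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $ProfileHive - is newuser still logged on?" }

try {
    $System   = "$Base\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $Explorer = "$Base\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $Winlogon = "$Base\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

    # Step 1 from the post: Task Manager, cmd.exe (2 = also block batch files), regedit.
    Set-PolicyValue $System   'DisableTaskMgr'       'DWord' 1
    Set-PolicyValue $System   'DisableCMD'           'DWord' 2
    Set-PolicyValue $System   'DisableRegistryTools' 'DWord' 1
    # Step 2: remove the Run box.
    Set-PolicyValue $Explorer 'NoRun'                'DWord' 1
    # Step 3: per-user shell replacement, Internet Explorer in kiosk mode instead of Explorer.
    Set-PolicyValue $Winlogon 'Shell' 'String' 'C:\Program Files\Internet Explorer\iexplore.exe -k'

    # Read back what actually landed in the hive before unmounting it.
    Get-ItemProperty $System   | Select-Object DisableTaskMgr, DisableCMD, DisableRegistryTools
    Get-ItemProperty $Explorer | Select-Object NoRun
    Get-ItemProperty $Winlogon | Select-Object Shell
}
finally {
    # Release PowerShell's handles on the mounted hive, otherwise the unload is refused
    # and the user's profile stays locked until reboot.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Making the Winlogon subkey read-only for the user (the ACL step in the post) is not part of this script; without it the account can undo the shell replacement with any tool that can still write to its own hive.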



            • #7
              Re: How do I config "Administrative Templates" for the local current user only?

              Rems - thanks for the info and detailed explanation - I already did it using Dumber's method though.

              Originally posted by Dumber
              No, first apply the deny permissions, then log on as another admin and create the policies.
              In fact, it isn't a real workaround but more the only solution for pre-Vista machines.

              So you have 2 options: either use the "workaround" or switch to Vista.
              Works like a charm, thanks!
