Re: ADMINISTRATOR vs Administrator USer

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

The conversation before this:
http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/204190216d338284
(archived indefinitely)



C.Joseph Drayton wrote:
There is a program that was written by one of the MVPs here
called WindowsXP Security Console that will allow you to
achieve what you want.

You of course must install it as an administrator. Then the
next thing you do is load each users profile, and restrict
their use of the WindowsXP Security Console. Also make sure
that you load the default user profile and place the same
restriction there. Once you have done that, you can than
restrict the 'administrators' access without them being able
to over-ride that restriction. Of course if they get into
your account (which still has policy setting capability),
then all bets are off.

One word of caution do not accidentally restrict your your
access to the WindowsXP Security Console, or you will find
that you can no longer make any policy changes.

BTW, the WindowsXP Security Console works with all versions
of XP that I have tested including the 64bit version.

Shenan Stanley wrote:
Are you speaking of:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
??

If so - I don't think it does what you seem to be representing it
does. An administrative level user in Windows XP is all powerful
and running the given software or not - an administrative level
account can do whatever they desire to do on Windows XP. You can
*attempt* to limit things on adminstrative level accounts in many
ways - all of which will be failures in the end.

You either create limited users (just plain old user accounts) or
you deal with the consequences of everyone having elevated privs
with non-technical methods (because if they have _any_ technical
skills (even if they don't they can still infest/infect the
machine) or just the normal propensity for mischief - you've wasted
a lot of time trying to take away rights they never should have
had.)

C.Joseph Drayton wrote:
Yes, that is the application I am referring to, and if you
set restrictions as to applications that they can use, then
yes it does work as I described.

As to whether the program can be circumvented I don't know.
I know that I have had it used by different sites for a
number of years with no problems. The users at those sites
could simply not be technical enough to bypass the security
that the program uses. I do know that it works, and yes it
is a pain to set up the restrictions but from what the OP
said, I think it is as application that he might want to
look at.

If a user is an administrator, they can circumvent almost everything you do
to try and limit them. The only exceptions are related to security that is
secondary (like encryption.)

I should also point out that technical savvy (or appearance of) is easily
gained with Internet searches - or at least enough to get around limitation
one might impose the way you have suggested. ;-)

IMO, it is *always* better to start with the lowest possible permissions and
grant only what is necessary than start by giving someone everything and
trying to take things away.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


.

Relevant Pages

  • Re: ADMINISTRATOR vs Administrator USer
    ... other user -- whether administrator or not. ... "How To Use the Group Policy Editor to Manage Local Computer ... their use of the WindowsXP Security Console. ... restrict the 'administrators' access without them being able ...
    (microsoft.public.windowsxp.general)
  • Re: ADMINISTRATOR vs Administrator USer
    ... user -- whether administrator or not. ... "How To Use the Group Policy Editor to Manage Local Computer Policy ... There is a program that was written by one of the MVPs here called WindowsXP Security Console that will allow you to achieve what you want. ... you can than restrict the 'administrators' access without them being able to over-ride that restriction. ...
    (microsoft.public.windowsxp.general)
  • Re: ADMINISTRATOR vs Administrator User
    ... their use of the WindowsXP Security Console. ... restrict the 'administrators' access without them being able ... account can do whatever they desire to do on Windows XP. ... Unfortunately there is software that will only run properly when run on an administrator account. ...
    (microsoft.public.windowsxp.general)
  • Re: ADMINISTRATOR vs Administrator USer
    ... You of course must install it as an administrator. ... their use of the WindowsXP Security Console. ... restrict the 'administrators' access without them being able ... given software or not - an administrative level account can do whatever they ...
    (microsoft.public.windowsxp.general)
  • Re: ADMINISTRATOR vs Administrator USer
    ... their use of the WindowsXP Security Console. ... restrict the 'administrators' access without them being able ... given software or not - an administrative level account can do whatever they ...
    (microsoft.public.windowsxp.general)