Stand-alone (non-networked) computer - restrict one account but not another

Tim Rude

I've got a stand-alone (non-networked) Windows 2000 Pro machine with
only two accounts - one Administrator (with a password) and one User (no
password). Windows is set to auto-login to the User account at boot up.

I want to lock down the User account to disable stuff like the Control
Panel, Display settings, Taskbar settings, etc. However, I want to leave
these things enabled when logged in under the Administrator account.

Using the Group Policy editor, I can disable what I want but it affects
both accounts. How can I selectively apply the Group Policy settings to
only the User account?

TIA
 
Mark Renoden [MSFT]

Hi Tim

There's no supported method for achieving this. That said, you can edit the
policy when logged in as an admin and then deny the admin read permissions
on %windir%\system32\GroupPolicy.

When the admin logs in, the local policy won't apply to them because they
can't read it. When the user logs in, they will still get the policy. The
catch here is that once read permissions are denied for the admin, the admin
can't edit the policy any more. You have to add read permissions back to be
able to edit. The danger is then that the policy may apply while you're in
the middle of editing and depending on the settings, the admin account may
be restricted to a point where they can no longer function.

As I said, this is NOT supported. You stand a good chance of getting
yourself into trouble and having to flatten the machine.

--
Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Tim Rude

Thanks Mark. I appreciate the idea (and the warning). I've tried it and
it seems to work pretty well. I dropped shortcuts to a couple of .cmd
files on the Admin desktop that apply/remove the read permissions (using
CACLS) as well as a shortcut to gpedit.msc. That way I've hopefully got
a way back in if I let the door slam on myself. So far it's working
pretty good. I'm being careful not to enable any policies that would
totally shut me down.

--
Tim Rude

(e-mail address removed)
(remove NOSPAM. for correct email address)
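
The apply/remove toggle discussed in this thread, sketched as one .cmd file with an extra verb that re-applies the deny as soon as the policy editor closes (an added example, not the scripts Tim describes). It assumes the exempt account is named Administrator; the verbs and variable names are this example's own.

```batch
@echo off
rem Added example, not the scripts from this thread.
rem Assumption: the account to exempt from local policy is named Administrator.
rem The lock/unlock/edit/status verbs are this example's own.
setlocal
set GPDIR=%windir%\system32\GroupPolicy
set ACCT=Administrator

if not exist "%GPDIR%" (
    echo "%GPDIR%" not found - nothing to change.
    goto :eof
)
if /i "%1"=="lock"   goto lock
if /i "%1"=="unlock" goto unlock
if /i "%1"=="edit"   goto edit
if /i "%1"=="status" goto status
echo Usage: %~n0 lock ^| unlock ^| edit ^| status
goto :eof

:edit
rem Lift the deny, wait for the policy editor to close, then fall through to
rem :lock so the folder is readable by the account only while the editor is open.
cacls "%GPDIR%" /E /T /R %ACCT%
start /wait mmc.exe "%windir%\system32\gpedit.msc"

:lock
rem /E edits the existing ACL, /T recurses, /D adds a deny entry for the account.
rem CACLS /D denies all access, not read alone.
cacls "%GPDIR%" /E /T /D %ACCT%
goto status

:unlock
rem /R removes the account's explicit entries, including the deny from :lock.
cacls "%GPDIR%" /E /T /R %ACCT%

:status
rem Print the current ACL so the result of the change is visible.
cacls "%GPDIR%"
goto :eof
```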
 
