Standard Users Privileges

Guest

My goal, when I bought a new Windows Vista Ultimate computer for my son's 8th
grade graduation, was to give him a tool to do his high school research and
homework, at the same time controlling the time that he spent on the computer
playing games. He spent too much time playing online games in middle school
and his grades suffered as a result.

When I configured Windows Vista Ultimate, I set myself up as the Vista
Administrator and set him up as a Vista Standard User. Then I enabled
Parental Controls and set computer usage time limits.

However, as a Windows Vista Ultimate Standard User, he cannot download
research or other files from the internet and/or he cannot install any
programs (educational or not).

The bottom line is that I want to give him all the rights of a Windows Vista
Administrator, with the following exceptions:
* I do not want to let him remove or modify the Parental Controls in any way.
* I do not want to let him change his own or other people's privileges.
* I do not want him to change other users' passwords, like his sister's, but
he should be able to change his own password.
* I do not want him to change the Windows Live OneCare firewall and other
settings. Windows Live OneCare should block him from downloading and
installing spyware or viruses.

Can someone please tell me how to enable this in Windows Vista Ultimate?

Thanks,

Sam
Software Quality Assurance (SQA) Engineer
 
Ronnie Vernon MVP

Sam

With Vista Ultimate you have the resources provided by the Group Policy
(gpedit.msc) and the Security Policy (SecPol.msc) components.

These tools can accomplish just about anything you need to open or lock down
any component in the system. It may take you a short time to learn, but it
is well worth the effort.

Resources for Learning About Group Policy for Windows Vista:
http://technet2.microsoft.com/WindowsVista/en/library/47e0577f-d043-4bca-8e05-c4c93050ef971033.mspx

Download details: Group Policy Settings Reference:
http://www.microsoft.com/downloads/...9b-3328-4350-ade1-c0d9289f09ef&DisplayLang=en
 
Guest

I looked at the two URLs that you offered me and I didn't see anything that
told me clearly and specifically what to do to accomplish what I want to do.
I have a home network with no Active Directory Domain.

Maybe I am slow, but I posed specific authorizations and/or policies that I
wanted in place and I didn't see anything that showed me how to create a
user that could download files, install programs and change his password -
yet NOT be able to change other people's passwords and change and/or remove
the parental controls.

Can you please break it down to the basic steps?
What happened to the concept of the Power Users group?

Still stumped...
Sam
Software Quality Assurance (SQA) Engineer
 
Guest

Migrating from the Power Users Group
The Power Users group in Windows XP was designed to enable members of the
group to perform system tasks, such as installing applications without
granting full administrator permissions. Power Users also had write access to
areas of the file system and registry that normally only allow administrator
access. Power Users enabled some level of application compatibility;
unfortunately, this did not address a fundamental problem: applications
requiring unnecessary privileges and user rights. UAC does not leverage the
Power Users group, and the permissions granted to the Power Users group on
Windows XP have been removed from Windows Vista. UAC enables standard users
to perform all common configuration tasks. The Power Users group, however, is
still available for backwards compatibility with other versions of Windows.
To use the Power Users group on Windows Vista, a new security template must
be applied to change the default permissions on system folders and the
registry to grant Power Users group permissions equivalent to Windows XP.

To disable UAC from prompting for credentials to install applications

1. Click Start, click All Programs, click Accessories, click Run, type
secpol.msc in the Open text box, and then click OK.

2. From the Local Security Settings console tree, click Local Policies, and
then Security Options.

3. Scroll down and double-click User Account Control: Detect application
installations and prompt for elevation.

4. From the User Account Control: Detect application installations and
prompt for elevation Properties dialog box, click Disabled, and then click OK.

5. Close the Local Security Settings window.


To change the elevation prompt behavior

1. Click Start, click Accessories, click Run, type secpol.msc in the Open
text box, and then click OK.

2. From the Local Security Settings console tree, click Local Policies, and
then Security Options.

3. Scroll down to and double-click User Account Control: Behavior of the
elevation prompt for administrators or User Account Control: Behavior of the
elevation prompt for standard users.

4. From the drop-down menu, select one of the following settings:

• No prompt

• Prompt for credentials (this setting requires user name and password input
before an application or task will run as elevated, and is the default for
standard users)

• Prompt for consent (this is the default setting for administrators only)


5. Click OK.

6. Close the Local Security Settings window.


http://technet2.microsoft.com/Windo...8514-4c9e-ac08-4c21f5c6c2d91033.mspx?mfr=true
 
Guest

Hi Gistcheckin,

Thanks for the detailed advice! I will try it as soon as I go home tonight.

Will adding the users to the newly configured Power Users group still limit
them from changing the Parental Controls? If not, how can I specify that
policy for the Power Users group?

Thanks,
Sam M.
Software Quality Assurance (SQA) Engineer
 
Guest

I implemented your solution and it allowed a standard user to download and
install files like I wanted.

However, it also allowed the standard user to change the Parental Controls,
like I did NOT want.

Is there any way to enable a policy that does exactly what I requested?
Basically, I need to create "an administrator with limited rights".
 
Guest

Yes, but which is the user rights policy that states you can not change
Parental Controls?

I did not see the words, "Parental Controls" in either of the links that you
provided.

I'm beginning to think that Windows Vista Ultimate is not the answer to my
wishes.
I don't think that Net Nanny, from what I read, is the answer either. If my
kids can elevate themselves to administrators, they can turn off Parental
Controls or disable Net Nanny.

I can set time limits on my Linksys router but not on a per user basis -
everyone would be affected by router time limits.
 
Jimmy Brush

Hello,

There is no good and easy solution for you.

The problem is that the vast majority of software installations require
administrator access because they install for all users of the computer.

Software that only installs for the current user won't need admin power,
and so standard users can install these, but most software won't give
you the option to do this.

It is up to the individual software to allow standard users to install
them - Windows has no control over this.

I'm afraid the best solution is for your son to bother you, the
administrator, when he wants to install something that needs permission.
 
Guest

JB,

You are right, there is no good and easy solution for me.

I would be able to do this if I set up a Windows 2003 or 2008 server with
Active Directory, right?

What about third party add-ons?

Won't Microsoft address this issue in the future? There are times when my
son needs to install some software for school in the afternoon, while I'm at
work, in order to do an assignment.

Hey, could I use Microsoft's SharedView to install the software for him? :)

Thanks for your helpful reply!
 
Jimmy Brush

Sam said:
> JB,
>
> You are right, there is no good and easy solution for me.
>
> I would be able to do this if I set up a Windows 2003 or 2008 server with
> Active Directory, right?

No. In all cases, an administrator must authorize a program to be
installed, whether it is by actually installing the program him/herself,
or by preauthorizing it to be installed.

(And no, you can't just preauthorize "any program", as far as I know).

> What about third party add-ons?

What you are wanting is to allow certain programs to be able to run "as
administrator" by standard users, without asking for a password.

But you want to be able to control which programs the standard user can
use this on.

This is not really supported in Windows, and I am not aware of any
program that allows this, taking into account that you won't know the
program name in advance.

The reason is for security: Once the standard user can run
administrative programs, they're not really a standard user anymore.

> Won't Microsoft address this issue in the future? There are times when my
> son needs to install some software for school in the afternoon, while I'm at
> work, in order to do an assignment.

Unfortunately, this is really something that the people who make
software have to address, it can't be fixed by Microsoft.

Microsoft allows software developers to install software for a single
user and not require admin powers. They simply do not do it, for
whatever reason.

> Hey, could I use Microsoft's SharedView to install the software for him? :)

No.

> Thanks for your helpful reply!

You're welcome.

I will offer a possible solution.

Note that this solution (and really any solution to this particular
problem) results in giving your son administrator power, and just hiding
the features that you do not want him to use. It doesn't really stop him
from doing anything, it just makes it more difficult.

(I imagine this is the reason that Microsoft deprecated power users ...
Power users are really administrators that pretend to not have full
power. This is just pretend though; it is trivial to go from a power
user account to an administrator account.)

Anyway, you mentioned that the power users solution worked for you,
except that he could still access parental controls, and change other
people's passwords.

A solution here is to remove access to the user accounts control panel.

- Click start
- Type: mmc.exe
- press enter
- Click file -> add/remove snap-in
- Click on "Group policy object editor"
- Click add
- click the browse button
- click the users tab
- select your son's username
- click OK, finish, ok
- in the left, expand Local Computer, User Configuration, Administrative
Templates
- Click on Control Panel
- double-click Hide specified control panel options
- click enabled
- click show
- click add
- type: user accounts
- click ok
- click add
- type: parental controls
- click ok
- click add
- type: set up parental controls for any user
- click ok, ok, ok

This will prevent him from managing parental controls and other user
accounts from the control panel.

Note that he can still change passwords by pressing ctrl-alt-delete. To
prevent that, there is an option to 'remove change password' under
Administrative Templates -> System -> Ctrl + Alt + Delete options.

(You might want to browse through these settings, there are all sorts of
neat things you can customize)

As you may have guessed, this will also hide the tool he uses to change
his own password.

You've got to make a choice: allow him to change his own password on
demand at the risk of him easily changing other user account passwords,
or make him tell you when he wants to change his password.

If you do the latter, you can allow him to change his password when he
asks you by doing this:

- Click start
- right-click computer
- click manage
- expand local users and groups
- click users
- right-click his account and click properties
- uncheck password never expires
- check user must change password on next logon

Once he's changed his password, you can re-check password never expires.

As I mentioned before about just hiding stuff and not really preventing
anything, he can use the 'net' command-line utility to change other
people's passwords, and there's no easy way to prevent this, short of
keeping him from opening a command prompt.
 
Jimmy Brush

Sam said:
> Hey, could I use Microsoft's SharedView to install the software for him? :)

Heh, spoke too soon... if you are available at work while he is at the
computer and online, yes.

You could also have him send you a remote assistance request, which will
allow you to take over his screen.

Or, install a free third-party remote access solution such as www.uvnc.com.
 
Guest

JB,

I really loved the solution that you provided for me in your previous post!
I think that hiding the Control Panel items will work.

This solution will work at least until he figures out how to use the 'net'
command-line utility, and he probably will, or until he runs the
manufacturer's image restore utility and makes himself the administrator and
me a standard user, and he probably will LOL.

Thanks for the Microsoft SharedView update.
I am glad that that solution will work also.
 
Jimmy Brush

Well,

Looks like I'm gonna have to eat some crow on this one.

Turns out I was wrong.

You can allow standard users to install any program they want - as long
as it uses a certain type of installer (MSI).

I believe the majority of installers use MSI, but that doesn't mean that
a certain program that your son might try to install won't use this
install method, so this may not be a perfect solution for you.

But it is easy and more secure than my other solution (although the
caveat still stands that this is just "hiding" - a crafty person can
take advantage of this privilege to turn their account into a full-blown
administrator account).

If you want to try this out, you can remove your son's membership from
the power users group, remove the blocks you added before for the user
accounts control panel (so he can change his password), and then set up
these settings:

- Click start
- Type: mmc.exe
- press enter
- Click file -> add/remove snap-in
- Click on "Group policy object editor"
- Click add
- click finish (to accept the default of local computer)
- click ok
- in the left, expand Local Computer Policy, COMPUTER Configuration,
Administrative Templates, Windows Components
- Click on Windows Installer
- double-click Always install with elevated privileges
- click enabled
- click ok
- Click file -> add/remove snap-in
- Click on "Group policy object editor"
- Click add
- click the browse button
- click the users tab
- select your son's username
- click OK, finish, ok
- in the left, expand Local Computer\YOUR SON'S USERNAME, USER
Configuration, Administrative Templates, Windows Components
- Click on Windows Installer
- double-click Always install with elevated privileges
- click enabled
- click ok
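
A read-only audit of the settings changed by the two procedures in this thread (the User Account Control options under Security Options, and "Always install with elevated privileges"), as an added example that is not part of any post. It reads the registry values those policies are stored in; the function names are hypothetical, and it assumes it is run while logged on as the account being checked, so that HKCU is that user's hive.

```powershell
# Added example: read-only audit of the policies discussed in this thread.
# Get-PolicyValue and Get-ElevationPolicyAudit are hypothetical helper names.
function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-ElevationPolicyAudit {
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $msi = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

    $machineMsi = Get-PolicyValue "HKLM:\$msi" 'AlwaysInstallElevated'
    $userMsi    = Get-PolicyValue "HKCU:\$msi" 'AlwaysInstallElevated'
    $detect     = Get-PolicyValue $uac 'EnableInstallerDetection'
    $adminMode  = Get-PolicyValue $uac 'ConsentPromptBehaviorAdmin'
    $userMode   = Get-PolicyValue $uac 'ConsentPromptBehaviorUser'

    $findings = @()
    # Windows Installer elevates only when BOTH the machine and user values are 1.
    if ($machineMsi -eq 1 -and $userMsi -eq 1) {
        $findings += 'AlwaysInstallElevated is on for machine and user: any MSI this user runs installs with system privileges.'
    } elseif ($machineMsi -eq 1 -or $userMsi -eq 1) {
        $findings += 'AlwaysInstallElevated is set on one side only: not effective yet, but one change away.'
    }
    if ($detect -eq 0) {
        $findings += 'Installer detection is disabled: setup programs are no longer detected and prompted for elevation.'
    }
    if ($adminMode -eq 0) {
        $findings += 'Administrators elevate with no prompt (ConsentPromptBehaviorAdmin = 0).'
    }
    $findings += "Standard-user prompt behavior value: $userMode (empty means not configured)."
    $findings
}

Get-ElevationPolicyAudit
```

If the first finding appears, setting both "Always install with elevated privileges" policies back to Not Configured removes it.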
 
