WinXp PRO Accounts and GPEDIT

[eschatonik]

I just got a new laptop and this is the first time i have had XP PRO (i have
had XP HOME and 2000 before).

I have 2 questions:

1. I want the built-in "Administrator" account to be the Admin and "Chris"
to be a limited user. But XP wont let me take admin priviledges away from
"Chris", even when I am logged into the "Administrator" account ("limited
account" is greyed out in the User Accounts control panel). I need to set up
a third account, give it admin priviledges, and then take them away from
"Chris" to have it the way I want it. It's like XP dosen't count
"Administrator" and having admin priviledges. Why the need for 3 accounts?
Is there a way around this?

2. Even once I did that, and made "Chris" a limited account, Norton AV2004
complains at logon about not having priviledges. Is there a way to make
Norton AV2004 shut up, or can I give "Chris" priviledges for certain things,
but not others, to keep the account safer? Also, is there a solid tutorial
out there for configuring user accounts with GPEDIT? I want to customize the
security for the limited account, but I don't want to mess with things until
i RTFM.

OK, that's more like 3 questions. Thanks.

 

[JW]

For both question #1 and #2, it would help to get familiar with Local Users
and Groups in Computer Management (right-click My Computer, and select
Manage). You can do lots more stuff than you can with User Accounts in
Control Panel. With Local Users and Groups, double-click Groups,
right-click a Group Name, and select Properties. Now you can easily assign
a User Account to a different Group. You have more groups to choose from,
but it takes 2 steps. You'll have to add the User to a new Group, and
remove him from the old Group. To get Norton to stop balking, try (1)
giving Write and Modify permission to Chris, only on the folder named in the
Error message Norton is choking on, or (2) adding Chris to the Group named
Power Users, which ever makes you more comfortable.

Since the Administrator and Power Users group have lots more authority and
permission than Limited Accounts (Users group), I would recommend you not
surf the wild wild web using these accounts. Any vermin that slips through
your defenses would have the same permission/authority as the account you
logged on with. Instead, I have found a great deal of success and comfort
surfing the web with a special account set up for only that purpose, that
has all NTFS permissions except Read/Execute removed from \Windows and
\Program Files. It doesn't remove the need for anti-virus, anti-spyware,
and firewall programs, because it doesn't stop vermin from corrupting the
folders within this user account, e.g. Favorites, Cookies, Desktop,
Documents, Settings, etc. What I have noticed though, since I enabled
auditing on folders named \Windows and \Program Files, is that the Security
Log in Event Viewer shows failed attempts every day by some web pest trying
unsuccessfully to infect files in these folders like Explorer.exe.

Can't help with question # 3

I just got a new laptop and this is the first time i have had XP PRO (i have
had XP HOME and 2000 before).

I have 2 questions:

1. I want the built-in "Administrator" account to be the Admin and "Chris"
to be a limited user. But XP wont let me take admin priviledges away from
"Chris", even when I am logged into the "Administrator" account ("limited
account" is greyed out in the User Accounts control panel). I need to set up
a third account, give it admin priviledges, and then take them away from
"Chris" to have it the way I want it. It's like XP dosen't count
"Administrator" and having admin priviledges. Why the need for 3 accounts?
Is there a way around this?

2. Even once I did that, and made "Chris" a limited account, Norton AV2004
complains at logon about not having priviledges. Is there a way to make
Norton AV2004 shut up, or can I give "Chris" priviledges for certain things,
but not others, to keep the account safer? Also, is there a solid tutorial
out there for configuring user accounts with GPEDIT? I want to customize the
security for the limited account, but I don't want to mess with things until
i RTFM.

OK, that's more like 3 questions. Thanks.

 

[Doug Knox MS-MVP]

See www.dougknox.com, Win XP Utilities, Windows XP Security Console. You can restrict many of the of the operating system features, while leaving the "Chris" account as an Administrator. You can even prevent "Chris" from running the Security Console to undo the changes.

 

[eschatonik]

For both question #1 and #2, it would help to get familiar with Local Users
and Groups in Computer Management (right-click My Computer, and select
Manage). You can do lots more stuff than you can with User Accounts in
Control Panel. With Local Users and Groups, double-click Groups,
right-click a Group Name, and select Properties. Now you can easily assign
a User Account to a different Group. You have more groups to choose from,
but it takes 2 steps. You'll have to add the User to a new Group, and
remove him from the old Group. To get Norton to stop balking, try (1)
giving Write and Modify permission to Chris, only on the folder named in the
Error message Norton is choking on, or (2) adding Chris to the Group named
Power Users, which ever makes you more comfortable.

Since the Administrator and Power Users group have lots more authority and
permission than Limited Accounts (Users group), I would recommend you not
surf the wild wild web using these accounts. Any vermin that slips through
your defenses would have the same permission/authority as the account you
logged on with. Instead, I have found a great deal of success and comfort
surfing the web with a special account set up for only that purpose, that
has all NTFS permissions except Read/Execute removed from \Windows and
\Program Files. It doesn't remove the need for anti-virus, anti-spyware,
and firewall programs, because it doesn't stop vermin from corrupting the
folders within this user account, e.g. Favorites, Cookies, Desktop,
Documents, Settings, etc. What I have noticed though, since I enabled
auditing on folders named \Windows and \Program Files, is that the Security
Log in Event Viewer shows failed attempts every day by some web pest trying
unsuccessfully to infect files in these folders like Explorer.exe.

Can't help with question # 3

I just got a new laptop and this is the first time i have had XP PRO (i have
had XP HOME and 2000 before).

I have 2 questions:

1. I want the built-in "Administrator" account to be the Admin and "Chris"
to be a limited user. But XP wont let me take admin priviledges away from
"Chris", even when I am logged into the "Administrator" account ("limited
account" is greyed out in the User Accounts control panel). I need to set up
a third account, give it admin priviledges, and then take them away from
"Chris" to have it the way I want it. It's like XP dosen't count
"Administrator" and having admin priviledges. Why the need for 3 accounts?
Is there a way around this?

2. Even once I did that, and made "Chris" a limited account, Norton AV2004
complains at logon about not having priviledges. Is there a way to make
Norton AV2004 shut up, or can I give "Chris" priviledges for certain things,
but not others, to keep the account safer? Also, is there a solid tutorial
out there for configuring user accounts with GPEDIT? I want to customize the
security for the limited account, but I don't want to mess with things until
i RTFM.

OK, that's more like 3 questions. Thanks.

Thanks for the tips. I have set up "Chris" as a limited user, and found
that the issue I was having with NAV2004 is covered here:

http://service1.symantec.com/SUPPOR...ws 2000/Me/98/XP&src=sg&pcode=nav&svy=&csm=no

Now everything seems to be running fine, and I am no longer running as
admin, which makes me feel a wee bit better. I'm going to go check out
your site, too, DOug, as that seems to be just the ticket for the other
info i am looking for.