administration problem

[RD]

My ultimate goal:
I want to establish protocol on my computer where I am the only one to
install software. Once installed anyone can use it. i.e.: ICQ, Winamp etc.

System:
Windows XP Pro on NTFS harddrive (XP was suppose to convert during
installation)

History:
The OS was originally installed with me as administrator and everyone had
separate "limited" accounts. That seemed to be a pain everytime someone else
wanted to use it. I then removed all accounts except one:mine. Then a family
member started installing software, though they were asked not to (ICQ etc).
I decided then to create one limited account (everyone) with one
administration account. I uninstalled ICQ and reinstalled it under
"administrator". It works fine under "administrator". However, now when
"everyone" attempts to use it they get an error that basically states "you
do not have write permission to use this, see your administrator (some error
number)". I went into the group policy editor and changed one of the
settings (can't remember which one) from "object creator" to "administrators
group" and made sure that "everyone" was included in the Users. However, the
error persists.

Suggestions:
(This is for those who dare....)

 

[Unnamed]

My ultimate goal:
I want to establish protocol on my computer where I am the only one to
install software. Once installed anyone can use it. i.e.: ICQ, Winamp etc.

Go to the START button and RUN prompt. Type REGEDIT and hit enter. Then, go
to:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]

In there, create the DWORD "DisableMSI" if it doesn't already exist. The
actual value data for that DWORD, after that is 0 is default, 1 is admin
only and 2 is disabled. So, you want to set the value data to admin only, or
1.

Once you do that, you need to change the password on YOUR account so they
cant get in there and create accounts for them that are LIMITED users, not
ADMIN users and then you are OK. They cant install anything after that. Only
your account can.

 

[Ronnie Vernon MVP]

My ultimate goal:
I want to establish protocol on my computer where I am the only one to
install software. Once installed anyone can use it. i.e.: ICQ, Winamp
etc.

System:
Windows XP Pro on NTFS harddrive (XP was suppose to convert during
installation)

History:
The OS was originally installed with me as administrator and everyone
had separate "limited" accounts. That seemed to be a pain everytime
someone else wanted to use it. I then removed all accounts except
one:mine. Then a family member started installing software, though
they were asked not to (ICQ etc). I decided then to create one
limited account (everyone) with one administration account. I
uninstalled ICQ and reinstalled it under "administrator". It works
fine under "administrator". However, now when "everyone" attempts to
use it they get an error that basically states "you do not have write
permission to use this, see your administrator (some error number)".
I went into the group policy editor and changed one of the settings
(can't remember which one) from "object creator" to "administrators
group" and made sure that "everyone" was included in the Users.
However, the error persists.

Suggestions:
(This is for those who dare....)

RD

You will simply be astounded at how easy this can be accomplished with the
new tool MVP Doug Knox has been developing. Called Security Console, it
allows you to disable/enable just about any aspect of XP for any user. It
works on XP Home as well as XP Pro. Best of all, it can perform all of these
functions on a per user basis, something that even GPEdit cannot do. Check
it out here:

Security Console Version 1.4:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm



--
Ronnie Vernon
Microsoft MVP
Windows Shell/User

Please reply to the newsgroup so all may benefit.

 

[RD]

Ronnie,

Are you aware of some website that explains the cryptic language and
settings in the Group Policy Editor?
I will try the John Knox program tomorrow.

RD

 

[Ronnie Vernon MVP]

Ronnie,

Are you aware of some website that explains the cryptic language and
settings in the Group Policy Editor?
I will try the John Knox program tomorrow.

RD

Uh, it's "Doug" Knox. <g>

BTW, there is a rumor that Doug may be releasing version 2.0 of this handy
utility soon.

Here are some links for the GPEdit module.

HOW TO: Use the Group Policy Editor to Manage Local Computer Policy in
Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307882&sd=tech

Look in the left window at the TOC on the following page for an unlimited
amount of resources on XP Pro. A good place to go is: TechNet Home >
Products & Technologies > Windows XP Professional > Microsoft Windows XP
Resource Kits > Professional Resource Kit Documentation > Part III
Security.

Windows XP How-to Resources:
http://www.microsoft.com/technet/itsolutions/howto/winxphow.asp?frame=true

--
Ronnie Vernon
Microsoft MVP
Windows Shell/User

Please reply to the newsgroup so all may benefit.

 

[RD]

Well I tried the aforementioned program, but it doesn't do what I need it to
do. There is alot of good items though. I did manage to get ICQ and others
to work by making the group "power users" rather than "limited. Therefore my
problem seems to have something to do with Legacy programs. Are power users
allowed to install software?

RD

 

[Ronnie Vernon MVP]

Well I tried the aforementioned program, but it doesn't do what I
need it to do. There is alot of good items though. I did manage to
get ICQ and others to work by making the group "power users" rather
than "limited. Therefore my problem seems to have something to do
with Legacy programs. Are power users allowed to install software?

Yes. Power Users are can do almost abything that an Administrator can do,
with a few specific exceptions, like installing device drivers, taking
ownership of files or folders and changing Administrator profiles.

Power User is a good group to assign people to and then use Doug's Security
Console to restrict whatever you wish.
--
Ronnie Vernon
Microsoft MVP
Windows Shell/User

Please reply to the newsgroup so all may benefit.

 

[RD]

But I didn't see anything in there that would restrict software installs.
What am I missing?

RD

 

[Ronnie Vernon MVP]

But I didn't see anything in there that would restrict software
installs. What am I missing?

RD

You may need to get creative with this since a Power User can do almost
anything. You can disallow many types of programs like *.msi (Windows
Installer) files using the registry and then use the Security Console to
restrict access to Regedit (registry editor).

For information on using the disallow key and GPedit, see these websites:

Restrict Access to programs
http://www.kellys-korner-xp.com/xp_a.htm#xp_restrict

Using Software Restriction Policies to Protect Against Unauthorized
Software:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.asp?frame=true


--
Ronnie Vernon
Microsoft MVP
Windows Shell/User

Please reply to the newsgroup so all may benefit.