AIANDAS said:
Well I want there to be one ADMINISTRATOR that can control all the
others. Now in XP Pro we have 2 choices. Administrator and Limited
Accounts. So there is one user @ home that whines if I don't make
them an Administrator but don't trust their internet savvy to not
get us into some kind of trouble. So I do make them an
administrator but I need to find a way to limit their access
without making them Limited.
Somebody mentioned Sub-Administrator. How do I make them a
Sub-Administrator?
You have to let them whine. If they cannot be trusted with power, then
certainly don't give it to them.
You have chosen badly by making them administrators. They do not *need* to
be administrators to utilize the computer. In fact - best practice is for
them *not* to be an administrator while performing daily tasks.
Let's make this easy.
If a user is a member of the "administrators" group - they are all-powerful
(except in personalized worlds - like encrypted data - and even then, they
could (if the other users are unwise in their best practices) make said
encrypted data *lost* to the other user completely.)
If a user is a member of the "administrators" group - no matter their other
memberships - they can do what they want to whomever they want on said
system. If another member of the "administrators" group changes something
on their account, they can retaliate and do the same.
As far as I am concerned (the following is my opinion, my take on things) -
despite some people's usage of the "power users" group - there are only a
few levels of users.
When dealing with users - you give them *as little* power as
possible/plausible and grant them only the additional power they need. You
do not give them 'all powerful' rights and then try to limit them.
- Guest (these people cannot do much of anything, fairly unused level.)
- User (very limited, no installation rights, etc.)
- Modified User (this is not a built-in group, but a user whom I have
granted an extra right or three...)
- Administrator (full ownage of everything in said system.)
Power Users is supposed to be a group that can install certain things, do
certain things - but I have always found their power too broad to be useful
in restricting people. Power Users still get infections that affect all
other users, they can install software that affects all other users, etc.
I'd rather not have that sort of user on a multi-user system and I would
rather only have a single administrator (although there may be multiple
administrator level accounts - for 'oops' situations.)
My suggestion is to limit the usage of the "administrators" group as much as
possible. Create all "users" and if you must, grant certain users 'special
powers'.
http://technet.microsoft.com/en-us/library/bb456992.aspx
http://support.microsoft.com/kb/279783
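
The demotion suggested in the reply above, as an added example that is not part of the original thread: a batch script for the Windows XP Pro command prompt that moves one account from the local Administrators group to the built-in Users group. It assumes English group names ("Administrators", "Users") and that it is run from an administrator account; the script name and account argument are hypothetical.

```bat
@echo off
rem Added example, not from the thread: demote one local account from
rem Administrators to the built-in Users group (Windows XP Pro).
rem Assumes English group names; run from an administrator account.
rem Usage: demote.cmd <account name>
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<account name^>
    exit /b 1
)
set "ACCOUNT=%~1"

rem Never demote the account running the script, so the machine is not
rem left without a working administrator.
if /i "%ACCOUNT%"=="%USERNAME%" (
    echo Refusing to demote the account you are logged on with.
    exit /b 1
)

rem Confirm the account exists before touching group membership.
net user "%ACCOUNT%" >nul 2>&1
if errorlevel 1 (
    echo Account "%ACCOUNT%" not found.
    exit /b 1
)

rem Add to Users first so the account always belongs to some group.
rem An "already a member" error here is harmless, so it is ignored.
net localgroup Users "%ACCOUNT%" /add >nul 2>&1

rem Remove the all-powerful membership.
net localgroup Administrators "%ACCOUNT%" /delete
if errorlevel 1 (
    echo Could not remove "%ACCOUNT%" from Administrators.
    exit /b 1
)

rem List who is still an administrator so the result can be checked.
echo.
echo Current members of Administrators:
net localgroup Administrators
endlocal
```

The change takes effect at the account's next logon; any extra rights for a "Modified User" are granted separately afterwards.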