How to remove a program from a limited user account on XP

  • Thread starter Thread starter Jen
  • Start date Start date
J

Jen

I have admin user account, and need to remove a program
only from a limited users account (leaving it accessible
for the other accounts.)
How do I do this?
Thanks so much,
Jen
 
Hi Jen,

If you've got Windows XP Pro and you're comfortable with Group Policy
editing, that's the native way to do it. I found doing anything with GPs
unfathomable, but there's a program called 1st Security Agent (Google for a
link) that allows really easy and very powerful user account editing. It's
shareware I think, but it's well worth buying if you need to do this stuff
on a regular basis. Neither I nor the author of the program take any
responsibility for any negative changes it causes (though it's not affected
this machine and I did some pretty serious account fiddling with it).

Also, Win XP Home doesn't have GP's, but I think the program mentioned above
works on Home. As another cheap 'n' nasty option you could just delete the
shortcuts from the Startup group in All Users, but that won't stop people
opening it through other means.

Good luck!

Steve
 
I'm comfortable mucking around under GPE but I'll be damned if I can figure
out how you specify for a specific user rather than the whole group? Please
elaborate.
 
You can stick that user in another group, and make sure that the Deny policy
you use for that group isn't being overriden by any others. I'm not on a
domain here so I can't see the appropriate bits in the computer Management
utility, but you should be able to specify a particular group not to use an
application in the same way you can deny access to files and folders. I've
not had much experience with group policies because I have a tendency to
irreparably damage things, so I've been forbidden from fiddling about with
them :-)

Good luck!

Steve
 
I'm not on a domain either, just my own four 98SE PCs and this XP one.

From what I can gather, there's essentially three groups (ommitting Power
Users, BackupOps etc.), Administrator(s), User(s) and Guest.

I also have failed to find any means of setting restrictions on normal "User
A" while leaving nornmal "User B" alone. Help blatantly omits even hinting
at that possibility. Simply changing one of them to one of the other 2
account types is idiotic.

I think I may have found how to create additional Groups but at first glance
setting up the policies for that group is daunting. Again, that also seems
idiotic when one can expect requiring a different policy for every account.

What I expected to find was some tool would allow you to select a specific
account and set "whatever" in exacting detail for only that selected user.
In other words when I'm using gpedit.msc, I expected to be able to designate
a specific user (or a sub-set of the entire user accounts) and then set that
users (or sub-set of users) policy, not an all users or none affair. What
kind of bs is that?
 
Locate the folder the executable is located in and add a permission entry which denies that user all
access.

Keith
 
I have, without paying it doesn't allow you to do anything with other than
the currently logged in user. I can only assume it'll load other accounts if
bought and paid for.

I feel that something like that should be included in the OS and not have to
purchase it from some other resource. At the least I feel the technique
(e.g. suspect it's all in the registry somewhere) should be public and
easily found at the least. In fact, it should be documented in the included
installed help.
 
A lot of info on the associated reg settings here:

http://www.winguides.com/registry/

You can download RegMon (free) from:

http://www.sysinternals.com/

and have it running while you apply group policies to see what the registry settings associated with
a particular policy are, then delete or add them to individual users (if they are a per-user
setting)

Unfortunately, a path restriction for software shows up here:

HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths

which seems to indicate it is per-machine rather than per-user. Not sure if Doug's utility gets
around that, and if so, how.

Keith
 
Back
Top