Restricting Local User Account

[AJ]

Hi folks

I need to create a local account on a standalone server (non domain
member) which will have the ability to create local user accounts, but
not mess with the administrator account (thinking member of power user
group here). In addition to this I need to make sure that this user
cannot browse the network in anyway and only be granted specific
permissions to certain directories. The permissions to the directories
can be performed by locking down with NTFS permissions but I cannot
find a way to disable network browsing without messing with the server
service which is required for user account management. I need to hide
all network servers/domain from this specific user account. What is
the best way to acheive this, is it possible?

TIA

AndyJ

 

[John John (MVP)]

Members of the Administrators group can fully administer user accounts;
only Administrators can assign user rights and access privileges for
resources. Members of the Power Users group can create accounts only in
the Power Users, Users, and Guests groups; they can also maintain and
delete the accounts they create. However, a Power User can neither
change nor delete an account in these groups if the account was created
by someone else. A member of the Users group can create, maintain, and
delete accounts in local groups that he or she has created. Guests can
neither create nor delete accounts.

[end quote]

How To Create and Manage User Accounts Programmatically
http://support.microsoft.com/kb/119671

For network browsing see the information here and in the related entires
at the bottom:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93569.mspx?mfr=true

Take a look at Group Policies to enforce what you want.

John