User profiles scenario - please help!

Guest

Ok. Here is my situation. I have a computer that is running XP Pro, not
connected to a domain. On the welcome screen, there will be the
Administrator login, and a user called Operator. The users who will be using
this will click on Operator.

However, I want the operator to have access to pretty much nothing. When
the operator logs in, I want it to automatically run a program, and that's
it. No desktop, no access to the C: drive, or other drives. Just login and
run the program.

I know how to adjust all these settings with Group Policy, but I don't know
how to make these adjustments specific to a user. As far as I know, when you
change something with group policy, it affects everyone that logs into the
machine, including the administrator.

How would I accomplish this? If anyone could help me, I would appreciate
it. I need these computers set up soon and am running into these problems.
Thanks.
 
Tom

Matt said:
Ok. Here is my situation. I have a computer that is running XP Pro, not
connected to a domain. On the welcome screen, there will be the
Administrator login, and a user called Operator. The users who will be
using this will click on Operator.

However, I want the operator to have access to pretty much nothing. When
the operator logs in, I want it to automatically run a program, and that's
it. No desktop, no access to the C: drive, or other drives. Just login
and run the program.

I know how to adjust all these settings with Group Policy, but I don't
know how to make these adjustments specific to a user. As far as I know,
when you change something with group policy, it affects everyone that logs
into the machine, including the administrator.

How would I accomplish this? If anyone could help me, I would appreciate
it. I need these computers set up soon and am running into these problems.
Thanks.

Matt, please don't multi-post your question, rather cross-post them; IOWs,
place the newsgroups' addresses all in the address line to send the same
message to the groups all at the same time. This way, the message you post
won't be read separately by others who subscribe to these groups.

Anyway, what you ask is not easy, as you would need to restrict folder
accesses, which is possible with Pro. If you deny one to access the C:\
drive, no matter, they would not be able to use the program anyway. If the
program has related files in the Programs Files/Windows folders, you would
need to restrict every folder in those, except for those related to the
program for the user to use.

Besides that, if you deny access to the desktop, how do you expect one to be
able to use a program anyway, as you have to have the Windows shell up and
running for things to work.
 
brush-head

Hi Matt
Have a look at running a login script - I don't think you have to be
attached to a domain to do that & you can control that by the user
profiles....

*or* you can make it really simple and create either a batch file if
simple command is all that is required, or a shortcut in the end users'
start up folder.
Although this latter approach is simple it gets to be a problem
maintenance-wise if you have a lot of them to do - only do it if you
have a handful - if nothing else it'll get you a solution until you can
come up with something more subtle.

Brush-Head

"The meek shall inherit the earth, but not the mineral rights"

John Paul Getty 1892 - 1976
 
Guest

Sorry about multiposting. I know now for next time not to do that. Thank
you for letting me know the proper procedure.

This is what I would like to do. When the operator account is clicked on
the welcome screen, I want a program to be launched automatically, and I
don't want them to be able to do anything else to the system except use this
program.
 
Tom

I don't think that is possible because if you block the person from the
programs and systems folders, it won't run anyway, unless you assign very
specific rights to the relevant folder for that person.

Did you follow Torgeir's advice, and post to the
microsoft.public.windowsxp.security_admin
newsgroup? They would be most adept at helping you.
 
Nepatsfan

First off, you're flirting with disaster. Mess this up and you'll
effectively lock everyone out of running anything but that one
program. If you want to continue you can try the following:

If the policies you want to change are all in the User
configuration branch of the local group policy then you can avoid
having them apply to the administrator's group by changing the
NTFS permissions on the Windows\System32\Group Policy folder to
explicitly deny Read permissions, and only Read permissions, for
the Administrators group. Don't be tempted to deny Full Control
or you'll never be able to reset the group policy. The downside
of this approach is that every time you want to run gpedit.msc
you're going to have to remove the deny Read from the Group
Policy folder.

Take a look here for some more info:

http://tinyurl.com/687jj

Here's an alternative approach to accomplish the same thing.
While the article is written for Windows 2000, it also applies to
XP. If you use this approach make sure that in step 10 you change
the settings to Disabled and not to the default "Not Configured".

http://support.microsoft.com/default.aspx?scid=kb;en-us;293655

Keep in mind that both of these attempts to manipulate the local
security policy will only affect the User Configuration settings.
Computer configurations will still be applied regardless of group
membership. I'd suggest testing both of these approaches while
making only minor changes to the GPO. Once you're familiar with
the procedure and confident that you won't lock yourself out of
reversing the changes then go ahead and test the final setup.

Good luck
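
The Deny Read toggle described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell has been installed on the XP machine, an administrator session, and that the Administrators group owns the folder (so it can still read and change the permissions while the Deny is in place); the script name and the `$Mode` values are made up for this example.

```powershell
# Added example, not from the thread. Run from an administrator session.
#   .\Set-GpoAdminDeny.ps1 Edit    -> drop the Deny before opening gpedit.msc
#   .\Set-GpoAdminDeny.ps1 Exempt  -> restore the Deny afterwards
#   .\Set-GpoAdminDeny.ps1         -> report only
param([string]$Mode = 'Status')

# On disk the folder name has no space: GroupPolicy.
$Path = Join-Path $env:SystemRoot 'System32\GroupPolicy'
# Well-known SID of BUILTIN\Administrators (independent of localized names).
$Admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

$Fsr  = [System.Security.AccessControl.FileSystemRights]
$Deny = [System.Security.AccessControl.AccessControlType]::Deny
# Deny Read only, inherited by subfolders and files. Never Deny FullControl.
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins, $Fsr::Read, 'ContainerInherit, ObjectInherit', 'None', $Deny)

$acl = Get-Acl -Path $Path
switch ($Mode) {
    'Exempt' { $acl.AddAccessRule($Rule);          Set-Acl -Path $Path -AclObject $acl }
    'Edit'   { [void]$acl.RemoveAccessRule($Rule); Set-Acl -Path $Path -AclObject $acl }
    'Status' { }
    default  { throw "Unknown mode '$Mode' (use Status, Exempt or Edit)" }
}

# Report the explicit Deny entries for Administrators and flag anything
# broader than Read, which could block resetting the policy later.
$allowed = [int]$Fsr::Read -bor [int]$Fsr::Synchronize
$rules = (Get-Acl -Path $Path).GetAccessRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier])
$found = $false
foreach ($r in $rules) {
    if ($r.IdentityReference.Value -ne $Admins.Value) { continue }
    if ($r.AccessControlType -ne $Deny) { continue }
    $found = $true
    $extra = [int]$r.FileSystemRights -band (-bnot $allowed)
    if ($extra) {
        Write-Warning "Deny is broader than Read: $($r.FileSystemRights)"
    } else {
        Write-Host 'Deny Read present: Administrators skip User Configuration policy.'
    }
}
if (-not $found) {
    Write-Host 'No Deny entry: User Configuration policy applies to Administrators.'
}
```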
 
