User rights assignment in XP Pro


Simon Pleasants

I am trying to assign different levels of privilege to different
users on a Windows XP Pro machine. Unfortunately the only account
types are administrator or limited. There are no further options in the
users section of the control panel.

Limited accounts are utterly useless but admin accounts too powerful.
I am quite comfortable editing local security policy settings to
customise my own policy settings for each user group, and I am quite
comfortable using the management console to assign different users
membership of different groups. Unfortunately, XP does not recognise
the assignment of user groups and treats everyone less than an
administrator account as a (useless) limited user (even if they have
been added to the Power User group, amongst others).

On my Win2k Pro machine the assignment of policies is very accessible
and very easy - and it works.

What do I have to do to get XP to properly recognise the user groups
to which users are assigned and accord them the correct access and
control rights (in the same way as 2k or through the computer
management console)?

The machine in question is running XP Pro SP1 and is currently a stand
alone machine, but will be the central unit on a wireless network by
the end of this very week. The machines will all be members of a
common workgroup.

In addition I look after two small groups of networked computers in
common workgroups for a small charity. Currently all users have full
administrative rights on the networked machines. I am very
uncomfortable about this and would like to implement limitations as a
matter of some urgency. Any help very much appreciated.

Thanks
Simon
 
I am having similar problems. Not sure if this answer helps you but I know that
you can add various system rights to users and groups using the Local Security
Policy console. This is located under Programs...Administrative Tools...Local
Security Policy. You can add specific rights to a user or group that are not
default without necessarily making users administrators on a machine. Create
a new group, add your user to that group and then assign rights to that new
group using the Local Security Policy console.

Thanks for the response. I have already tried this approach in full.
I am not too worried about, for example, changing the rights of an
individual user group at this stage (although I do know how to do it
should I want to). The problem is more the user groups to which the
users belong.

For example, all users are currently administrators. I want to demote
a specific user to a power user. How do I do it? Simple, in the
computer management console (Control Panel, Admin tools) I select the
user (under "users"), select "properties", the "member of" groups tab,
delete administrators from the list and add power users to it instead.
If you want to check it has worked, go to the groups option and check
the users listed as members in the properties of the power users
group. If the user you just added is listed there, it has worked.

The problem I have, is that XP is ignoring all user groups except
administrator and limited user. Since power users are not
administrators they are treated as limited users, rendering the
account useless. The only alternative I have at present is to set
them back to administrator and this is not acceptable under the
circumstances.

In short, I KNOW how to edit which users belong to which groups, and
even which groups can do what, but I cannot get Windows to recognise
anything except the limited users and administrators. Why not?

By any chance would you know how to give users rights to manage system processes
(suspend, kill, enable) without adding a user to the administrator group?

You could create a new group and allocate it the ability to do this
using the local security policy console. You can then assign the
user(s) you want to have this power to have membership of that group
(and cross check it by checking the user account seeing what groups it
is listed as being a member of).

Or so goes the theory - but since I can't get the damn thing to work
at all, it may be that you can't believe a word I said! It would work
in Win2k anyway!

Cheers
Simon
 
Greetings --

So why not use the MMC to get true control of the user accounts?
Right-click My Computer and select Manage.

Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 
Greetings --

That's because any user who is not an administrator _is_ limited.

Bruce Chambers
 
Greetings --

So why not use the MMC to get true control of the user accounts?
Right-click My Computer and select Manage.

Bruce Chambers

This is exactly what I HAVE been using. Perhaps I am not making
myself clear so I will try to be very specific.

e.g. Fred is an office worker. He needs to be able to use all
standard items of office software, create and manage the relevant
files and alter those created by other users of the machine. He does
not need to be able to open administrator controls, change other
peoples' passwords, remove programs etc.

1. I right click on my computer and select "manage", opening the
management console.
2. I right click on "users" and select "new user". I fill in Fred's
particulars, set his password and click create.
3. I go to Fred's name in the user list, click on the "members of"
tab and see that Fred is only a member of the "users" group. I click
"add" and type in "Power Users". I click "check names", and it brings
up "IT1\Power Users" (IT1 being the machine name). I click "okay".
Now it says Fred is a member of "Power Users".
4. I go to "Groups". I right click "power users" and it lists Fred
as a member of this group.
5. Fred tries to use his account, but it does not give him the rights
of a power user, it restricts him to things that only limited users
can do, and this makes it impossible for him to use the computer as
he needs.

What have I done wrong? In NT and 2k this would have worked. In XP
Pro it does not. It does not matter what groups I assign Fred or his
colleagues to, they are ALL treated as limited users. How do I get
the computer to honour the rights that Fred SHOULD have as a power
user?
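
A command-line equivalent of steps 3 and 4 in the post above, as an added example that is not part of the original thread: it moves an existing local account from Administrators to Power Users with `net localgroup` and then checks both group listings. The script name `demote.cmd` and the account name passed to it are assumptions.

```bat
@echo off
rem Added example: move a local account from Administrators to Power Users
rem and confirm the result. Run from an administrator command prompt.
rem Usage: demote.cmd Fred      (script name is an assumption)
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 username
    exit /b 2
)
set "ACCT=%~1"

rem Stop if the account does not exist on this machine.
net user "%ACCT%" >nul 2>&1
if errorlevel 1 (
    echo Account "%ACCT%" not found on this machine.
    exit /b 1
)

rem Add to Power Users before removing from Administrators.
rem Both commands return an error when there is nothing to change,
rem so the checks below, not these exit codes, decide the outcome.
net localgroup "Power Users" "%ACCT%" /add >nul 2>&1
net localgroup Administrators "%ACCT%" /delete >nul 2>&1

rem Match the account name as a whole line of the member list.
net localgroup "Power Users" | findstr /i /r /c:"^%ACCT% *$" >nul
if errorlevel 1 (
    echo %ACCT% is NOT listed in Power Users.
    exit /b 1
)
net localgroup Administrators | findstr /i /r /c:"^%ACCT% *$" >nul
if not errorlevel 1 (
    echo %ACCT% is still listed in Administrators.
    exit /b 1
)

rem Group membership is read when the account logs on, so test the
rem account from a fresh logon rather than an existing session.
echo %ACCT% is in Power Users and not in Administrators.
```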
 