Windows 2000 User Settings

Bill

95% finished setting up my new Windows 2000 computer, all from the Administrator
account. For safety's sake, I want my main daily work user account to not be able to
install programs, so I created user "Bill".

Of course, when I log into that "Bill" account, it doesn't have the desktop, startup
programs, etc. of the Administrator account.

How can I set up a Windows 2000 user account that has the same startup and desktop
settings as my Administrator account?

Thanks!
 
John John

Copy the Administrator user profile to user Bill. Search the Windows
Help files for "User Profiles" for more information.

Tip: You must have administrative privileges to copy profiles. You
cannot copy or delete a user profile that belongs to the currently
logged on user or any user whose profile is in use. Create a second
Administrator account, then, when logged on to the second Administrator,
copy the profile from the other Administrator account to Bill's account.

John
 
Stubby

In D&S there is a hidden profile named "default". This is copied to
each new user you create. You can also put things in "All Users".
These will appear in addition to what is in each user's private Profile.
Specifically, the Desktop is one file in a profile.
 
Bill

Thanks to both of you!

Can you comment on my strategy - that my main daily, working account cannot install
programs?

I'm very new to Windows 2000, and I want to set this laptop up for maximum stability.
How do you guys set up your Windows 2000 computers? How many, and what types, of user
profiles do you set up?

Bill.
 
John John

If you restrict your privileges too much you will soon tire of the
constraints imposed by having a low permissions account. To make
matters worse some of the poorly designed software might not run too
well if you don't have elevated permissions. I certainly wouldn't want
to use a "personal" computer with any less than a Power User account.
Computers in corporate environments are a different matter, most users
should be kept to the lowest privileges possible. The information here
should answer some of your questions:

Default Access Control Settings in Windows 2000
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx

Don't forget to disable the Guest account, it's an unnecessary security
risk.
 
John John

Policy? Do you mean Group Policy objects (GPO)? Unless you intend to
have multiple users on the laptop or just want to "tinker" you don't
need to use GPOs. Otherwise, the information is in the link I provided
earlier, from that article:

Administrators are all-powerful. The default Windows 2000 security
settings do not restrict administrative access to any registry or file
system object. Administrators can perform any and all functions
supported by the operating system. Any right that the administrator does
not have by default, they can grant to themselves.

Ideally, administrative access to the system should only be needed to:

• Install the operating system and components (including drivers for
hardware, system services, and so forth).

• Install Service Packs and hotfixes.

• Install Windows updates.

• Upgrade the operating system.

• Repair the operating system.

• Configure critical machine-wide operating system parameters, for
example, kernel mode driver configuration, password policy, access
control, and audit functions.

In practice, administrative accounts must often be used to install and
run legacy Windows-based applications.

and:

Power Users are ranked between Administrators and Users in terms of
system access. The default Windows 2000 security settings for Power
Users are backward-compatible with the default security settings for
Users in the Windows NT® 4.0 operating system. In short, Power Users are
indeed powerful.

Ideally, Power Users should be able to perform any task except for the
administrative tasks described above. Thus, Power Users should be able to:

• Install and remove applications per computer that do not install
system services.

• Customize system-wide resources (for example, System Time, Display
Settings, Shares, Power Configuration, Printers, and so forth).

In practice, Power Users cannot install many legacy applications,
because these applications attempt to replace operating system files
during the setup process.

If you are concerned about ActiveX controls and security there is one
program that you should just avoid using and most of your ActiveX
security concerns will be taken care of.

John
 
Bill

John John said:
Policy? Do you mean Group Policy objects (GPO)? Unless you intend to
have multiple users on the laptop or just want to "tinker" you don't
need to use GPOs. Otherwise, the information is in the link I provided
earlier, from that article:

I don't know - I'm just referring to Administrators' ability to install programs, and
modify the OS. I'm assuming that this is a setting someplace? What, exactly, is "act as
part of the operating system"?

I don't want to be logged in as an Administrator during my daily work because I don't
want a glitch to overwrite OS components and drivers, or try to modify programs. This
can also restrict the damage a virus or spyware can do.

Bill
 
John John

Bill said:
...

I don't know - I'm just referring to Administrators' ability to install programs, and
modify the OS. I'm assuming that this is a setting someplace? What, exactly, is "act as
part of the operating system"?

I don't want to be logged in as an Administrator during my daily work because I don't
want a glitch to overwrite OS components and drivers, or try to modify programs. This
can also restrict the damage a virus or spyware can do.

Hi Bill;

Administrators have all powers. If an Administrator finds out he can't
do something because a policy or other prevents it, he can simply remove
the policy or grant himself the necessary powers. You can create as
many user accounts as you need and as many types of accounts as you
need. Your security concerns regarding running the computer as an
Administrator for your day to day activities are valid concerns. Try
using a Power User account, it provides a good balance of power needs
without opening the computer right up to potential threats. You can
change the user group membership in the Control Panel Users and
Passwords or Right Click on My Computer and select Manage | Local Users
and Groups to define permissions and group membership.

John
 
Bill

John John said:
Hi Bill;

Administrators have all powers. If an Administrator finds out he can't
do something because a policy or other prevents it, he can simply remove
the policy or grant himself the necessary powers. You can create as
many user accounts as you need and as many types of accounts as you
need. Your security concerns regarding running the computer as an
Administrator for your day to day activities are valid concerns. Try
using a Power User account, it provides a good balance of power needs
without opening the computer right up to potential threats. You can
change the user group membership in the Control Panel Users and
Passwords or Right Click on My Computer and select Manage | Local Users
and Groups to define permissions and group membership.

John

Look I understand all this, but that's still not coming close to answering my question.
Let me state it plainly:

What is the privilege/policy/permission/whatever that grants someone the ability to
install programs?

And, let me restate this again:
What, exactly, does "act as part of the operating system" mean?

Bill.
 
John John

Bill said:
What is the privilege/policy/permission/whatever that grants someone the ability to
install programs?

As far as I know in Windows 2000 there is no guaranteed way to prevent
users from installing programs. You can set Group Policy restrictions
on the Windows Installer Service:
(Computer Configuration\Administrative Templates\Windows
Components\Windows Installer)

The default security permissions for Administrators/Power Users/Users
are defined through a combination of NTFS Permissions as well as
predefined security templates and the secedit.sdb file. To access and
analyze these items run mmc in the Start Menu > Run dialogue box.
Click on the Console Menu (at the very top) and select Add/Remove
Snap-in... Click on the "Add..." button and select the desired Snap-in.
You'll want the Group Policy Snap-in. The Security Configuration and
Analysis Snap-in can also be useful to identify policies in place on the
computer.

Bill said:
What, exactly, does "act as part of the operating system" mean?

It means exactly what it says, the user will not be restricted by
security permissions and will be allowed to interact directly with the
Windows Executive files, it's almost the same as the System Account.
Granting this permission can be extremely dangerous as it can
potentially allow rogue processes and malware to bypass all security
settings and gain direct access to the Windows kernel and be seen as a
trusted component of the operating system.

John
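
Added example (not part of the thread, and not code from any poster): the "act as part of the operating system" right discussed above is stored in security templates as `SeTcbPrivilege` under `[Privilege Rights]`, so a template exported with secedit can be checked for accounts that hold it. The sample template, the `ALLOWED` policy and the function names are constructed for illustration.

```python
# Constructed sample of a security template; real exports contain more sections.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = Bill,*S-1-5-32-547
SeDebugPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

# Well-known built-in group SIDs, which templates write with a leading '*'.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
}

# Assumed policy: who may hold each right. Nobody should need SeTcbPrivilege.
ALLOWED = {"SeTcbPrivilege": set(), "SeDebugPrivilege": {"Administrators"}}

def parse_privilege_rights(text):
    """Return {right: [holders]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(h, h) for h in holders]
    return rights

def audit(text, allowed=ALLOWED):
    """List (right, holder) pairs that the assumed policy does not permit."""
    rights = parse_privilege_rights(text)
    return [(right, holder)
            for right, permitted in allowed.items()
            for holder in rights.get(right, [])
            if holder not in permitted]

if __name__ == "__main__":
    for right, holder in audit(SAMPLE_INF):
        print(f"{right} is granted to {holder}")
```

Exported templates are usually written as UTF-16, so open a real file with that encoding before passing its text to `audit`.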
 
