WinXP SP3 - Local Security Policy

[lmg]

We have a stand alone machine running windows XP SP3 which is used for
customers to access the internet. We would like the local administrator to
have full access to the machine but when the customer logs on we would like
to impose restrictions i.e eliminate access to control panel etc. Is it
possible to apply different local security policies to different users on a
stand alone machine? If so, could you point me in the right direction. Regards

 

[Doug Knox - [MS-MVP]]

Yes, but it takes a bit of work to do it with the usual work arounds.
Written for Win2K, but applies to XP as well:

http://technet2.microsoft.com/Windo...621f-4537-b311-1307df0105611033.mspx?mfr=true

Alternatively, see www.dougknox.com, Win XP Utilities, Windows XP Security
Console. This utility will allow you to apply many of the per-user
restrictions on a per-user basis.

 

[Dennis Dow]

We have a stand alone machine running windows XP SP3 which is used for
customers to access the internet. We would like the local administrator to
have full access to the machine but when the customer logs on we would like
to impose restrictions i.e eliminate access to control panel etc. Is it
possible to apply different local security policies to different users on a
stand alone machine? If so, could you point me in the right direction. Regards

I would suggest an alternative. Look at Microsoft's Steady State. It's
intended for the situation you describe and is much more robust. You
can set it up so visitors can browse all they wish, but can't alter the
core system. Administrators can sign on, do monthly updates, then lock
the system back down.

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

Just a thought.
Dennis

 

[David Shen [MSFT]]

Dear Customer,

Thank you for posting in newsgroup. And thanks to all the members for the
contribution.

According to the description, you want to apply different local security
policies to different users on a Windows XP SP3 standalone machine. If I
have any misunderstanding, please feel free to let me know.

Based on the research, here is some information which may be helpful for
you.

Analysis and Suggestions:
=======================

When you use a Windows XP SP3 computer in a workgroup setting, you may have
to implement local policies on that computer that can apply to all users of
that computer, but not to administrators.

To implement local policies to all users except administrators, please
follow the steps:

1. Log on to the computer as an administrator.

2. Open your local security policy. To do this, do one of the following:

Click Start, click Run, type gpedit.msc, and then press ENTER.

3. Expand the User Configuration object, and then expand the Administrative
Templates object.

4. Enable whatever policies that you want (for example: "user
configuration\Administrative Templates\Control Panel\Prohibit access to the
Control Panel").

5. Close the Gpedit.msc Group Policy snap-in. Or, if you use MMC, save the
console as an icon to make it accessible later, and then log off the
computer.

6. Log on to the computer as an administrator.

You can verify in this logon session the policy changes that were made
earlier, because, by default, the local policies apply to all users, which
includes administrators.

7. Log off the computer, and then log on to the computer as all of the
other users for this computer for whom you want these policies to apply.
The policies are implemented for all of these users and the administrator.

Please note: Any user account that is not logged on to the computer at this
step cannot have the policies implemented for that account.

8. Log on to the computer as an administrator.

9. Click Start, point to Control Panel, and then click Folder Options.
Click the View tab, click Show Hidden Files and Folders, and then click OK
so that you can view the Group Policy hidden folder. Or, open Windows
Explorer, click Tools, and then click Folder Options to view these
settings.

10. Copy the Registry.pol file that is located in the
%Systemroot%\System32\GroupPolicy\User folder to a backup location (for
example, to a different hard disk, floppy disk, or folder).

11. Open your local policy again by using either the Gpedit.msc Group
Policy snap-in or your MMC icon, and then enable the exact features that
were disabled in the original policy that was created for that computer.

Please note: When you do this, Policy Editor creates a new Registry.pol
file.

12. Close your policy editor, and then copy the backup Registry.pol file
that you created in step 10 back into the
%Systemroot%\System32\GroupPolicy\User folder.

When you are prompted to replace the existing file, click Yes.

13. Log off the computer, and then log on as an administrator.

You can verify that the changes that were originally made are not
implemented for you because you have logged on to the computer as an
administrator.

14. Log off the computer, and then log on as another user (or users).

You can verify that the changes that were originally made are implemented
for you because you have logged on to the computer as a user (not an
administrator) to that computer.

15. Log on to the computer as an administrator to verify that the local
policy does not affect you as the local administrator to that computer.

Hope it helps.

David Shen
Microsoft Online Partner Support

 

[David Shen [MSFT]]

Dear Customer,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know. I am glad to be of assistance.

David Shen
Microsoft Online Partner Support

 

[lmg]

Sorry for the delay in getting back to you - All now sorted.

Many thanks for everybodies help.

Regards

 

[David Shen [MSFT]]

Dear Customer,

I am glad that the issue has been resolved. If you have other question,
please welcome to the newsgroup again.

Have a good day.

David Shen
Microsoft Online Partner Support