XP Specific Program Access for Limited User Accounts

  • Thread starter Thread starter Vaughn
  • Start date Start date
V

Vaughn

Our small business has XP Pro, and I want to allow our
receptionist (for whom I've created a limited account) to
run Quickbooks, IE, Office and other current programs,
but I don't want her to be able to install new software.
How do i allow a limited user account in XP access to a
specific programs?
 
The most direct way to do this for a small number of
machines is by control with the NTFS permissions on
the files needed to run the application.
For example, one of these apps installed to
c:\program files\software vendor\app name
In the default the Users group has read/execute on this.
You only want specific accounts to use this so you
define a custom group, app-users for example, and
place as members of app-users those account that
should have the ability to run the app. Then, on the
folder of the app in Program Files you replace the
Users group with the app-users group.
If there are many machines, then you might wish to
look at using software restriction policy if GPOs in
your Active Directory.
Either way it is less confusing for the accounts that do
not have access if they do not even have shortcuts for
the apps they cannot run. To adjust this you need to
remove the start menu program items and if present
items in \desktop from the All Users profile after having
copied them to the individual profiles that should have
access.
 
I believe that I have omitted part of your inquery.
A limited account cannot install software that has an
installer that writes to the registry and installs for all
accounts. It can however install software that does
not use much except file copy. This last type of install
really cannot be prevented if the account has write access
anywhere (which it will if it is a useful account).
You can use group policy to advertise or assign applications
to specific account, and also to control what specific account
can execute. This last use of software restriction policy is
really the only way to prevent a limited user from, not installing,
but from having any use of what they installed (making their
installing useless in those cases where write access does allow
for simple installs.)
 
Back
Top