|
|
1
22nd October 10:10
External User
Posts: 1
|
Stand-alone (non-networked) computer - restrict one account but not another
I've got a stand-alone (non-networked) Windows 2000 Pro machine with
only two accounts - one Administrator (with a password) and one User (no password). Windows is set to auto-login to the User account at boot up. I want to lock down the User account to disable stuff like the Control Panel, Display settings, Taskbar settings, etc. However, I want to leave these things enabled when logged in under the Administrator account. Using the Group Policy editor, I can disable what I want but it affects both accounts. How can I selectively apply the Group Policy settings to only the User account? TIA -- Tim Rude timrude@NOSPAM.hotmail.com (remove NOSPAM. for correct email address) |
|
|
SPONSORED LINKS BY GOOGLE |
|
2
22nd October 10:10
External User
Posts: 1
|
Stand-alone (non-networked) computer - restrict one account but not another
Hi Tim
There's no supported method for achieving this. That said, you can edit the policy when logged in as an admin and then deny the admin read permissions on %windir%\system32\GroupPolicy. When the admin logs in, the local policy won't apply to them because they can't read it. When the user logs in, they will still get the policy. The catch here is that once read permissions are denied for the admin, the admin can't edit the policy any more. You have to add read permissions back to be able to edit. The danger is then that the policy may apply while you're in the middle of editing and depending on the settings, the admin account may be restricted to a point where they can no longer function. As I said, this is NOT supported. You stand a good chance of getting yourself into trouble and having to flatten the machine. -- Kind regards -- Mark Renoden [MSFT] Windows Platform Support Team Email: markreno@online.microsoft.com Please note you'll need to strip ".online" from my email address to email me; I'll post a response back to the group. This posting is provided "AS IS" with no warranties, and confers no rights. |
|
|
|
3
22nd October 10:10
External User
Posts: 1
|
Stand-alone (non-networked) computer - restrict one account but not another
Thanks Mark. I appreciate the idea (and the warning). I've tried it and
it seems to work pretty well. I dropped shortcuts to a couple of .cmd files on the Admin desktop that apply/remove the read permissions (using CACLS) as well as a shortcut to gpedit.msc. That way I've hopefully got a way back in if I let the door slam on myself. So far it's working pretty good. I'm being careful not to enable any policies that would totally shut me down. -- Tim Rude timrude@NOSPAM.hotmail.com (remove NOSPAM. for correct email address) to |
|
|
|
SPONSORED LINKS BY GOOGLE |
|
|
Linear Mode
