
Setting permissions on Win XP pro


acesea

Member
Joined
Jul 3, 2002
Location
chicago, IL
I've got a small problem I haven't been able to figure out after searching all over the net; hopefully someone here has dealt with this already. I've got a couple PCs that are used by employees at an office and I would like to make certain restrictions. Specifically, all I would like to change is that the account is capable of everything that the admin can do, just that this account is not allowed to install/uninstall programs. Changing the user account type from Admin to Limited doesn't cut it since the limited account doesn't allow certain applications to run that need access to certain resources etc. I've looked all over in the Administrative Tools>Computer Management and haven't been able to find the place to make this small change; that is, if it is at all possible.
Hopefully this is doable. Thanks for the help.
 
Go START>MY COMPUTER>MANAGE>LOCAL USERS AND GROUPS>USERS>Select the user you would like to change>PROPERTIES>MEMBER OF>then add or remove the user group that you would like them to be in.
I have my son and wife set up as power users. I hope this helps you out.
 
As a power user what are some of their restrictions in Windows?
The Power User class can perform any task except for those reserved for Administrators. They're allowed to carry out functions that will not directly affect the OS or risk security. All domain accounts are part of the Power Users group on public XP computers.

Power Users Can...

1. Create local user accounts
2. Modify user accounts which they've created
3. Change user permissions on users, power users, and guests
4. Install and run applications that don't affect the OS
5. Customize settings and resources on the Control Panel, such as Printers, Date/Time, and Power Options
6. Do anything a User can

Power Users Cannot...

1. Access other users' data without permission
2. Delete or modify user accounts they didn't create :)
 
Thanks for the info redduc900. So as you stated, power users CAN install software. That's the one thing that I would like to restrict. Does anyone know how to specifically change that in, say, the registry or when creating a security template? Moreover, is there any way to simply restrict installs?
 
How about just a Users group? Users can perform common tasks, but have little power to affect the computer outside of their own account.

Users Can...

1. Create, modify, and delete their own data files
2. Run system-wide or personally installed applications
3. Change their personal settings
4. Install programs for their own use only
5. Access the network
6. Print to local or networked printers
7. Do anything a Guest can

Users Cannot...

1. Modify system-wide settings, OS files, or program files
2. Affect other users' data or desktop settings
3. Install applications that can be run by other users
4. Add printers
5. Configure the system for file sharing

...of course they wouldn't have admin privileges, as you'd like. I'll do some research, and see if just restricting the ability to install/uninstall programs is possible. I can tell you how to specify applications and filenames that users are restricted from running.

Open your Registry (Start | Run | Type regedit and click OK) | Expand the following branch...

HKEY_CURRENT_USER | Software | Microsoft | Windows | CurrentVersion | Policies | Explorer

Create a new DWORD value and name it DisallowRun. Set the value to 1 to enable application restrictions or 0 to allow all applications to run. Then create a new sub-key called...

DisallowRun

Highlight this key, then in the right pane, right click and select New-->String value. Give it "1" for the name, without the quotes. Double click this new value and enter the actual file name of the executable you wish to restrict this user from running...example: calc.exe (this prevents this user from running Calculator). They'll get a "This operation has been cancelled" message when they try. I would imagine this would also work in conjunction with limiting the ability of a user from actually installing a program.

For additional entries, just give the "values" names in numerical order...1, 2, 3, 4 and so on, and define the applications that are to be restricted. Create a new string value for each application, named as consecutive numbers, and set the value to the filename to be restricted (e.g. "regedit.exe").
 
redduc900, thanks a lot for the info. Now that I'm thinking about it, maybe there's a way to not allow the user to run the exe that is executed for installs and uninstalls. Mm, maybe not, but I'll look around. Thanks for the help.
 
I went and pulled these

Are in: run | gpedit.msc

User Configuration\Administrative Templates\Windows Components\Windows Installer—configure--Search Order

"Specifies the order in which Windows Installer searches for installation files.
By default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
To change the search order, enable the policy, and then type the letters representing each file source in the order that you want Windows Installer to search:
-- "n" represents the network;
-- "m" represents media;
-- "u" represents URL, or the Internet.
To exclude a file source, omit or delete the letter representing that source type."



User Configuration\Administrative Templates\Windows Components\Windows Installer—configure--Disable Media Sources for any install

“Prevents users from installing programs from removable media.
If a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears, stating that the feature cannot be found.
This policy applies even when the installation is running in the user's security context.”



User Configuration\Administrative Templates\Control Panel\Add/Remove Programs\Disable Add Remove Programs—configure -- Hide Add New Programs page

“Removes the Add New Programs button from the Add/Remove Programs bar. As a result, users cannot view or change the attached page.
The Add New Programs button lets users install programs published or assigned by a system administrator.”



User Configuration\Administrative Templates\Control Panel\Add/Remove Programs\Disable Add Remove Programs—configure -- Disable Add Remove Programs

"Prevents users from using Add/Remove Programs.
This policy removes Add/Remove Programs from Control Panel and removes the Add/Remove Programs item from menus.
Add/Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 and a wide variety of Windows programs. Programs published or assigned to the user appear in Add/Remove Programs.
If you disable this policy or do not configure it, Add/Remove Programs is available to all users.
When enabled, this policy takes precedence over the other policies in this folder.
This policy does not prevent users from using other tools and methods to install or uninstall programs."




User Configuration\Administrative Templates\Windows Components\Windows Update—configure—Remove access to use all windows update features

“This setting allows you to remove access to Windows update.
If you enable this setting, all Windows Update features will be removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com and from the Windows Update hyperlink on the Start menu and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.”



User Configuration\Administrative Templates\system—configure—disable the command prompt

“Prevents users from running the interactive command prompt, Cmd.exe. This policy also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy and the user tries to open a command window, the system displays a message explaining that a policy prevents the action.
Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.”



User Configuration\Administrative Templates\Start Menu and Task Bar—configure—Remove Run Menu from the Start Menu


“Removes the Run command from the Start menu and removes the New Task (Run) command from Task Manager. Also, users with extended keyboards can no longer display the Run dialog box by pressing Application key (the key with the Windows logo) + R.
This policy affects the specified interface only. It does not prevent users from using other methods to run programs.”



I think if you lock all these you will have what you want. If you want to be more specific, I could perhaps help more.

Hope this helps
 
turd, that was very informative. When I have a moment I will definitely give this a try. However, at the moment I simply glanced over this, and most of the restrictions for installations that I saw were the removable drives. Can you think of any way to stop any other types of installs? Removable media won't cut it - see, most of the apps that employees have been installing are downloads from the net.
 
Well, you could easily disable them from doing any internet downloading, but I don't know if that is your intent.

If you are talking IE components or patches let me know, cause that is different.

I think if you apply all those tweaks I listed above AND this final one u should be there

RUN | gpedit.msc

User Configuration\Administrative Templates\System\Don't run specified Windows applications

enable it then hit add

and add: setup.exe
install.exe


All that won't leave them much room, but if you were more specific we could really nail them.
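
An added example, not part of any post in this thread: the registry steps redduc900 describes and the "Don't run specified Windows applications" policy above both end up as the `DisallowRun` DWORD plus a numbered list under the Explorer policies key, so the list can be kept as a reviewable `.reg` file instead of being typed in by hand. The Python below builds that file and reads it back for an audit; the function names are hypothetical and the sample names are constructed from the ones mentioned in the thread.

```python
import re

POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")
# Bare file name only (no drive, path or wildcard), as the post describes.
_NAME_RE = re.compile(r'^[^\\/:*?"<>|]+\.[A-Za-z0-9]+$')


def normalize_blocklist(names):
    """Validate, lower-case and de-duplicate names, keeping first-seen order."""
    seen, result = set(), []
    for raw in names:
        name = raw.strip().lower()
        if not _NAME_RE.match(name):
            raise ValueError(f"not a bare executable file name: {raw!r}")
        if name not in seen:
            seen.add(name)
            result.append(name)
    return result


def build_disallowrun_reg(names, enabled=True):
    """Return .reg text that sets the DisallowRun DWORD and its numbered list."""
    entries = normalize_blocklist(names)
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"DisallowRun"=dword:{1 if enabled else 0:08x}',
        "",
        # A leading "-" deletes the sub-key first so stale entries do not survive.
        f"[-{POLICY_KEY}\\DisallowRun]",
        "",
        f"[{POLICY_KEY}\\DisallowRun]",
    ]
    lines += [f'"{i}"="{name}"' for i, name in enumerate(entries, start=1)]
    return "\r\n".join(lines) + "\r\n"


def parse_disallowrun_reg(text):
    """Read the text back for an audit: (enabled, [blocked names])."""
    enabled = re.search(r'^"DisallowRun"=dword:0*1\s*$', text, re.M) is not None
    blocked = re.findall(r'^"\d+"="([^"]+)"\s*$', text, re.M)
    return enabled, blocked


if __name__ == "__main__":
    # Constructed sample list: the two names from the thread plus calc.exe.
    print(build_disallowrun_reg(["setup.exe", "install.exe", "calc.exe"]))
```

Because the key is under HKEY_CURRENT_USER, the setting is per user and has to land in the registry hive of the account being restricted.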
 