Can you further limit a Limited User Account?

By billyellis ยท 20 replies
Mar 20, 2008
  1. Hi there,

    I need to add a user account for someone that I do not trust at all (don't ask).

    The standard Limited User Account, however, states only that the limited user "cannot always install programs" - not that they can not install any programs at all.

    Is there any way to restrict a user account so that the user can not install ANY software?? I really don't want keyloggers, etc. being installed without my knowledge. I also would like to prevent this user from using IE and force them to use FF instead - is that possible?

    Is there any way to get more specific about permissions than the simple choice between a limited and administrator account types??

    Thanks. :)
  2. As a default XP/2K are setup to pretty much allow everything, there is a usergroup called "Everyone" that can pretty much access anything, this is not as secure as properly authenticated user groups. You have to redefine a whole new set of permissions in order to change this.

    The best way to ensure that a user can never execute IE is to place them in a usergroup that can only access certain areas and make sure that IE is not one of these.

    If you have 2k or XP Pro you should be able to do this quite easily and MS's knowledgebase contains such info, for XP home you're going to find it more difficult, if not impossible to do due to restrictions on that OS. I'm not sure about Vista but I believe that Basic and Business have the same sort fo differences, so if you have Business then it should be do-able but if you're lumbered with Basic then maybe not, but I'm not sure on that one.
  3. jobeard

    jobeard TS Ambassador Posts: 11,138   +985

    basic concept is GPO software restriction(s) but you need XP/PRO

    here's the outline

    see specifically table 5,6

    By moving userid 'joey untrusted' into the Everyone group, you would have
    less impact and direct control

    Lastly you may like to control the installer (msi) and InstallShield.
  4. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    Crap. I am stuck with XP Home. Sounds like there is not much I can do?
  5. jobeard

    jobeard TS Ambassador Posts: 11,138   +985

    Joe User can only install in his profile area, eg:
    \documents & settings\joe user\*HERE*

    running as an LUA account, the system is safe and anything joe-user on 'contract'
    will not effect any other user nor the system
    even keyloggers (they can run and if they do, only joe-user is exposed).

    1- make sure you have at least a 15 character password for the Admin account
    2- boot into Safe Mode and protect the hidden Account
    login as the Administrator ; cp-> User Accounts->change Administrator -> change or add password (again 15 character or more) ​

    get a copy of Spybot S&D
    Install it in YOUR private area (requires Admin account)

    Periodically use Mode->advanced
    and monitor programs running at startup time

    and you can scan for issues via Settings
  6. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    Cool. Thanks for the advice.

    One other question - is there any way, short of encrypting files/folders (which I don't want to do because I have had problems with this before) to prevent a limited user from opening files/folders outside of the ones they themselves create?

    Specifically, I have a lot of work in the 'processing' stage. A limited user can not delete or change files that are not theirs, but I created such an account and logged in and was able to open and read just about any file I wanted to. Is there any way other than encrypting most of the hard drive to prevent other users from reading my files??

    Is there some way to enable the "Make this folder private" option under the Folder Properties-Sharing tab for hard drive folders. I don't want to move all folders into my User Profile, but it would be nice if the OS let me make a similar choice for other folders.

    Years ago on another computer I remember being able to adjust permissions for folders (e.g., read,write,modify, etc.), and that was before XP, so I am surprised that I can not find an easy way to control this now. The only current reference I can find in the Help is for "Tasks" (whatever those are?).

    Any way to control view access to files on a shared (XP Home) computer??

  7. jobeard

    jobeard TS Ambassador Posts: 11,138   +985

    Very dangerous too. You must have a recovery agent (google for it)
    or if you change your login password, you lose the encryption key!!
    1- always create private data in your own profile area \documents & settings\your-login\ not outside it
    2- there's an option Make Data Private when creating a New User ID,

    I believe you could use an ACL to force R/W to OWNER and exclude READ to everyone else.

    the program is cacls but make sure you read-up before you start.

    the alternative (using a GUI) is to
    1- boot Safe Mode
    2- login as Admin
    3- find the folder, right click->properties
    4- Security tab​

    now (a) take ownership (as admin)
    then add user (your login) and give full control

    make sure you check both boxes on the bottom of the diaglog so as to
    replace all permissions on all the child objects.
    do not change permissions for the Everyone group!

    AGAIN:- read-up on XP Take Ownership
  8. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    Thanks! Looks like I have some reading to do. :grinthumb
  9. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    OK, I have a follow-up question.

    First I wanted to set up a (very) limited user account.

    Once that is done, how do I limit installed programs so that they only run from that account???

    Specifically, software for a webcam and the internet program (e.g., Windows Live Messenger) that uses it - neither will let me install from the limited account. But I don't want these programs installed on my administrator account, starting up a bunch of crap that I don't want running all the time and posing unknown security risks.

    Is there a way, as the administrator, to install software but then adjust settings/permissions to determine which users may run these programs (and block other accounts - including the admin account - from running them)??

  10. jobeard

    jobeard TS Ambassador Posts: 11,138   +985

    create a folder like
    \Documents and Settings\limited-user-id\Program Files​
    Better documentation shows
    Windows XP builds the Start menu for a user based on program shortcuts that are stored by default in two locations:
    1. The \Documents and Settings\All Users\Start Menu folder. This folder contains program shortcuts that are included on the Start menu for all user accounts.
    2. The \Documents and Settings\limited-user-id \Start Menu folder. This folder contains program shortcuts that are specific to a particular user profile.
    the limited-user-id can install there and only that user will have access to those programs.

    There's still the issue for some registry entries at install time that may fail due to
    the installer attempting to update services or run-at-startup.

    If the install by limited-user-id fails, then you can
    perform the install for him/her:
    login to limited-user-id
    find the Setup.exc or *.msi file needed
    right-click and use Run As ​
    which will prompt for an Admin Account
    and you can enter the admin passwd
  11. freemont

    freemont TS Rookie Posts: 20

  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I was trying to do this exact same thing a week ago (on Xp Home that a user wanted his son to have as little to edit as possible)

    Well after working out that Home Limited account wasn't very safe, I ended up down loading SteadyState (how strange!)

    Well this was excellent, all the things I could do, but all of a sudden I could not log into the limitted account any longer :( So I reversed everything, and all was ok again. It must be that it works on an Admin account I thought. So I made the other user Admin and ran SteadyState again on the main Admin account again. Logging back in to the kid's Admin account and then making it limitted again, guess what, I couldn't log back in again. Arrrgh!

    I eventually gave up, put everything back to normal, and I'm still wondering what the heck happened with this SteadyState !!

    The above advice from jobeard may help me though.

    Has anyone got SteadyState to work on Xp Home limitted account?
    (also I think I'm spelling limitted wrong, but can't be stuffed checking !)
  13. freemont

    freemont TS Rookie Posts: 20

    I can't imagine what the problem was there. :-\

    I've used SteadyState without issue. I would always make changes to a Limited account while logged in as an Admin, though.
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I just want to clear that in my mind.

    Yes, originally the kid's account was Limited, I logged into the other account (having Admin rights) and ran SteadyState from in there (editing the Limited account) And the rest is as above.

    I did spend an hour going through SteadyState's settings checkig and re-checking, actually it's good but not exceptionally easy to use.
    By the way, I have only used it once (a week ago) and I was worried using it on someone else's pc. But maybe I should try again. (sadly I don't have Home to test, well I could install it, but I hope I don't have to.)

    What am I doing ! Apologies to Billyellis the original poster.
    I really did forget where I was, I think I thought I was in chat or something. Sorry about all this.
  15. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    What, did you think I was going to flame you for discussing something relevant to my post? Are you kidding?

    The more talk like this the better. I'm still trying to figure out how to get set up for what I want. I just downloaded SteadyState, so I am very interested to hear of problems people have had with it. It will make me a little more alert when I install/run it. So thanks!
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Ok then.

    Well I think I locked out the all users menu (actually I'm sure I did this intentionaly)
    As I only wanted the Limited accounts program group to show.
    But I believe that may have been the reason why it stuffed up (ie something was trying to autostart from there, and couldn't)

    I need to test it more though before giving any advice or concerns (once is not a real good test on a mostly unknown system)

    I also found out that when I reversed my changes, the kids Documents and settings data, had somehow moved into another account username-backup (although not showing as another account in users (Control Panel) Thankfully I found and restored all his data (which was missing after reversing!)

    So maybe backup the account first.
  17. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    OK, tried it quickly with no time to really read up on it. It made changes to my start menu (added separate "Log off" and "Turn off" options instead of the one Shut down that was there before, and both they and the windows they bring up are in the heinous XP look and do not match my Classic Desktop) and when I Ctrl-Alt-Del I have now lost the window with the 6 choices - it now just pops up the Task Manager and I can no longer Lock the computer except through the Shut Down tab in the Task Manager. What a piece of crap program! :mad: :mad: :mad:

    I uninstalled and did not get back my original configuration and function. C-A-D still just gives me the Task Manager. I guess I will have to try and figure out what happened later (I don't have time at the moment). but if anyone else had this problem and found a way to resolve it, I would appreciate a how-to...

    To start with, why the F does a program that is supposed to be for enhancing security on shared computers TAKE AWAY the ability to LOCK the computer (or at least make it much more difficult to do so)???? Sorry for shouting, but I am really honked off at the moment...
  18. freemont

    freemont TS Rookie Posts: 20

    With multiple users it's more convenient to have a Log Off button IMO.
    Ctrl Pnl, User Accounts, Change the way etc, uncheck Use Welcome Screen.
    Try hitting Winkey+L
    Well, I understand you're ticked, but it sounds like most of the problem is just cosmetic stuff. Not security-related, IOW. I mean, who cares what the logoff screen looks like? :-\
    But, to each his own I suppose. ;-)
  19. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    A. Making the Lock feature more cryptic for non-expert users is not a security issue to you?

    B. PM me your home address - since cosmetics are no big deal to you, I will come over and repaint your house in a surprise color scheme. I am thinking plaid...

    It is the principle, Freemont, the same principle that Microsoft has been criticized for for 15-20 years - that they know better than you what you want. If I have my Desktop set as Windows Classic because aesthetically that is my preference, they have no business over-riding my choice, especially when I am adding a program to try and bridge one of the many major gaps in the security of their OS! Not to mention the world's general distrust of MS. If they made visible changes that I can easily fix, it begs the question: What unseen changes were made that I don't know about?

    Anyway, thank you for the suggestions. When I get back on that computer I will take a closer look. But as I was heading out the door I simply wanted to add a quick note of dissatisfaction to this thread in case someone else searches for Steady State and is debating whether or not to install it. They should have as much information at their disposal prior to that decision as possible, IMHO
  20. freemont

    freemont TS Rookie Posts: 20

    Most non-expert users never intentionally lock their computers anyway, trust me on that. ;-) Anyway, Task Manager on C-A-D is default behavior on XP machines. Most non-expert users never see the screen you see.
    Oh come on, really now. How about argyle?

    Heheh, I couldn't agree more. Microsoft's constant hand-holding and second-guessing and "do it our way or hit the highway" attitude are annoying. Notice in my system specs - I don't use their overpriced crappy software, and wouldn't even if it were free. That said, it shouldn't surprise me that you and others are having trouble with SteadyState. It's a shame, because it seemed to me to be very useful when I needed it for some machines I'm responsible for.
    Fair enough. I regret that my suggestion has caused you such aggravation.
  21. billyellis

    billyellis TS Enthusiast Topic Starter Posts: 155

    Bah. I hate it when people who have gotten me all fired up take the wind out of my sails by being decent. It's so darned inconvenient. ;)

    No harm, no foul. Your opinions are just as valid as mine. It is conceivable (just on the edge of possibility, mind you) that I might have been overreacting... Just a little. :eek:
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...