
HELP - XP Pro User/Group Policy Nightmare

kwinsw

Junior Member
Dec 31, 2004
5
0
0
Hi,

I've never used XP Pro's user and group policy settings before, and I'm sure I must be missing something obvious but I'm tearing my hair out here.

I have to set up an XP Pro system for users of varying ages, abilities and levels of responsible behaviour. I want to class them all into two, maybe three, groups. I then want to assign each of those groups different privileges: the right to install or not to install, to download from the Web, how much disk space they can use, and so on.

I've trawled through the MMC group policy snap-in and I can find lots of useful settings, but no way of assigning those settings to different groups or individual users on the local machine.

Can anyone help? This is driving me nuts.

Any and all advice much appreciated.

KW
 

Eltano1

Golden Member
Aug 6, 2000
1,897
0
0
The easy way is to create groups with names that you identify by their rights, which you will assign (to each group what kind of rights they have) and then add the users to each group. Don't forget that you need to be signed on as the administrator, and you are the only one as such. No one else can be the administrator until you add someone within your group as another admin.
Good luck and Happy New Year.

Eltano
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
I think you're mixing two slightly different things:

Group Policy: These are DOMAIN-based policies that can apply to individual or groups of Users or Computers. These include configuring services, logon scripts, registry entries, installing software, etc... Also assigning/restricting access or privileges.

Local Users/Groups: Assuming you're not using a W2K or 2K3 domain, you're creating all local ids on the one workstation. Assign the users to the various Local groups (Administrators, Power Users, Users...etc) as you think necessary.
Users - least rights. May not even be able to install a local printer. Cannot generally install software, but can execute many programs from the "run" command.
Power Users - some rights. Can install printers, create (local) share-points, may be able to install certain types of software.
Administrators - All rights!

Using the local groups is the easiest, and gets you a certain amount of better lockdown. Particularly problematic are games. Many require Admin in order to install, and some of those require Admin in order to run. Stupid, but there you are.

 

Eltano1

Golden Member
Aug 6, 2000
1,897
0
0
Woodie, you are correct, I did not pay attention that he was talking about XP Pro, and not a DC environment. What you suggested is a better way.
Thanks for the clarification.
Happy New Year

Eltano
 

kwinsw

Junior Member
Dec 31, 2004
5
0
0
Hi,

Thanks all for the advice. I will create the local groups later today. But how do I assign specific rights to a particular group?

I know if I open the MMC with the Local Computer Policy Snap-in loaded I can go to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment and assign some things there.

In other areas of the Local Computer Policy Snap-in, though, you can't assign a particular privilege to a user or group of users. For instance, if I go to Computer Configuration > Administrative Templates > Windows Components > Windows Installer, I can prohibit user installs. There is, however, no specificity about which users or groups I can apply this to. The only settings are enable, disable or not configured.

I would like to disallow user installs for all users but one and allow them for all power users. How would I set this up? Where in the MMC do I need to go? Do I need another policy snap-in?

I know this probably seems really obvious to you guys, but like I said, this is the first time I've dabbled around with this and I want to get it right.

Any help much appreciated.

Cheers

KW
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Local Computer Policy applies to the ENTIRE local computer. It's part of the GPO thing, and REQUIRES a domain. Be VERY careful what you configure here, because it is possible for you to lock yourself out of the machine, since the settings even apply to the local Administration. Beware dabbling!

All the local groups mentioned are built-in groups, provided by MS. They already have permissions assigned to them, so you're pretty much stuck with those.
 

kwinsw

Junior Member
Dec 31, 2004
5
0
0
So if I create a new group for local users on an XP Pro computer how can I assign permissions and privileges to that new group: particularly privileges, such as whether or not the users in that group can use the installer, that aren't found in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment?

What I really want to know is how you assign privileges and permissions to groups when those privileges and permissions aren't found in Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment?

Can anyone tell me?

Thanks for all your help so far.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
You can't.

The way the built-in groups work (for many things) is that the directory or drives or registry keys already have permissions established. For example, on my XP build...the Access Control List (ACL) for the c:\ drive is:

c:\
BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)
FILE_APPEND_DATA

BUILTIN\Users:(CI)(IO)(special access:)
FILE_WRITE_DATA

Everyone:R

F = Full Control, R = READ

Program Files:
c:\Program Files
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F

Windows:
C:\WINDOWS
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
BUILTIN\Administrators:F
CREATOR OWNER:(OI)(CI)(IO)F

So you'll notice that Users cannot write to the root of the drive, to the Program Files folder or to the Windows folder.
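
How to read the `cacls` listing quoted in the post above, as an added example that is not part of the original thread: the Python below parses the `C:\Program Files` entries (blank lines and one duplicate entry dropped) and reports whether a group gets write access on the folder itself or only on objects created beneath it. The names `parse_cacls`, `can_write` and `WRITE` are hypothetical, and the check assumes no deny entries and no nested group membership.

```python
import re

# cacls listing for C:\Program Files, taken from the post above.
SAMPLE = r"""c:\Program Files
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
CREATOR OWNER:(OI)(CI)(IO)F
"""

ACE = re.compile(r"^(.+?):((?:\((?:OI|CI|IO)\))*)(F|C|R|W|N|\(special access:\))$")
# Letters and named rights that allow creating or changing content.
WRITE = {"F", "C", "W", "GENERIC_ALL", "GENERIC_WRITE",
         "FILE_WRITE_DATA", "FILE_APPEND_DATA"}

def parse_cacls(text):
    """Return ACEs as dicts: trustee, inheritance flags, set of rights."""
    aces = []
    for line in (l.strip() for l in text.splitlines()):
        m = ACE.match(line)
        if m:
            trustee, flags, right = m.groups()
            rights = set() if right.startswith("(") else {right}
            aces.append({"trustee": trustee,
                         "flags": set(re.findall(r"OI|CI|IO", flags)),
                         "rights": rights})
        elif aces and re.fullmatch(r"[A-Z_]+", line):
            # Named right listed under a "(special access:)" entry.
            aces[-1]["rights"].add(line)
    return aces

def can_write(aces, trustee, children=False):
    """Write access for trustee on the folder itself, or (children=True)
    on objects created below it. Deny entries and nesting are not modelled."""
    for ace in aces:
        if ace["trustee"] == trustee and ace["rights"] & WRITE:
            # (IO) = inherit only: skips the folder; (OI)/(CI) = passed down.
            hit = ace["flags"] & {"OI", "CI"} if children else "IO" not in ace["flags"]
            if hit:
                return True
    return False

print(can_write(parse_cacls(SAMPLE), r"BUILTIN\Users"))  # False
```
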
 

kwinsw

Junior Member
Dec 31, 2004
5
0
0
Crikey, this is going to be a tough job then. I've got to set up an XP Pro system for several users with different permissions for each. I'll have to figure out another way.

Thanks for all the help and advice.
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
As I said...biggest bang for buck is to try the builtin groups, and see what problems you run into. You may find they work well enough to get started.

The other option (since you have multiple workstations?) is to build a domain, and then you can leverage GPOs. A great opportunity for you to learn a whole lot more about Windows OS and security!
 

kwinsw

Junior Member
Dec 31, 2004
5
0
0
Hi,

Further to the above:

I'm trying to customise the user accounts on a standalone XP Pro PC. I want to apply different settings to the admin and non-admin accounts.

I'm using this fix here:

http://support.microsoft.com/d...x?scid=kb;en-us;293655

I apply the settings, log into and out of all the relevant accounts, copy Registry.pol from the User folder in group policies (tried copying both and just from machine, seems to have no effect). Once I have a copy of Registry.pol I reverse the settings I've applied, log into and out of the user account, then copy the old version of Registry.pol back into the User folder of group policies.

Everything works fine: the restrictions are applied to all accounts except the admin accounts. Until, that is, I reboot, at which point the changes I made in the admin account take effect and the restrictions are lifted from the non-admin accounts.

For reference, the setting I've been using to test this workaround was the Disable changing Advanced page settings under User Configuration > Administrative Templates > Windows Components > Internet Explorer.

Can anyone tell me why this won't stick after a reboot and what I have to do to get it to stick?

Many Thanks

kwinsw