how to create a restricted user account in xp

[tynopik]

i can create an account (user) and make it a member of guests

however how do i lock it down further?

i tried gpedit.msc, but all restrictions applied to BOTH administrator AND guests

how can i create restrictions that apply to just to guest (and specifically disable access to certain directories. i can disable entire drives, but not individual directories)

 

[Guga]

use ntfs permissions to define the level of access users have.
if you use gpedit.msc, under computer configuration - windows settings - security - user rights you have the permissions groups have to perform several tasks.
Just add the user to one of those groups to give him that level of access.
With those two things together you will be able to secure your machine.

 

[mechBgon]

There is a distinction between the Guest account and the Limited class of accounts. You can simply create a new account in Control Panel > User Accounts and then switch it from the Computer Administrator class to the Limited class with a mouse click. This any help?

 

[tynopik]

> use ntfs permissions to define the level of access users have.

okay, i could have sworn that tab wasn't showing up yesterday except at the drive level, seems to be there now

> if you use gpedit.msc, under computer configuration - windows settings - security - user rights you have the permissions groups have to perform several tasks

those aren't the tasks i was looking to restrict. i was thinking more like 'disabling access to control panel', which you can set with gpedit.msc, but then it applies to every one :-/

> You can simply create a new account in Control Panel > User Accounts and then switch it from the Computer Administrator class to the Limited class with a mouse click

ok, so i lied, this in win2k3

don't ask

anyways it doesn't have that

also if you create a guest account it comes with that stupid high security internet thing that doesn't let you access non-trusted sites. You can uninstall it on the administrator account, but you can't uninstall it on guest account b/c it doesn't have sufficient priveleges

if you give the account administrator access, uninstall high internet security then reset it back to guest it automatically gets reinstalled

 

[mechBgon]

Create some Restricted User accounts. They're the equivalent of a Limited account on a standalone WinXP box. Forget the Guest thing. Actually, I'm wondering why the heck you are letting anyone who ought to be restricted come within 20 feet of the server's keyboard in the first place? Make them use their workstations.

 

[tynopik]

> Create some Restricted User accounts

i don't see a 'restricted user' group. i see administrators, backup operators, distributed com users, guests, network configuration operators, performance log users, performance monitor users, power users, print operators, remote desktop users, replicator, users, helpservicesgroup and telnet clients

> Actually, I'm wondering why the heck you are letting anyone who ought to be restricted come within 20 feet of the server's keyboard in the first place?

b/c it's not a server, it's just for home/workstation use (hence the 'don't ask' earlier)

if this was an actual server and i was the admin, i'd probably be fired for incompetence :-/

 

[mechBgon]

Try plain old "users" and see if that accomplishes what you want or not. Sorry about the Restricted Users thing.

 

[tynopik]

ARGH!

ntfs permissions suck

so i set 'administrators' to allow everything
i set 'users' to deny everything

guess what?

that's right! the administrator account gets denied too!

(and no 'administrator' is not part of 'users')

am i whacked or is there no way whatsoever to create a restricted account without either
1) restricting the adminstrator also
[or]
2) setting up a domain with active directory? (which is a little more than i want to do)