I have a stand-a-lone workstation that I need to lock down. Whenever I set up local permissions they apply to BOTH the users and the administrator.
Does anyone know how to have permissions apply to only users and not administrators on a W2K workstation?
Admins can ONLY be Admins, but you can give a "guest account" certain permissions and they will NOT alter the Admin account at all.
You cannot delete the last Admin account either.
" a stand-a-lone workstation "
~ Why not just use the Admin account?
What I do is use Admin as User, and delete all accounts except the Guest account since you MUST have 1 Admin and 1 Guest account. Then I disable the Guest with the BIG lockout RED X, and I am safe as can be.
INFO:
"Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted"
"Power Users possess most administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications"
"Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications"
My real question (June 20, 02) was much different but since I got no replies to it I decided to make it easier and see if anyone would answer.
Have you ever seen M$ Q293655. It is suppose to be instructions for setting up two different profiles one for users one for admin. I can't get it to work and I just wondered if anyone else had.
Surely it's not good security practice to run a workstation on an every-day basis as Administrator, particularly if the workstation has constant internet access?
Unix certainly frowns on running as root and not as a user.
I don't want to, and don't, run the workstation as the administrator. The problem is the restrictions I place on the users are also applied to the administartor.
Example: If I lock the users out of the control pannel then the administrator is locked out. To make video setting changes I must go through the hassel of changing the profile, making the change, then resetting the profile.
M$ says in Q293655 that the steps listed will keep the profile from being applied to the administrator. I can't make it work so I was looking to see if anyone else had.
I do not have that problem, so I can not say either way. I know there is a check box that allows seperate settings for everyone (in essence) when you are setting up the user.
What I told you to do in the first place is use a "guest account" then ADD what you want ... that way you are not restricting anything ... therefore nothing can be restricted from the Admin. ... that is the only logical go-around I can make of it.
I am confussed. Once you create an additional guest account you can name it and password it any way you want. You can even name it "Administration" or something like that.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.