Re: Locking Down A Computer Lab

From: Nepatsfan (nepatsfan_at_SBXXXIX.com)
Date: 05/14/05 

Date: Fri, 13 May 2005 19:31:52 -0400

I'm guessing that these machines are not part of a domain. If
they are, post back with that info as that would make a big
difference in my answer. I'm also guessing that you have the
Professional version of XP as opposed to Home Edition.

That said, here are some suggestions you might consider
implementing:

1. Put passwords on both the built in administrator account and
the account you created that is a member of the administrators
group. Make sure it's something you'll remember but your users
won't be able to guess. It's OK if it's the same for both
accounts.

If these machines have floppy drives or, better yet, you have a
USB flash drive you might want to run the "Forgotten Password
wizard". Here's how:

http://www.petri.co.il/what's_the_password_reset_disk_in_windows_xp.htm

I'd suggest leaving the limited account with a blank password.

2. Configure all machines to logon with the limited accounts by
doing the following:

Go to Start -> Run.
Enter the following into the Open box:

control userpasswords2

Click OK.
Uncheck "Users must enter a user name and password to use this
computer".
In the box that pops up, replace Administrator in the "User Name"
box with your limited user account. Enter your password twice.
Note: You can leave the password box blank if your account does
not have a password.
Click OK twice and reboot to see if you get the desired results.

When you want to logon with your administrative account you can
log off the limited account. The Welcome screen will be displayed
which should contain the icon for your administrative account.
Alternatively, you can hold down the shift key while windows is
starting. This will bring you directly to the Welcome screen.

3. If running XP Professional in a workgroup:

Right click on My Computer and select Manage from the drop down
menu.
In the Local Users and Groups section click on the Users.
Right click on the limited account and select Properties.
Put a check mark in the box next to "User cannot change password"
as well as "Password never expires".
This should prevent someone from assigning a password to this
account. If you don't do this you're probably going to find
yourself having to reset the password often.

4. If you plan on using the Local Group Policy to restrict the
limited accounts you will need to use one of the procedures
outlined in these articles to prevent the policies from being
applied to members of the administrators group:

Applies to XP as well as Win2K:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B293655

Group policy in a workgroup:
http://www.theeldergeek.com/gp07.htm

Be careful with Group Policy. It's not that hard to configure it
in such a way that you lock yourself out of the computer.

Good luck 

-- 
Nepatsfan
"mjfmn" <mjfmn@discussions.microsoft.com> wrote in message 
news:38DC0237-0AE0-4C91-85C0-FCC9C7644890@microsoft.com...
> Jerry, thanks for the response.  Sadly, I don't have the 
> opportunity to get
> those books (we don't even have a book store in our little 
> town), or that
> much time.  The lab goes into use on Tuesday, May 17th.  If 
> someone could
> just tell me what I need to do to accomplish these two tasks 
> (going to a
> restricted user at boot and / or changing the default login to 
> a restricted
> user), that would get me far enough to lock it down by the time 
> the doors
> open.
>
> Thanks again!
> Mike
>
> "Jerry" wrote:
>
>> Try the Group Policy Editor and do some reading:
>>
>> Windows XP Booklist
>>
>> Microsoft Windows XP Inside Out 2nd ed  ISBN 0-7356-2044-X
>> Microsoft Windows XP Professional Resource Kit 2nd ed  ISBN 
>> 0-7356-1974-3
>> Microsoft Windows Command-Line  ISBN 0-7356-2038-5
>> Windows XP Pro 2nd ed The Missing Manual  ISBN 0-596-00898-8
>> Windows XP in a Nutshell, 2nd Edition  ISBN 0-596-00900-3
>> Windows XP Annoyances, 2nd ed  ISBN 0-596-00876-7
>> Windows XP Hacks, 2nd ed  ISBN 0-596-0000918-6
>> Windows XP Solutions  ISBN 0-7645-6773-X
>> Windows XP Speed Solutions  ISBN 0-7645-7814-6
>> Guide to Home Networking  ISBN 0-7645-4473-X
>>
>> Downloadable Guides
>>
>> XP Tweak Guide (TweakGuides_XPTC.zip) from 
>> wwww.TweakGuides.com
>> Windows Registry Guide (registryguide2003.exe) from 
>> www.winguides.com
>> Error Message for Windows (MSWinErr.zip) from 
>> www.gregorybraun.com
>>
>> "mjfmn" <mjfmn@discussions.microsoft.com> wrote in message
>> news:1B199E31-2849-4524-BA18-4C59387D6031@microsoft.com...
>> > Hello!  I have 16 XP SP2 machines I just installed in a 
>> > computer lab, and
>> > I
>> > want to lock them down.  I got each of them setup today, 
>> > used a password
>> > for
>> > the administrator, then setup a new user for each one 
>> > (lab01, lab02,
>> > etc.).
>> > When I was all done I wanted to change the permission on the 
>> > user from
>> > administrator level to restricted, so I rebooted, went into 
>> > safe mode as
>> > administrator.  I was told I couldn't change the user from 
>> > administrator
>> > because there had to be one computer administrator (I 
>> > thought the
>> > "administrator" log in was that?).  I created a new user 
>> > that I would give
>> > low rights to, but when the computer is booted up it gives 
>> > the option of
>> > choosing a users - that kind of negates what I'm trying to 
>> > do!  I'd just
>> > like
>> > it so the computer boots up to the restricted user.
>> >
>> > I need to lock down these computer so no one installs any 
>> > software,
>> > disables
>> > antivirus or Adaware, etc.  Does anyone have any tips I can 
>> > use?  Thanks
>> > so
>> > much!
>> >
>> > Mike, MIS Director
>>
>>
>>

Relevant Pages