Re: Restriction
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Mar 2006 09:40:57 -0600
Hi Jon.
That is not true. Only a user that is also in the local administrators group
can manage membership in the local administrators group. What I would do is
to make sure that the membership of the local administrators group is what
you expect, which can easily be done with the command net localgroup
administrators. If you remove a user from the administrators group and then
try to have them add themselves back, make sure you first log off as that user
to refresh their security token to reflect that they are no longer a member of
the administrators group. Try it again with a user that you know for sure is
only a member of the users group. You can use the command net user username
to see a user's group membership under local group memberships. Also make
sure that the administrators group contains only individual users and not
any groups such as everyone, authenticated users, or interactive.
--- Steve
"Jon" <Jon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D210866B-ACAA-4B8D-873E-4C1D72BBECB6@xxxxxxxxxxxxxxxx
Thanks, but I'm not sure I understand this; any user with any kind of account
on XP can simply go in through Control Panel, into User Accounts, click on
'change my account type' and make themselves administrator.
My question is, as administrator, how do you change the limited account
settings so that they can no longer make themselves administrator?
"Steven L Umbach" wrote:
A regular user can NOT add themselves to the local administrators group.
What may have happened is that the built in administrator password is blank
and they used that. That is very common in XP Home and can be changed by
booting into Safe Mode to access the administrator account. Any user that is
also an administrator must also use a strong password that can not be
guessed. Another possibility is that they used a free utility to boot the
computer from a floppy or cdrom to change the built in administrator account
to gain administrator access to the computer. Though not foolproof it can
help if the computer's CMOS settings are password protected and configured
to allow the computer to boot only from the hard drive. Given enough time,
determination, and skill any computer that can be physically accessed by a
malicious user can be taken over by that user.
--- Steve
"Jon" <Jon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:787104D2-F26B-4AC2-BA24-A80A44D8DC78@xxxxxxxxxxxxxxxx
I've put myself on the XP system as administrator and my partner's kids on
limited accounts. To my horror, a limited account user can change
*themselves* to administrator, with all that that gives access to, and there
appears to be no way in XP to stop this. Is there any way to truly limit a
limited account, and why would XP have what's effectively an unlimited limited
account anyway? Or have I just missed something really obvious?
Jon
"Brandon" wrote:
Thanks for the help. It worked the way I wanted and more than I expected.
-Brandon
"Mike Bright MSP" wrote:
Brandon,
Ok, so you can use Doug's tool for this one.
Log in to your sister's account and run Doug's "Security Console" tool and you
can disable Desktop changes and a number of different settings in there.
Apply the settings then log off. The next time your sister logs in it will
apply the restrictions. Doug's tool is available from:
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
The two options groups in the program to look at are "Display Options" and
"Desktop Settings".
Regards
Mike Bright MCP, MSP
e:mike.bright@xxxxxxxxxxxxxxx
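
The membership check Steve describes in the top message (run net localgroup administrators, and make sure no broad groups are in the list), as an added example that is not part of the original thread. The account names in the sample output and the expected list are constructed, and English-language net.exe output is assumed.

```powershell
# Added example: audit the output of 'net localgroup administrators'.
# Function names, the expected list and the sample output are constructed.

function Get-AdminGroupMember {
    param([string[]]$NetOutput)
    # Members are listed between the dashed rule and the completion message.
    $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{5,}\s*$') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Test-AdminGroup {
    param([string[]]$Members, [string[]]$Expected)
    # Broad built-in groups named in the post: if one of these is a member,
    # effectively every logged-on user is an administrator.
    $broad = 'Everyone', 'Authenticated Users', 'INTERACTIVE'
    foreach ($m in $Members) {
        $short = ($m -split '\\')[-1]      # drop a "NT AUTHORITY\" style prefix
        if ($broad -contains $short)        { $status = 'BROAD GROUP - remove' }
        elseif ($Expected -contains $short) { $status = 'expected' }
        else                                { $status = 'UNEXPECTED - review' }
        New-Object PSObject -Property @{ Member = $m; Status = $status }
    }
}

# Constructed sample. On a live machine use instead:
#   $out = net localgroup administrators
$out = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Jon
kid1
NT AUTHORITY\INTERACTIVE
The command completed successfully.
'@ -split "`r?`n"

Test-AdminGroup -Members (Get-AdminGroupMember $out) -Expected 'Administrator', 'Jon' |
    Format-Table Member, Status -AutoSize
```

A user removed from the group keeps administrator rights in the current session until they log off, so re-run the check after the next logon.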