Group/user policy question...

Monkey34

Monkey34

Supreme [H]ardness
Joined
Apr 11, 2003
Messages
5,140
Running WinXP pro here btw.

I wasn't happy with the default set-up of my childrens computer (it has a login for myself, and each of my kids)..seeing as it created them all as administrators. I am inherently cautious where my kids are concerned, so I run software to restrict thier internet usage by shutting the internet off at 10pm (I dont want to find my son on-line at 2am surfing). Well, the bugger just changed the system time to get around that one.
:rolleyes:
I ended up making them all power users, and only allowing administrators permission to change the system time.
The only problem with that is occationally, one of them wont be able to install a game or driver, or another odd issue will rear its head. Can I "copy" the administator group, rename it(putting the kids into it, and then resticting the "change system time" from them), or am I stuck adding permissions for issues as they pop up?

Basically, should I start with full - removing permissions as needed, or start restricted and add as I go?
 
always start restricted, and ease up as necessary. ESPECIALLY with windows. There are a bazillion loopholes.
 
Its local policy....added the gpo snap-in to the mmc console. Also using the computer management to change user groups.
 
The OP could also use Microsoft Shared Computer Toolkit for Windows XP to help with locking down the accounts.
 
I had'nt seen that, interesting. Although it might be a bit much.....
Warning: The Toolkit is not intended for use on family computers as a parental controls measure — many of the security features may have adverse effects on family computers.
Click to expand...
.nice tool though.
 
Monkey34 said:
I had'nt seen that, interesting. Although it might be a bit much.....

.nice tool though.
Click to expand...

Hmm... Sorry about that. I guess i missed that when i skimmed through the Toolkit Handbook a while back.
 
if you have a spare machine, you can use Linux and run Smoothwall on it. im not sure of all the functionality available on it, but it is nice. some people will say to use clarkconnect, and i will not say it is bad, but im all for free stuff. :)
 
Monkey34 said:
Running WinXP pro here btw.

The only problem with that is occationally, one of them wont be able to install a game or driver, or another odd issue will rear its head. Can I "copy" the administator group, rename it(putting the kids into it, and then resticting the "change system time" from them), or am I stuck adding permissions for issues as they pop up?
Click to expand...

You can use local policy to remove the change system time priviledge from the administrators group, and only allow it for just the local administrator account.
 
You can use local policy to remove the change system time priviledge from the administrators group, and only allow it for just the local administrator account.
Click to expand...
Wouldnt there be a permissions conflict? I thought having a deny in the admin group would not allow access, even tho the local admin had access. edit: unless I'm not a member of that group anymore.............but would I be locking myself out of the system in any way?
 
With user rights in group policy, you only permit. There is no deny, unless it is a denial policy like "deny logon locally".

If you remove the adminsistrators and power users groups from the "Change system time" right, and only specify the administrator account directly, only that account can change the time. Others are not denied the right to change the time, only the administrator is given the right to change it. It is a different model than NTFS permissions.

Of course, they could still shut down and change the time if they have access to the BIOS...
 
It is a different model than NTFS permissions.
Click to expand...
Hm...shoulda realized how I was thinking.
Of course, they could still shut down and change the time if they have access to the BIOS...
Click to expand...
And windows only syncs the time once a week right? I dont think I'll password the bios....It would be too much of a pain to enter the password every time they turn it on.
 
this thing pops up on log on screen as- group policy - and and say incorrect log on . this is on windows basic. have to log in on safe mode to get into pc. i never turn on anything call group policy. how do i get ride of the this logon screen for group policy. my sign on is the lap top is as admin. tried system restore , pc booted up ok log in ass admin . restart later group policy comes back.:mad:

this happen after i install cavalier dsl program ,is the a defect in vista
 
You must log in or register to reply here.
Back
Top