
Create a highly restricted user 2

Status
Not open for further replies.

timesign

Programmer
May 7, 2002
53
US
Hi,
I would like to create a user account that is highly restricted. To be more specific, users should be able to use one program, notepad, save to an external drive (flash or floppy), and shut down. No start menu, no browsing, nothing else!
Any suggestions as to where there might be resources on how to do this? I don't expect I will recognize what each one of the permissions is supposed to allow...

thanks
 
I have a similar case at work...

Needed high restrictions, and what we ended up doing is stopping Explorer from running at all: no desktop, no start menu.
Remember Windows 3.1? Program Manager?
Type progman in cmd ... it still exists in NT 5.0/5.1 :)

I'll look up what we did to make this happen and get back to you.


Aftertaf (david)
MCSA 2003
 
GOT IT:
In system32 there is a file called userinit.exe.
This file is responsible for running Explorer as the shell (which gives you the desktop, start menu, etc.).
It is called automatically after logon.
To change this we modified the registry to use a substitute file called userinit.cmd that we also placed in system32.
With regedit go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


There is a string called Userinit; its value is c:\WINNT\system32\userinit.exe.
Change it to the script userinit.cmd and you're halfway there.

Our userinit.cmd script said:
@echo off
set short_user=%username:~0,4%
if not "%short_user%"=="Prod" goto Admin
rem Restricted account: start Program Manager instead of the normal
rem shell, so there is no desktop, taskbar or Start menu
%systemroot%\system32\progman.exe
goto End
:Admin
rem Everyone else gets the standard logon (userinit.exe starts Explorer)
Call %systemroot%\system32\userinit.exe
:End
Exit
This affects all users logging on with an account beginning with prod (line 3).
Change the script according to your rules.
They have progman run instead of userinit.exe, so no desktop.
All they can do is access the shortcuts we created in progman: 2 applications and a logout icon which runs a script: %systemroot%\logoff.exe /n

To make the user incapable of changing or adding anything in progman, we hid the File menu:
HKEY_USERS\Prod\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions:
"EditLevel"=dword:00000004
"NoClose"=dword:00000001
"NoFileMenu"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"Restrictions"=dword:00000001

Explorer can still run if, when in Notepad or another application, you right-click a disk in the Save As dialog and explore it. We use GPO to disable Explorer's default context menu.

User Config\Admin templates\Windows components\Windows Explorer:
- Disable Windows Explorer's default context menu - Activate this policy

and you have a locked down system.
Make sure you set up your userinit.cmd script to allow someone to have the Explorer shell, otherwise the PC is locked for everyone!!!!!

Aftertaf (david)
MCSA 2003
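An added check to go with the procedure above (example code written for this edit, not from David's post or from Microsoft): the Winlogon Userinit value is exactly what this technique overrides, so before and after deploying it you want to see what it points at, whether the progman restriction flags really landed under the user's hive, and whether the replacement userinit.cmd still hands somebody the real userinit.exe. The script below parses a reg.exe export of those two keys and answers all three. The export text, the SID and the drive letters are constructed sample data; the userinit.cmd text is the one posted above. On XP or later you would produce the real input with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (reg.exe writes UTF-16, so open the file with `encoding="utf-16"`).

```python
"""Audit the Winlogon hook this thread modifies.

Example code added to this thread, not from the original posts.  It parses a
'reg export' dump of the Winlogon key and a user's Program Manager Restrictions
key, flags a Userinit/Shell value that no longer points at the stock binary,
summarises the progman lockdown flags, and sanity-checks the replacement
userinit.cmd so nobody is locked out of the Explorer shell.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock Winlogon values: Userinit is <systemroot>\system32\userinit.exe and Shell is
# explorer.exe.  Anything else means logon has been redirected (here on purpose).
STOCK = {
    "Userinit": re.compile(r"^[a-z]:\\[^\\]+\\system32\\userinit\.exe$"),
    "Shell": re.compile(r"^(?:[a-z]:\\[^\\]+\\)?explorer\.exe$"),
}
PROGMAN_FLAGS = ("NoRun", "NoClose", "NoFileMenu", "NoSaveSettings", "Restrictions")

# Constructed sample export (assumed SID and paths), not captured from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.cmd,"

[HKEY_USERS\S-1-5-21-111-222-333-1005\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Restrictions]
"EditLevel"=dword:00000004
"NoClose"=dword:00000001
"NoFileMenu"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"Restrictions"=dword:00000001
'''

# The userinit.cmd from the post above, embedded as sample input.
SAMPLE_SCRIPT = """@echo off
set short_user=%username:~0,4%
if not %short_user%==Prod goto Admin
%systemroot%\\system32\\progman.exe
goto End
:Admin
Call %systemroot%\\system32\\userinit.exe
:End
Exit
"""


def parse_reg(text):
    """Parse a Regedit 5 export into {key: {name: value}}; handles REG_SZ and REG_DWORD."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith('"'):          # REG_SZ, with \\ and \" escapes
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif raw.startswith("dword:"):   # REG_DWORD, hex
                value = int(raw[len("dword:"):], 16)
            else:                            # other types: keep raw text
                value = raw
            keys[current][name] = value
    return keys


def audit_winlogon(keys):
    """Return [(value name, program)] for Userinit/Shell entries that are not stock."""
    vals = next((v for k, v in keys.items() if k.lower() == WINLOGON.lower()), {})
    findings = []
    for name, stock in STOCK.items():
        # Both values are comma-separated program lists (stock Userinit ends in a comma).
        for prog in (p.strip() for p in str(vals.get(name, "")).split(",")):
            if prog and not stock.match(prog.lower()):
                findings.append((name, prog))
    return findings


def progman_restrictions(keys):
    """Map each HKEY_USERS SID to (EditLevel, set of active Program Manager flags)."""
    out = {}
    for key, vals in keys.items():
        if key.lower().endswith(r"\program manager\restrictions"):
            sid = key.split("\\")[1]
            out[sid] = (vals.get("EditLevel", 0), {f for f in PROGMAN_FLAGS if vals.get(f) == 1})
    return out


def check_userinit_script(script):
    """Return (keeps a path to the real userinit.exe, prefix test is case-insensitive).

    The first must be True or every account gets the locked shell.  The second is
    False for the posted script: cmd's == is case-sensitive without /i, so an
    account named prod01 (lowercase) would fall through to the full shell.
    """
    keeps_admin = re.search(r"userinit\.exe", script, re.IGNORECASE) is not None
    case_insensitive = re.search(r"^\s*if\s+/i\b", script, re.IGNORECASE | re.MULTILINE) is not None
    return keeps_admin, case_insensitive


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for name, prog in audit_winlogon(keys):
        print(f"Winlogon {name} is redirected to {prog}")
    for sid, (level, flags) in progman_restrictions(keys).items():
        print(f"{sid}: EditLevel={level} active={sorted(flags)}")
    print("userinit.cmd keeps userinit.exe / case-insensitive prefix:", check_userinit_script(SAMPLE_SCRIPT))
```

Two points worth noting from the output: the Userinit finding is the expected one on a box built this way, and the same check is what you would run on any other machine where the value should still be stock, since Userinit and Shell are common places for malware to hook logon. The case-sensitivity result is the reason for quoting and for deciding whether `if /i` belongs in your own version of the script.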
 
Thanks for your help, David.

The userinit.cmd works great.

If you have a moment....

I changed the Program Manager restrictions in the registry, but they do not seem to be having any effect. I tried setting it for Default User as well as two other long string names under HKEY_USERS.

Under the group policy object (which I cannot seem to find how to get into again) I was only able to set it for "users", and that affects the admin (although I can live with that).

Thanks again.



 
The GPO setting is applied to admins too, yes!!
But as an admin you can open the local GPO and turn it off :)

When you run as a locked-down user, progman is launching, right?

But what options do you have on the menu bar?

File, Options, Window?

Normally File is supposed to disappear!

And in Options a lot is grayed out...

Are some being applied??
When you change the settings as admin, and you then log on and log off as the user, are the registry settings being written over?


I think that we accessed the user's registry while logged on as admin, by using the runas command with the /profile switch.

Open regedit, then do this in a command prompt:
RUNAS /profile /user:yourPC\user1 cmd...

Refresh regedit and you see a new section concerning the user.
That way the profile was loaded into the registry.
Then we:
- changed the registry settings for this user,
- renamed the folder Default User and created a new, empty folder,
- copied the user's folder in Docs & Settings to this new Default User...
- deleted the user profile from the PC.

I remember that this part did our heads in for a whole afternoon!!!

Try that.
I hope my memory serves me well....
If not I'll call the guy that helped me on this.
David

Aftertaf (david)
MCSA 2003
 
Under group policy object (which I cannot seem to find how to get into again)
LOL :)

Type mmc in the command prompt; you can open a new console and access it that way.... Then save your console to the admin desktop :)

Aftertaf (david)
MCSA 2003
 
David,
You really seem to know your stuff.
I seem to be able to complete the lockdown using GPO alone, and the user will be limited to the two programs.

The only thing left is not to lock out the admin ;-)
Where is the key to say that the GPO should not be applied to the admin?

Sorry - I am behind the times in admin / group policies ;-)
Thanks again
 
If it's a GPO, you can change the permissions and deny 'Apply policy' to the Domain Admins group.



If it's a local machine policy, you can't filter (at least, I don't know how)...


Aftertaf (david)
MCSA 2003
 