Securing User Account Manipulation

Thread starter: PsyB

PsyB

I have been wandering through Group Policy on WinXP Pro trying to
discover how to limit which users are allowed to manipulate other user
accounts. In the situation I am trying to remedy I have a total of 5
user accounts. One is the default administrator (renamed) which is only
used by me when I am performing maintenance on the system roughly once
every month or two. The other four accounts consist of two
administrators and two limited users. For the sake of example I will
call them GoodAdmin, BadAdmin, GoodKid, BadKid.

The Problem: While GoodAdmin always logs off when she walks away from
the computer, BadAdmin tends to walk away without logging off. GoodKid
sees this and logs off, but BadKid sees this and bumps his privileges up
to Administrator so that he can install programs which are usually
plagued with Spy/Malware. GoodAdmin understands the problem, BadAdmin
doesn't.

The Solution: Create a policy that allows Administrator (me) and
GoodAdmin to manipulate other user accounts and specifically denies the
ability to BadAdmin. What is the policy that I would edit to do such a
thing? As the computer is owned by both GoodAdmin and BadAdmin, I don't
want to limit BadAdmin too extremely, but not being able to modify other
users is beyond the scope of what he would want to do. GoodAdmin really
wants to keep BadKid from bumping his privileges, though.

Any ideas?
 
PsyB since you reply to everyone's posts, I won't go into too much technical
detail since you are obviously an expert.

Create a batch file:
run "find" command with this command as input "net localgroup administrators"
If find detects presence of BADKID, run these commands:
net localgroup administrators /delete BADKID
shutdown /l
You might want to preface these commands with @ECHO OFF.
Put this in BADKID's profile under startup.
You may need to create a PIF to ensure the command window closes.
Modify NTFS permissions on the file(s) so that BADKID is denied modify rights.
So, whenever BADKID logs on, it checks to see if he is an administrator. If
he is, his administrator rights are removed, then he gets logged off.
When he logs back on, he will be a restricted user as desired.

Now, this isn't the policy setting you were looking for, but it is funnier.

Good Luck.
 
I almost ignored your flippant post ;) but decided to have another look
at what you had said.

*Thanks!* *Great idea!* And indeed it is a great way to limit his
account. I came up with this:

@echo off

rem ##Ode to Joe v1.0##

rem find /c sets errorlevel 0 when "badkid" appears in the member list
rem and 1 when it does not (/i makes the match case-insensitive)
net localgroup administrators | find /i /c "badkid"

rem errorlevel 0 here means badkid is an administrator: demote him and log off
if %errorlevel% NEQ 1 (
net localgroup administrators /delete BADKID
shutdown -l
) else (
exit
)

I will set the perms to allow only my account full access, remove all
other accounts save Badkid with read & execute perms. Thanks for
pointing out using bat files, I had almost forgotten they existed. If it
wasn't for the disruption to their other computers on the network, I
would have used shutdown -r -c "You are not authorized to be an
administrator", but figure this will suffice.

-=[PsyB]=-
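
The procedure Joe describes and the script PsyB posted above, reworked as an added example; it is neither poster's code. The account names BADKID and GOODADMIN come from the thread, while the log path C:\adminguard.log is an assumption. It differs from the posted script in three ways: it compares each line of the group listing as a whole instead of relying on find's substring match, it keeps a known administrator in the group before removing anyone (the step Joe suggests later in the thread), and it writes a line to a log file before logging the user off so the owners can later see when the account had been elevated.

```batch
@echo off
rem Added example, not the thread's own script: a hardened variant of the
rem "Ode to Joe" batch file. Assumed names: BADKID is the limited user the
rem file runs for, GOODADMIN the account that must stay an administrator,
rem and C:\adminguard.log a log file kept outside the user's profile.
setlocal

set "TARGET=BADKID"
set "KEEP=GOODADMIN"
set "LOGFILE=C:\adminguard.log"
set "FOUND=0"

rem Compare each line of the group listing as a whole. A plain
rem   find /i "badkid"
rem is a substring search, so it would also match BADKID2 or NOTBADKID.
for /f "usebackq delims=" %%U in (`net localgroup administrators`) do (
    if /i "%%U"=="%TARGET%" set "FOUND=1"
)

if "%FOUND%"=="0" goto :done

rem Record what happened before acting, so the owners can see afterwards
rem when the account had been elevated.
echo %DATE% %TIME% %TARGET% was in Administrators; removing and logging off>>"%LOGFILE%"

rem Keep the legitimate administrator in the group before removing anyone.
rem The /add is harmless when the account is already a member.
net localgroup administrators %KEEP% /add >nul 2>&1
net localgroup administrators %TARGET% /delete >nul 2>&1
if errorlevel 1 echo %DATE% %TIME% removing %TARGET% failed>>"%LOGFILE%"

rem Force a fresh logon so the reduced token takes effect at once.
shutdown -l

:done
endlocal
```

As in the thread, the file goes into the restricted user's Startup folder; PsyB's permission step (full control for the maintenance administrator only, read and execute for BADKID) can be applied with the cacls tool that ships with Windows XP, and the same treatment belongs on the log file so its contents cannot be edited by the limited account.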
 
Plus, it's fun.

 
I will also point out that if badkid gets smart, he could probably add his
own batch file with shutdown -a, though. So perhaps you could also configure
the batch file to be hidden and ensure that his folder options do not allow
him to view hidden files. That way he will never know.

 
Very :) And is now working like a charm - For paranoia's sake I will
probably throw a script in BadAdmin to do effectively the same thing
when BadAdmin logs out :)

-=[PsyB]=-

Greater in battle than the man who would conquer a thousand-thousand men
is he who would conquer just one - *himself*.

--Dhammapada--
 
Hello, I have read through this thread and I kind of, I think, know how to do
this based on what you gentlemen have posted. I have given mother admin
rights and my two daughters limited accounts. But I feel mom is going to walk
away signed in as admin, allowing older daughter to go in and change her
account type. This I do not want to happen!!

Now to create a batch file, I can just open notepad and paste the commands
posted in the forums there. Replacing | find /i /c "badkid" with | find /i /c
"older daughter" and saving it as a .bat file. Is this correct? Then, I just
drop this file into "older daughters" profile in her start-up folder?

Is there any way one of you gentlemen would be kind enough to email the
scripts you've made to me with a little explanation of what to modify to get
it to check "older daughters" rights. I would also like her to be able to
read & execute as well.

I just had to do a complete OS reload on their PC because "older daughter"
did just that. And to beat all, she made my account limited...lol...not
funny. But of course she asked me to fix it for her. Which I have and I've
loaded all kinds of spyware detection tools (SpyBot, AdAware SE Personal, &
Pest Patrol) as well.

Please Help Me!!
 
Dad:

Your understanding of the script modification is more than adequate. PsyB
provided a functional script. As you have indicated, username "bad kid vs.
older daughter" must be swapped. You may also, given your previous
experience, want to add another "result" command that ensures that your user
account remains an administrator. "net localgroup administrators /add Dad"
And, I suggest that you play around with the script and thus gain a better
understanding of all of the commands involved. Also, when posting, just
reply on the "Notify me of replies" option rather than posting your email
address. It is much more convenient for all parties.
1. I do not have to access my email account
2. You get a direct notification of replies to your post, in addition to
viewing any additional notes that were made to the thread.
3. Members of the user community can follow the discussion from problem to
resolution, rather than privately taking the situation offline.

Good luck

Joe
 
Joe,

Thank you for replying so quickly! My "Older daughter" has been pressing me
to get this done and I've been making up excuses as to why it wasn't
yet....lol. But this confirms my questions and I'm going to give it a try. I
will mess around with the script and post my results here as you have. This
only seems fair and may help another frustrated father. Thanks again!!

Oh, and I'm sorry about all the extra posts. When I tried to post my email
info, it didn't seem to work. I just kept getting a "page cannot be
displayed" error. And thanks for clearing-up the email posting thing for me.
I wish there was a way to edit or delete the extra/unnecessary posts.

Take care
 
Hi again Joe,

I've tried that script and it works great!! It is saying something in the
DOS/Command Prompt window about incorrect parameters with the "find" command
though. But other than that, it works flawlessly. You guys are geniuses!

My concern now is that when I make it a hidden file, it doesn't work.
Why? And are there any links you could provide me with that will help me in
understanding all or most of the commands, as you wrote in your reply?

My only experience in doing this so far, is with modifying game scripts.
That is how I knew about the batch file stuff......lol......I know, I have a
long way to go. But I would like to learn more about this kind of stuff. Any
suggestions?

Thanks again for your help!!
 