Setting up a multiple user environment & XP administration in gene

ralliart12

Hi fellows. I came from a SINGLE-user environment background & it is my 1st
time setting up a multiple-user account WinXP systems. I've a couple of qns
which I hope u fellows can enlighten me:

1. During the initial stage of WinxP setup, I was mandated to input a
password for the "Administrator" account & in addition, during the last
stage, I was(again) required to input a list of 1-5 names of users who will
be using the system. I start with ONE account 1st; I named it "root".

My qn is: there's now an "Administrator" account AND a "root" account within
my system. Since at the moment there's only me one user, why winxp do NOT
STREAMLINE both accounts into one as even "root" account has admin-level
rights?

In other words, during the last stage of setup does winXP always assume if
only one user name's entered, it is NOT THE Administrator? Is that by design?
Then why do they still equip that one user name/account with admin level
rights? This is more of a curious theory qn...

2. Now that I've a "root" account. I need to setup 2 more child accounts for
my parents. I want to go for a "restrict-ALL-but" approach, meaning they'll
be DENIED all applications, changes, etc unless I EXPLICITLY allowed
their account to do so. For one account, he can ONLY open Excel documents &
print them. For the other, can ONLY surf internet using firefox. ALL OTHER
applications & actions/modifications MUST be denied.

Okay, may I know a guide/tutorial or two that TEACHES me the correct way to
accomplish all that above. I googled around, & the more prominent method
involved was asking me to append a registry key, like Disallowrun then add
apps on an app-by-app basis, I suppose that isn't very "politically correct"
but I'll prefer a more professional approach like setting up group policies,
etc?

Prefer an illustrated guide towards this kind of XP user account
administration in general. Perhaps somebody can help me here?

I'm not only interested in just restricting apps, but in the future I may
need to assign user rights to specific files, hence I'm keen to learn the
"politically correct" APPROACH(& not merely setting up 2 limited user
accounts).

Pls assist me, the newbie here.
 
Malke

ralliart12 wrote:

Comments inline (with snippage)
> Hi fellows. I came from a SINGLE-user environment background & it is my 1st
> time setting up a multiple-user account WinXP systems. I've a couple of qns
> which I hope u fellows can enlighten me:
>
> 1. During the initial stage of WinxP setup, I was mandated to input a
> password for the "Administrator" account & in addition, during the last
> stage, I was(again) required to input a list of 1-5 names of users who will
> be using the system. I start with ONE account 1st; I named it "root".
>
> My qn is: there's now an "Administrator" account AND a "root" account within
> my system. Since at the moment there's only me one user, why winxp do NOT
> STREAMLINE both accounts into one as even "root" account has admin-level
> rights?

No, you have a misunderstanding about multi-user operating systems. See
the explanation below.

XP is a multi-user operating system, no matter if only one person is
using it. In all multi-user operating systems - NT, Win2k, XP, Unix,
Linux, Mac OSX - there is the one built-in account that is "god" on the
system. In Windows terminology, that is "Administrator". In the *nix
world, it is "root". This is a necessary account and is not normally
used in everyday work. You cannot delete the built-in Administrator
account nor would you ever want to.

Here is the explanation of what you really have:

My Computer - represents your entire computer, showing drives and shared
folders. Shared Folders are folders where you can put files you wish to
share with other users on the system. You don't need to use these
folders if you don't want to, but leave them alone!

[some name] C:\ - your first hard drive, usually the system drive.

Document and Settings - The "container" for all user settings. Each user
will have [username] Documents, Music, Videos, My Pictures.

Administrator - Built-in account - Leave alone! Do not use! Do not worry
about it!

All Users - Section where items common to all users go. In a multi-user
operating system, users have separate accounts. This is the place where
if you want to share files with all the other users on the system you
would put those files. You don't ever have to use those folders but they
need to be there. This is where programs you install that are meant to
be installed for all users put settings. All the "Shared Documents" type
of folders you see at the root of C:\ are shortcuts to the shared
folders in here. Leave them alone!

Default Users - This is the template from which new user accounts are
made. You will never put anything in any of those folders but they are
needed to create new users. In Linux we use "skel" ("skeleton" - get
it?). In Windows, the less-colorful term "Default User" is used. Leave
it alone!

[OEM] Administrator or Owner - This is the generic user created by the
OEM when installing the operating system. After all, the OEM doesn't
know who is going to buy the computer. If you aren't using this OEM user
account, you can delete it from the User Accounts applet in Control
Panel. It is not the same account as "Administrator".

> 2. Now that I've a "root" account. I need to setup 2 more child accounts for
> my parents. I want to go for a "restrict-ALL-but" approach, meaning they'll
> be DENIED all applications, changes, etc unless I EXPLICITLY allowed
> their account to do so. For one account, he can ONLY open Excel documents &
> print them. For the other, can ONLY surf internet using firefox. ALL OTHER
> applications & actions/modifications MUST be denied.

See below for general user account security:

Make other users Limited accounts in XP Home, regular user accounts in
XP Pro.

a. If you have XP Pro, you can set user permissions/restrictions with
Group Policy (Start>Run>gpedit.msc [enter]) but be careful. Using the
Policy Editor can be tricksy. Questions about Group Policy should be
posted in its newsgroup: microsoft.public.windows.group_policy.

b. If you have XP Home, you can use MVP Doug Knox's Security Console or
the MS Steady State.

http://www.dougknox.com
Steady State -
http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

You may also wish to look over some of the information for staying safe
online at the following links and share the sites with your parents:

http://www.wilderssecurity.com/showthread.php?t=27971 - So How Did I Get
Infected Anyway?
http://www.getsafeonline.org/
https://www.mysecurecyberspace.com/
http://www.getnetwise.org/
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://www.claymania.com/safe-hex.html
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://msmvps.com/blogs/harrywaldron/archive/2006/02/05/82584.aspx - MVP
Harry Waldron - The Family PC - How to stay safe on the Internet
http://www.spywarewarrior.com/rogue_anti-spyware.htm - Eric Howes on
Rogue Antispyware Programs


Malke
 
Niniel

There are those who think that you should disable the built-in Admin account
for security reasons, I think it's because it is suspected that there are
standard passwords for that account that work on every machine.
Then just leave your "root" account as admin, and set up limited accounts
for the other users. Those limited accounts can then be added to other user
groups - which you will have to create - besides "users". Actually, if you
succeed in creating a group that can only run Excel and print, you should
remove that account from the "users" group because as long as it's a member
of that group it'll be able to do everything that group is allowed to do.
I recommend to never mess with permissions for individual users though, but
to create groups and add the users to them as necessary.
At least that's how it should be done in Pro, not sure if the Home version
lets you do that.
Oh, and for FF, make sure to install NoScript.
 
ralliart12

Hi Malke, many thanx for your thorough elaboration. It'll assist my
understanding of the structure behind the scenes.

& hi Niniel, from what I used to learn(but maybe I've forgotten) from Win2k
period, if a user is a member of 2 groups with regards to more than 1 set
of NTFS's permission applicable to it, windows will default it to the more
restrictive set of permissions, the play-safe concept...it doesn't apply in
XP?

Btw guys I've done further searching upon the expertzone communities & it
seems there're 2 more correct approaches: group policies, or steadystate.

I'm gonna use SteadyState instead of the limited user account type approach.
SS seems more professional.

Thanx fellows!
 
Bruce Chambers

ralliart12 said:
> & hi Niniel, from what I used to learn(but maybe I've forgotten) from Win2k
> period, if a user is a member of 2 groups with regards to more than 1 set
> of NTFS's permission applicable to it, windows will default it to the more
> restrictive set of permissions, the play-safe concept...it doesn't apply in
> XP?


Actually, what happens is that WinXP, just like Win2K and WinNT before
it, applies the more restrictive of the NTFS *file* or the assigned
*Share* permissions for any given resource. If both permission sets are
the same, then the more "powerful" group membership's
permissions/privileges apply. (This is why the default permission on
any newly created Share is to give Everyone "Full Control." Then only
the NTFS permissions would apply.)

The one thing to be especially careful about is the use of the "Deny"
'permission.' This pretty much trumps everything; I've seen people lock
out all administrative accounts by assigning "Deny" only to the "Users"
group, not realizing that administrators are also, by default, members
of this group.



--

Bruce Chambers

Help us help you:


They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
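
The permission rules discussed in the replies above, worked through as an added example that is not part of the original thread. It is a simplified Python model (real ACL evaluation also depends on ACE order and inheritance); the group name "ExcelOnly", the tokens and the ACLs are constructed for illustration.

```python
# Simplified model of Windows permission evaluation (constructed example).
READ = frozenset({"read"})
WRITE = frozenset({"read", "write"})
FULL = frozenset({"read", "write", "full"})

def effective(acl, token_groups):
    """acl is a list of (group, 'allow' | 'deny', rights).
    Allows accumulate across every group in the user's token;
    a matching Deny removes the right regardless of any Allow."""
    allowed, denied = set(), set()
    for group, kind, rights in acl:
        if group in token_groups:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied

def network_access(share_acl, ntfs_acl, token_groups):
    """Through a share, access is the intersection of both results,
    i.e. the more restrictive of Share and NTFS permissions."""
    return effective(share_acl, token_groups) & effective(ntfs_acl, token_groups)

# Constructed tokens. As the post above notes, administrators also
# carry the Users group. "ExcelOnly" is a hypothetical custom group.
PARENT = {"Everyone", "Users", "ExcelOnly"}
ADMIN = {"Everyone", "Users", "Administrators"}

NTFS = [
    ("Users", "allow", READ),
    ("ExcelOnly", "allow", WRITE),
    ("Administrators", "allow", FULL),
]
SHARE_DEFAULT = [("Everyone", "allow", FULL)]   # share ACL adds no restriction
SHARE_READONLY = [("Everyone", "allow", READ)]  # share ACL is the tighter one
NTFS_DENY_USERS = NTFS + [("Users", "deny", FULL)]

if __name__ == "__main__":
    # Two groups: the memberships add up, they do not collapse to the stricter one.
    print("parent, local:", sorted(effective(NTFS, PARENT)))
    # Share vs NTFS: the tighter of the two wins.
    print("admin via read-only share:",
          sorted(network_access(SHARE_READONLY, NTFS, ADMIN)))
    # Deny on Users also strips the administrator's access.
    print("admin after Deny on Users:",
          sorted(effective(NTFS_DENY_USERS, ADMIN)))
```

The last case is the lockout scenario: check which groups an administrative token actually contains before placing a Deny entry on a broad group.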
 
