creating two administrator accounts, with add'l questions


11 replies to this topic

#1 onenil


Posted 09 July 2016 - 10:28 PM

*SORRY--just realized this should be in another forum. Not sure how to move but checking with admin now.

I would like to create two administrator user profiles, one with complete control and one configured with (at least) two limitations:

1) the inability to move, delete, or otherwise modify executables (or other files, as needed); plan on doing that through making the primary administrator control a given file, and then assigning lesser rights to the secondary administrator.

2) the inability to enter safe mode, modify the registry, or change the time.

I want to give the primary administrator complete rights, so if something happens backup etc. is accessible.

1) First, need to know if it is possible (and won't screw up my system).

2) If it is, can this be done safely, and through group policy?

3) Also, can both users share the same programs, file settings, etc.?

I currently have Win 10 x64 Home, but am planning to upgrade (the free, fully functional--but nagging) Win 10 Pro to use group policy--it has it, right?

I read that older versions of Windows allowed you to create a "superuser" profile with advanced properties; if I can't do this in Windows 10, would it be advisable to go back to Win 8 (or whatever version supported that feature)?

Thank you!





#2 ScathEnfys


Posted 09 July 2016 - 11:06 PM

All modern versions of Windows allow you to edit the groups that users are in and the control users in a particular group have over various files and directories. It can be dangerous if you don't know what you're doing, however.

(Note: In my following suggestions, I am assuming some things about your level of knowledge in permissions, ACLs, and some of the other nuts and bolts of how Windows works. If something I say confuses you, please let me know. I don't want something to go wrong and you end up with a bricked system.)

1) Yes it can be done. Yes, if you do it right, you won't "screw up your system".

2) It can be done safely if you know what you are doing. I do not believe group policy (gpedit and such) can be used to do it however... the method is more complex than that.

3) As all users on a PC can share the same programs, yes. Program settings? This is a little harder to pull off as different programs use different methods of storing their data. I'm not sure what you mean by "file settings" though.

The best way to get familiar with this sort of thing would be to create a folder to test stuff with. To access the advanced access settings, right click on the folder, select "properties", select the "security" tab, and click the advanced button. This should show a set of ACLs that you can play around with on the folder. Again, I recommend making a folder specifically for testing this so you don't lose anything crucial if you mess up.

The way I see things, you are going to have to edit the ACLs of four programs to deny access to the secondary administrator:

%systemroot%\regedit.exe
%systemroot%\system32\msconfig.exe
%systemroot%\system32\regedt32.exe
%systemroot%\system32\reg.exe

Locking these programs in this way will deter the beginner-intermediate user from accessing the registry and boot options. However, locking down the reg* programs can cause certain pieces of software to not function properly. Therefore, the more ideal way to lock down the registry would be to use registry permissions - which are very similar to the file permissions I just had you mess with. It is a little more complicated as you will have to lock down each registry hive or key that you don't want the second administrator to have access to.

In short, yes this can be done but it's going to be pretty complicated.
Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase
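
The test-folder practice and the registry-permission approach described in the post above, as an added PowerShell example that is not part of the original thread. It assumes a local account named `SecondAdmin` already exists; that name, the folder `%USERPROFILE%\AclTest` and the key `HKCU:\Software\AclTest` are hypothetical and exist only for this illustration.

```powershell
# Added example, not from the thread. Hypothetical names: local account 'SecondAdmin',
# folder %USERPROFILE%\AclTest, registry key HKCU:\Software\AclTest.
$Account = "$env:COMPUTERNAME\SecondAdmin"
$TestDir = Join-Path $env:USERPROFILE 'AclTest'
$TestKey = 'HKCU:\Software\AclTest'

# Stop early if the account does not exist; an unresolvable name cannot be put in an ACE.
Get-LocalUser -Name 'SecondAdmin' -ErrorAction Stop | Out-Null

# Throwaway objects to practise on, so nothing under %systemroot% is touched.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
Set-Content -Path (Join-Path $TestDir 'sample.txt') -Value 'constructed test file'
New-Item -Path $TestKey -Force | Out-Null

$deny   = [System.Security.AccessControl.AccessControlType]::Deny
$noProp = [System.Security.AccessControl.PropagationFlags]::None

# File side: deny delete and permission changes; read and write stay as they were.
$fileRights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$fileInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$fileRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account, $fileRights, $fileInherit, $noProp, $deny)

# Registry side: the same idea with registry rights; subkeys inherit the entry.
$keyRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$keyInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$keyRule = [System.Security.AccessControl.RegistryAccessRule]::new(
    $Account, $keyRights, $keyInherit, $noProp, $deny)

$targets = @(
    @{ Path = $TestDir; Rule = $fileRule },
    @{ Path = $TestKey; Rule = $keyRule }
)

foreach ($t in $targets) {
    $acl = Get-Acl -Path $t.Path
    $acl.AddAccessRule($t.Rule)
    Set-Acl -Path $t.Path -AclObject $acl
    # Show only the deny entries now present on the object.
    (Get-Acl -Path $t.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, *Rights, IsInherited -AutoSize
}

# Undo: remove exactly the entries added above, leaving the original ACLs.
foreach ($t in $targets) {
    $acl = Get-Acl -Path $t.Path
    $acl.RemoveAccessRuleSpecific($t.Rule)
    Set-Acl -Path $t.Path -AclObject $acl
}
```

Any member of the Administrators group can take ownership of an object and rewrite its ACL, so a deny entry like this slows such an account down rather than stopping it, which matches the post's "deter" wording.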

#3 technonymous


Posted 09 July 2016 - 11:40 PM

As mentioned above it really wasn't designed to go about it that way. There should be only one admin that controls the limited users thereafter.



#4 onenil


Posted 10 July 2016 - 12:58 AM

Well here's the story, and it's kind of embarrassing:

 

I'm a full-fledged internet addict. I've tried every solution short of this (and trying to configure DD-WRT, which might work, although a router reboot will prob send back to defaults). I have used internet addons and paid for software, and the root problem is that I'm always able to delete the file that contains the executable (or move it, if system blocking is in effect). I've tried "hiding" software, but it doesn't seem to play nice with the programs I'm trying to use. To the best of my understanding, I am not able to set ACLs so that the "system" or "trustedinstaller" can control the program and limit administrative rights, and thereby remove my administrative rights to delete/move/etc. a program. I've tried using a default user profile and giving the admin password to my friend, but found the limits EXTREMELY constraining.

 

So, short of getting rid of internet entirely (which is my next solution), this was my innovative (lol) idea, to create two administrator profiles, one that is the "master" with everything enabled (which I would password protect and hand over to my friend) and one that would have more limited rights: specifically, to prevent modification of a very few files (but allow read/write), prevent entry into safe mode (if those security settings can be bypassed in safe mode--can they?), and prevent access to regedit and other tools by which I can modify my "protective" settings. 

 

Think of me as needing parental controls on speed. I know just enough to get around settings, but not enough to control/modify them so I can't prevent myself from resetting them.

 

It'd be great if I didn't hear "you need more self-control" or "get a life"; I'm disabled and pretty much housebound, so this is my outlet. On the other hand, getting rid of internet/cable, saving $130 a month, and circumventing the headache of Comcast for a year or so might warrant no email, downloads, and online shopping. Dunno. 

 

Given that the settings that I need to modify are pretty spare, and that I have the Windows 10 spreadsheet outlining all of the modifications, could I start with an administrative profile and "downgrade" it to just remove those entries that I want to remove?

 

Or are you familiar with the Windows 8 "superuser" profile that has been discontinued? Do they encompass what I need, and would it therefore be worth downgrading?

 

Thanks so much for your help--can't tell you what a problem this has become.



#5 technonymous


Posted 10 July 2016 - 02:04 AM

Windows 10 Pro will have the administrator tools, which include gpedit (the Group Policy Editor). Typically the first user/owner of the machine is a part of the administrator group. By default there is also a built-in Guest account and an Administrator account and others for the system. Guest and Administrator are disabled by default with blank passwords. If you use a CD or the Windows recovery console and boot into safeboot then you will not get a prompt to log in. That is because no password was set for the Administrator account. You can change passwords and enable/disable those accounts in the Computer Management tool that is a part of the administrator tools that come with Pro. The idea is to have an elevated admin that controls the rest of the users, who are limited users. You can allow/disallow anything you desire with gpedit and (secpol), which is a part of gpedit. Most default policies stop limited users from using any admin tools, even the CLI and install/uninstall. Pro is built around being able to set up a kiosk machine for kids or public use so that they are not borking the machine, without having those machines go to a full-fledged domain controller server. A domain controller server acts similarly. If you join the domain, it pushes the security policies to your client machine. You literally can control anything you so desire, even lock out the start buttons. All they can do is browse the net or be directed to a walled-garden web portal like you would see at a public library or something.



#6 onenil


Posted 10 July 2016 - 04:23 AM

Ick. Well this can either be a long process with a lot of resets or I can try to just unplug. I wonder that there isn't a software program that acts as a wizard for modifying group policy/the registry to customize settings.

 

In any case, thank you all for the info.



#7 ScathEnfys


Posted 10 July 2016 - 11:06 AM

What are you exactly trying to do? Limit the amount of time you spend on the internet? It is quite simple to configure a filter in your router that blocks all internet traffic from x hour to y hour. You can even create several of those filters if you want to have several small windows when you can access the internet. You can then entrust the router's password to your friend.

Of course, if you want something else entirely, feel free to explain further... just can't figure out what it is you are ultimately trying to accomplish.

I'm a full-fledged internet addict

If this is the root of your problem, have you considered counseling to address it? I understand this may be difficult in your situation, but I believe it may be the most effective in the long run. If you wish to continue with a tech solution, please just let me know :)

#8 FreeBooter


Posted 11 July 2016 - 09:02 PM

Windows OS has two groups that user accounts can be members of when an account is created. The first one is the standard user account, which makes the standard user account a member of the Users group; this group has permissions to do non-administrative tasks. A member of the Users account cannot delete Windows system files or modify Windows system files; to do so, User Account Control prompts for an administrator account name and password. Without the password of an account that is a member of the Administrators group, a standard user account cannot complete any administrative tasks. The members of the Administrators group still use Windows as a standard user account, and when a user account that is a member of the Administrators group wants to complete an administrative task, User Account Control prompts to elevate the administrative privileges the user has. OP, have you tried all those permissions under a standard user account? Safe Mode can be entered with an administrator password; without one, any user can start Windows in Safe Mode.

Edited by FreeBooter, 11 July 2016 - 09:07 PM.


Share your knowledge. It's a way to achieve immortality.
- Dalai Lama

 

 


#9 onenil


Posted 11 July 2016 - 09:47 PM

What are you exactly trying to do? Limit the amount of time you spend on the internet? It is quite simple to configure a filter in your router that blocks all internet traffic from x hour to y hour. You can even create several of those filters if you want to have several small windows when you can access the internet. You can then entrust the router's password to your friend.

Of course, if you want something else entirely, feel free to explain further... just can't figure out what it is you are ultimately trying to accomplish.
 

I'm a full-fledged internet addict

If this is the root of your problem, have you considered counseling to address it? I understand this may be difficult in your situation, but I believe it may be the most effective in the long run. If you wish to continue with a tech solution, please just let me know :)

 

I do appreciate that. I think it is, in part, a part of my lifestyle right now: I just don't have responsibilities and it is difficult to get out. So maybe a total unplug is a good idea, at least for the time being. There were some great posts on Reddit that I found and one by a blogger, who said basically "it was the best thing I ever did. Made me go to coffee shops and schedule time for when I really needed to do something."

 

At the current time, I've screwed things up by trying to create user accounts and need to do a fresh install of Windows 10. I think that the program Folder Guard might work on preventing access to Leechblock (a Firefox extension), where it didn't work with Cold Turkey (a program that modified hosts and required .net and some other system properties). I've figured out how to disable Edge and uninstall IE, so it would be the only browser I would have. So going to test this and see whether it works after reconfiguring set up.

 

You've all been great. Therapy might help (I do have ADHD, which can be a problem when you're focused singlehandedly on one thing), but I've looked and there is no one in my large city that takes my insurance and focuses on behavioral addictions. So there's that. I really have to give all of you kudos: you've been so much more helpful and supportive than the sometimes spiteful and dismissive responses I've gotten from some other Windows 10 fora where I've posted this question. I can't imagine that none of the techies who are answering these questions don't have the same problem, so I'm a little bewildered by the arrogance of some people.

 

Thanks so much! Not going to delve into trying to spend days configuring another account and then resetting my computer constantly or figuring out a way to prevent default to settings on resetting the router, it just isn't worth it. If this Leechblock doesn't work 100%, going to take off some computer time and save some $$$. :)



#10 ScathEnfys


Posted 11 July 2016 - 10:34 PM

Alright, good luck and best wishes :)

#11 orlbuckeye


Posted 12 July 2016 - 08:17 AM

Admin rights is a role and you can create as many admin users as you want. Being an admin gives you rights to do most things. So basically you can:

1. Create a group policy with your restrictions

2. Create a non-admin user

3. If you want this for multiple people create a group

4. Assign the user/group to that group policy.

 

http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

 

Command prompt for creating accounts

Creates account: net user [username] [password] /add

Gives admin rights: net localgroup administrators [username] /add

 

 


  • Alienware 18 Intel Core i7 4810 QM 16GB DDR3
  • 18.4" (1920 x1080) 
  • 1 TB Samsung EVO MSATA SSD 1 TB WD 5400 RPM HD 750 GB WD 5400 RPM HD
  • Nvidia GT 860 GM SLI graphics
  • Windows 10 Pro + Surface Book i5 256gb SSD 8gb RAM DGPU

 


#12 ScathEnfys


Posted 12 July 2016 - 10:48 AM

@orlbuckeye that wasn't what the OP was asking, and he seems to have found a solution for now.



