Standard Users Privileges

Hello,

There is no good and easy solution for you.

The problem is that the vast majority of software installations require
administrator access because they install for all users of the computer.

Software that only installs for the current user won't need admin power,
and so standard users can install these, but most software won't give
you the option to do this.

It is up to the individual software to allow standard users to install
them - Windows has no control over this.

I'm afraid the best solution is for your son to bother you, the
administrator, when he wants to install something that needs permission.

--
- JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

JB,

You are right, there is not good and easy solution for me.

I would be able to do this if i setup a Windows 2003 or 2008 server with
Active Directory, right?

What about third party add-ons?

Won't Microsoft address this issue in the future? There are times when my
son needs to install some software for school in the afternoon, while i'm a
work, in order to do an assignment.

Hey, could I used Microsoft's SharedView to install the software for him?

Thanks for your helpful reply!

--
Sam M.
Software Quality Assurance (SQA) Engineer


"Jimmy Brush" wrote:

> Hello,
>
> There is no good and easy solution for you.
>
> The problem is that the vast majority of software installations require
> administrator access because they install for all users of the computer.
>
> Software that only installs for the current user won't need admin power,
> and so standard users can install these, but most software won't give
> you the option to do this.
>
> It is up to the individual software to allow standard users to install
> them - Windows has no control over this.
>
> I'm afraid the best solution is for your son to bother you, the
> administrator, when he wants to install something that needs permission.
>
> --
> - JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ - http://www.jimmah.com/vista/
>

Sam wrote:
> JB,
>
> You are right, there is not good and easy solution for me.
>
> I would be able to do this if i setup a Windows 2003 or 2008 server with
> Active Directory, right?

No. In all cases, an administrator must authorize a program to be
installed, whether it is by actually installing the program him/herself,
or by preauthorizing it to be installed.

(And no, you can't just preauthorize "any program", as far as i know).

> What about third party add-ons?

What you are wanting is to allow certain programs to be able to run "as
administrator" by standard users, without asking for a password.

But you want to be able to control which programs the standard user can
use this on.

This is not really supported in Windows, and I am not aware of any
program that allows this, taking into account that you won't know the
program name in advance.

The reason is for security: Once the standard user can run
administrative programs, they're not really a standard user anymore.

> Won't Microsoft address this issue in the future? There are times when my
> son needs to install some software for school in the afternoon, while i'm a
> work, in order to do an assignment.

Unfortunately, this is really something that the people who make
software have to address, it can't be fixed by Microsoft.

Microsoft allows software developers to install software for a single
user and not require admin powers. They simply do not do it, for
whatever reason.

> Hey, could I used Microsoft's SharedView to install the software for him?

No.

> Thanks for your helpful reply!
>

You're welcome.

I will offer a possible solution.

Note that this solution (and really any solution to this particular
problem) results in giving your son administrator power, and just hiding
the features that you do not want him to use. It doesn't really stop him
from doing anything, it just makes it more difficult.

(I imagine this is the reason that Microsoft depreciated power users ...
Power users are really administrators that pretend to not have full
power. This is just pretend though; it is trivial to go from a power
user account to an administrator account.)

Anyway, you mentioned that the power users solution worked for you,
except that he could still access parental controls, and change other
people's passwords.

A solution here is to remove access to the user accounts control panel.

- Click start
- Type: mmc.exe
- press enter
- Click file -> add/remove snap-in
- Click on "Group policy object editor"
- Click add
- click the browse button
- click the users tab
- select your son's username
- click OK, finish, ok
- in the left, expand Local Computer, User Configuration, Administrative
Templates
- Click on Control Panel
- double-click Hide specified control panel options
- click enabled
- click show
- click add
- type: user accounts
- click ok
- click add
- type: parental controls
- click ok
- click add
- type: set up parental controls for any user
- click ok, ok, ok

This will prevent him from managing parental controls and other user
accounts from the control panel.

Note that he can still change passwords by pressing ctrl-alt-delete. To
prevent that, there is an option to 'remove change password' under
Administrative Templates -> System -> Ctrl + Alt + Delete options.

(You might want to browse through these settings, there are all sorts of
neat things you can customize)

As you may have guessed, this will also hide the tool he uses to change
his own password.

You've got to make a choice: allow him to change his own password on
demand at the risk of him easily changing other user account passwords,
or make him tell you when he wants to change his password.

If you do the latter, you can allow him to change his password when he
asks you by doing this:

- Click start
- right-click computer
- click manage
- expand local users and groups
- click users
- right-click his account and click properties
- uncheck password never expires
- check user must change password on next logon

Once he's changed his password, you can re-check password never expires.

As I mentioned before about just hiding stuff and not really preventing
anything, he can use the 'net' command-line utility to change other
peoples passwords, and theres no easy way to prevent this, short of
keeping him from opening a command prompt.

--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

Sam wrote:
> Hey, could I used Microsoft's SharedView to install the software for him?

Heh, spoke too soon... if you are available at work while he is at the
computer and online, yes.

You could also have him send you a remote assistance request, which will
allow you to take over his screen.

or, install a free third-party remote access solution such as www.uvnc.com.


--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/

JB,

I really loved the solution that you provided for me in your previous post!
I think that hiding the Control Panel items will work.

This solution will work at least until he figures out how to use the 'net"
command-line utility, and he probably will, or until he runs the
manufacture's image restore utility and makes himself the administrator and
me a standard user, and he probably will LOL.

Thanks for the Microsoft SharedView update.
I am glad that that will solution will work also.

--
Sam M.
Software Quality Assurance (SQA) Engineer


"Jimmy Brush" wrote:

> Sam wrote:
> > Hey, could I used Microsoft's SharedView to install the software for him?
>
> Heh, spoke too soon... if you are available at work while he is at the
> computer and online, yes.
>
> You could also have him send you a remote assistance request, which will
> allow you to take over his screen.
>
> or, install a free third-party remote access solution such as www.uvnc.com.
>
>
> --
> -JB
> Microsoft MVP - Windows Shell/User
> Windows Vista Support FAQ - http://www.jimmah.com/vista/
>

Well,

Looks like I'm gonna have to eat some crow on this one.

Turns out I was wrong.

You can allow standard users to install any program they want - as long
as it uses a certain type of installer (MSI).

I believe the majority of installers use MSI, but that doesn't mean that
a certain program that your son might try to install won't use this
install method, so this may not be a perfect solution for you.

But it is easy and more secure than my other solution (although the
caveat still stands that this is just "hiding" - a crafty person can
take advantage of this privilege to turn their account into a full-blown
administrator account).

If you want to try this out, you can remove your son's membership from
the power users group, remove the blocks you added before for the user
accounts control panel (so he can change his password), and then set up
these settings:

- Click start
- Type: mmc.exe
- press enter
- Click file -> add/remove snap-in
- Click on "Group policy object editor"
- Click add
- click finish (to accept the default of local computer)
- click ok
- in the left, expand Local Computer Policy, COMPUTER Configuration,
Administrative Templates, Windows Components
- Click on Windows Installer
- double-click Always install with elevated privileges
- click enabled
- click ok
- Click file -> add/remove snap-in
- Click on "Group policy object editor"
- Click add
- click the browse button
- click the users tab
- select your son's username
- click OK, finish, ok
- in the left, expand Local Computer\YOUR SON'S USERNAME, USER
Configuration, Administrative Templates, Windows Components
- Click on Windows Installer
- double-click Always install with elevated privileges
- click enabled
- click ok


--
-JB
Microsoft MVP - Windows Shell/User
Windows Vista Support FAQ - http://www.jimmah.com/vista/