Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Is it possible to self-regulate using OpenDNS?

09 Aug 2015   #1
Michael33

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Is it possible to self-regulate using OpenDNS?

Is it possible to self-regulate internet access using OpenDNS when I'm the sole user of my computer, and would therefore need admin access, and would therefore have access to the DNS settings (defeating the purpose of self-regulation)? I've read in other threads here that it's not possible to restrict certain permissions for anyone with admin status, but could I maybe operate a standard user account? Could I give enough permissions to a standard user account to make it "workable" as a quasi-admin account, while being disallowed to change DNS settings?

It sounds oxymoronic, but thought I would ask.

Thanks,
M33


My System SpecsSystem Spec
.
09 Aug 2015   #2
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Hey M33,

Quote   Quote: Originally Posted by Michael33 View Post
Could I give enough permissions to a standard user account to make it "workable" as a quasi-admin account, while being disallowed to change DNS settings?
No. What you want to do instead is edit the access permissions of the registry key that holds all the DNS settings so that no user can change them.

Which settings in particular are you wanting to lock?
My System SpecsSystem Spec
09 Aug 2015   #3
Michael33

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Quote   Quote: Originally Posted by Pyprohly View Post

No. What you want to do instead is edit the access permissions of the registry key that holds all the DNS settings so that no user can change them.

But as an admin I would still have access/control to/of the registry, which would defeat self-regulation (I could change them back in a moment of weakness). I would either have to enable more permissions for a standard user account for me to use so that I could download/delete programs, etc (if possible), to make life less annoying as a standard user, and then password-protect the admin account (with a password unremembered but accessible) so that I didn't have access to edit the DNS settings...

OR

Possibly utilize the hidden admin? Does the hidden admin have higher level privileges than a regular admin? Can I use the hidden admin to edit the registry, as you mentioned, and then password-protect the hidden admin so a "regular" admin can't access the changes? Or do all admins have access to everything?
My System SpecsSystem Spec
.

09 Aug 2015   #4
LMiller7

Windows 7 Pro 64 bit
 
 

All admin accounts have the same rights and privileges as the built in admin account. The only difference is that it is not subject to UAC. Any restrictions you might impose can be just as easily removed. Also be aware that any admin account can change the password of the built in admin account.
My System SpecsSystem Spec
09 Aug 2015   #5
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Quote   Quote: Originally Posted by Michael33 View Post
But as an admin I would still have access/control to/of the registry, which would defeat self-regulation (I could change them back in a moment of weakness).
Yes, while you will be able to take access back, believe me, you will not know how to, never in a "moment" at least. Having the ability of control is one thing. Knowing how to take control is another.

Quote   Quote: Originally Posted by Michael33 View Post
I would either have to enable more permissions for a standard user account for me to use so that I could download/delete programs, etc (if possible), to make life less annoying as a standard user, and then password-protect the admin account (with a password unremembered but accessible) so that I didn't have access to edit the DNS settings...
To help you stay sane, we will not let you lock yourself out of an administrator account. Using a standard account, exclusively, will perpetually prevent you from installing programs and there's no method to evade that design as far as I know. Take this route and "life" will be annoying.

You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.

Privileges can be taken away from administrator accounts, but privileges cannot be given to standard accounts.

All administrator accounts have equal power. With the built-in Administrator account, all processes run at highest integrity (without UAC prompting, as LMiller7 points out). That's the only observable difference, along with the account being undeletable.

Quote   Quote: Originally Posted by Michael33 View Post
Can I use the hidden admin to edit the registry, as you mentioned, and then password-protect the hidden admin so a "regular" admin can't access the changes?
It doesn't work like that.

Any account can deny any account. You do not have to be in a specific account to restrict a specific account. All can be done from one account.

Quote   Quote: Originally Posted by Michael33 View Post
Or do all admins have access to everything?
No one has access to everything.


Anything you do is a decision on you, but restricting yourself to a standard user is a definite no-go.


... Now, which settings in particular are wanting to lock, Michael?
My System SpecsSystem Spec
09 Aug 2015   #6
Alejandro85

Windows 7 Ultimate x64
 
 

In theory you could change permissions so that standards could write in system areas, but doing so sort-of defeats the purpose of the standard account. Even then, UAC popups can only be satisfied by admin credentials, even if the elevated program uses nothing that really requires an admin account.

Most things can be safely done by using standard accounts. Installing programs can partially be replaced with the so-called "portables" to a certain degree.
The real deal-breaker is the real necessity of an administrator. At some point administrator access is required (more than simply changing DNSs) and you have to have access to such an account from time to time as you suggest. I would try to use the good old method. Find someone else who to trust the admin credential, without telling you, then, when it's really needed ask him to write it in the UAC box


Quote   Quote: Originally Posted by Pyprohly View Post
You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.
This is incorrect. The whole purpose of the existence of the administrators group is to make them "all-powerful" in that they can do anything to the system. As there is no nothing with more privileges than them, save the kernel itself and drivers.
Restrictions can be placed upon admins, but an admin will always have the power to undo those changes, which makes the whole thing more annoying, but ultimately possible.
Could you show what method are you proposing for this?
My System SpecsSystem Spec
09 Aug 2015   #7
Michael33

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

It seems a couple of you are suggesting I can restrict certain admin permissions. Like DNS address-setting permissions? Please be specific.

Pyprohly - which settings am I wanting to lock? You mean other than the DNS address permissions? None. Those are the ones I want to lock.
My System SpecsSystem Spec
09 Aug 2015   #8
Michael33

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Quote   Quote: Originally Posted by Alejandro85 View Post
In theory you could change permissions so that standards could write in system areas, but doing so sort-of defeats the purpose of the standard account.....Most things can be safely done by using standard accounts. Installing programs can partially be replaced with the so-called "portables" to a certain degree.

I don't know what "portables" are. Please explain.
My System SpecsSystem Spec
09 Aug 2015   #9
Alejandro85

Windows 7 Ultimate x64
 
 

Quote   Quote: Originally Posted by Michael33 View Post
I don't know what "portables" are. Please explain.
Portables are programs that run without any kind of formal installation procedure, by just copying the files over to some location and running directly from there. They just store everything they need within that folder and don't touch anything outside it. As they don't touch system areas at all, there is no need of admin permissions to install them at all.

Most programs distribute an installer instead, which needs admin permission to run, due to they writing to key system areas (program files folders and some might dump a registry entry). After that initial installation they run without being admin at all.

Look at wikipedia for example for more details: https://en.wikipedia.org/wiki/Portable_application
My System SpecsSystem Spec
11 Aug 2015   #10
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Quote   Quote: Originally Posted by Alejandro85 View Post
Quote   Quote: Originally Posted by Pyprohly View Post
You suggest that all admin accounts have complete unrestricted access to everything. This is untrue. It's all just default Windows settings. You may go the extra step and strip and suppress all admin accounts of their power, however you may not give that power to standard accounts.
This is incorrect. The whole purpose of the existence of the administrators group is to make them "all-powerful" in that they can do anything to the system. As there is no nothing with more privileges than them, save the kernel itself and drivers.
Restrictions can be placed upon admins, but an admin will always have the power to undo those changes, which makes the whole thing more annoying, but ultimately possible.
Could you show what method are you proposing for this?
Okay, it probably was a stretch saying that all administrator accounts do not have complete unrestricted access to everything. I've emphasised my point a little far. Administrators are 'all-powerful' in that they do have the ability to make any change to the system they wish, you are right. And I would like to highlight that point you make about restrictions on admins,

Quote   Quote: Originally Posted by Alejandro85 View Post
Restrictions can be placed upon admins, but an admin will always have the power to undo those changes
This is exactly the point I would have liked to convey instead. Privileges can be taken away and restrictions can be placed on Administrators, but they will always have the power to regain those privileges or un-restrict themselves (despite any amount of restrictions they have, or privileges they don't), though it can become difficult to do so, to the point where 'all-powerful' becomes questionable.

For instance, no administrator can just jump into System32 and massacre every file immediately. They'd have to first grant themselves the correct permissions. In order to do that they must first take ownership of all the files--which any administrator can do at any time--no matter how badly denied they are to those files. The fact that any administrator can take ownership at will is due to a Windows setting allowing them to do so, by default. Using Group Policy, this privilege can be taken away from them, making it harder to touch those files in System32. Then Group Policy can then be restricted by setting one registry value in Regedit, then Regedit can be blocked by using the Command Prompt to make registry changes instead. And one could even block the Command Prompt by using the Command Prompt itself, after blocking PowerShell of course. (You'd still be able to run commands, but) here would sort of be the 'furthest possible point' away from ever being able to, well, delete all those System32 files. Anyone at this point who could use an administrator account to delete every last file in System32 really deserves a cookie. If you could cheat a bit by booting into another OS to delete that command that edits registry keys (namely Reg.exe), then you'd truly have administrator accounts without their 'all-powerful'-ness, being restricted to at least something, that something being able to delete System32.

It's a real stretch but at this point, using an administrator account on its own could not undo those steps.



Quote   Quote: Originally Posted by Michael33 View Post
Pyprohly - which settings am I wanting to lock? You mean other than the DNS address permissions? None. Those are the ones I want to lock.
Alright then. I'm going to assume you are referring to all the settings shown in the image of step 7 in this tutorial.

I've attached two batch files to this post. One of them will lock the DNS settings, other will unlock them. Both batch files require the SubInACL command which you can get from here.

To use the batch files I've attached:
1. download and install the SubInACL.msi package at that link above,
2. take just the SubInACL.exe command from the location you've installed it to,
3. uninstall the SubInACL package,
4. download one of the batch files in this post,
5. place that batch file in the same folder as the SubInACL.exe command,
6. run the batch file, then delete both the batch file and the SubInACL.exe command.

Yes, to promote your self-regulation, M33, these steps are purposely lengthy. Oh, and the commands that the batch files execute are mostly encoded, so you'll not know what registry keys are being edited in order to lock the DNS settings.

When ever you need to unlock the DNS settings, all you have to do is locate this thread and follow those steps.



Edit: faulty scripts removed.
My System SpecsSystem Spec
Reply

 Is it possible to self-regulate using OpenDNS?




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Cisco to buy OpenDNS
Cisco to buy OpenDNS for $635 million to boost security business | Reuters
News
Opendns will not work.
Hi everyone out there, I am attempting to use open dns. I have followed the directions to the letter for making it work with my router: https://store.opendns.com/familyshield/setup/device/dlink-dir-655 I have done everything it stated, cleared all cahces etc and it will not work. The testing...
Network & Sharing
Opendns or not?
Is it a good idea to run opendns or a bad one? I use WildBlue through, Dish. Thanks! :)
Network & Sharing
Will OpenDNS Really Speed Up My Internet?
I'd never heard of this but read about it on another forum. Will this really speed up my internet? I have a TWC Road Runner cable modem, a Linksys wireless router which I use wired, and I use a static IP address because I have port-forwarding. Thanks!
Network & Sharing
OpenDNS + PS3
Hey Guys, I was having some previous problems with my computer and websites and I decided to use OpenDNS (the free service with their two IP addresses), all the websites are working fine now, but for some reason I'm having issues playing games online with my PS3, it signs into the Playstation...
Chillout Room
WHS - Power Pack 3 and OpenDNS
More...
News


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 12:06.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App