Windows 7 Forums

Windows 7: Custom User Restrictions(ideally Admin rights -new account creation)

24 Jun 2016   #1
Gargtholomew

Win7 ult x64
 
 
Custom User Restrictions(ideally Admin rights -new account creation)

Just wondering if it is possible to leave admin status on a user account while removing the ability to make new accounts. Alternatively, could one make a standard account have admin-style (i.e. altering files, running files as an admin/in admin mode, etc.) rights except the creation of new accounts? Just wondering if that is possible in Windows vanilla or with other software.

If this is answered elsewhere please just post link.

Thank you very much for your time.


24 Jun 2016   #2
Alejandro85

Windows 7 Ultimate x64
 
 

It's not possible.

Administrator accounts are, by design, capable of doing anything; that's the idea of having them in the first place. There are a few ways of imposing restrictions on admin accounts, but being an admin means that the user can simply lift them himself.

The alternative you propose is quite possible, within the limits of normal user accounts. Any account can manage the files within its own profile at will, and change all its personal settings, but nothing else. To perform admin-only tasks, he can use UAC to elevate, where he must provide an admin user/password to gain his privileges temporarily (to be true, it's the admin who actually does that, but within a standard user session, this being the scenario where UAC shines).

What's your idea about this? What do you want to achieve?
26 Jun 2016   #3
Gargtholomew

Win7 ult x64
 
 

I thank you for your response and information. I am trying to prevent my son from getting around the Windows Family Safety monitoring software by making a new profile on his computer, but I would like him to retain most other admin rights since other than porn he's a good kid. From what I have read it seems Windows family monitoring is a well-rounded choice; it just seems to have its limits and I was hoping to work around them. I would not like to have to use UAC all the time for him to have "normal" use of his computer.

Also, perhaps yourself or someone else knows if this is possible under Windows 10? Not sure if the family monitoring is better for it or not.

Perhaps I am missing an even better option that you know of anyway.

Thank you again for your time in this matter.

26 Jun 2016   #4
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

You could consider VoodooShield (Pro) if you want him to retain admin rights. It's possible to password protect the application and set it to "Autopilot Mode" - makes all decisions automatically on which files and command lines are allowed to run. Configuration might be an issue for new users.

Note: AutoPilot Mode may only be available in Beta version. The product is undergoing constant improvement and development and new features are added once they have proved to be stable. Also I personally use the Pro (paid for) version and currently have a beta version installed.

Basically after some initial configuration if any new non whitelisted executable attempts to launch or any non whitelisted command line you get a pop up like this:
[Screenshots: vs-1.jpg, vs-2.jpg]
File safety is determined and the user can choose to allow the file to run. In "Autopilot Mode" the decision is made entirely by VoodooShield so the file shown in the above screenshots would be blocked and blacklisted.

There's a user guide for the current stable version here:

Code:
http://www.voodooshield.com/Download/VoodooShieldUserGuide.pdf
Note: That version does not include Autopilot Mode.

I'm not recommending the software - just posting the info for consideration.


26 Jun 2016   #5
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Okay forget that last post. It won't prevent creation of another user account. Actually even if you only let him have a standard user account there are ways around restrictions that will allow him to create new user accounts.

Dig about in your router settings and take a look at this:

https://dns.norton.com/configureRouter.html
26 Jun 2016   #6
Gargtholomew

Win7 ult x64
 
 

Thank you very much for your time and information. I will try your suggestion as I have tried OpenDNS before, however for some reason it stopped working. I will have to find a way to lock the router away, won't I, to prevent him from just resetting it? He's less computer savvy than I am (so that's why I wanted to try that other stuff first) but hopefully not willing to damage anything when alone.

I will try that and let you know, if in the meantime any other suggestions are available please do not hesitate to let me know.

Thank you again.
26 Jun 2016   #7
Alejandro85

Windows 7 Ultimate x64
 
 

Those are opposing requirements. If you want to limit anything, the user MUST be standard.
Admins, by design, have control over everything, including removing any restriction placed on them by any means. An admin account can impose restrictions, but can also lift them, install and uninstall software at will, and virtually owns the system. The only way to prevent those is to deprive the account of administrator access.


Quote: Originally Posted by Callender
Actually even if you only let him have a standard user account there are ways around restrictions that will allow him to create new user accounts.

Standard user accounts cannot create new user accounts, nor change anything about other accounts or delete them. At most, they can change their own password, and only if an admin allows that. If that were possible, it would defeat the purpose of the standard account.
26 Jun 2016   #8
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Surely Admin Accounts can be created using a boot CD? RE: Locking router away. Routers have passwords.
26 Jun 2016   #9
Alejandro85

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by Callender
Surely Admin Accounts can be created using a boot CD? RE: Locking router away. Routers have passwords.

Yes, it's possible to circumvent pretty much every limitation by using an external OS, or putting the hard disk into another computer. You can tweak anything with an offline OS, including things you don't normally have permissions for.

This is actually a much greater problem. A person with access to the computer can always do that, no matter how many restrictions you put in place. If the OS isn't running it obviously can't prevent such things (and this isn't a vulnerability of Windows, any OS is susceptible to the very same thing).

The real problem is physical access. Anyone with it can simply boot off another medium and bypass the OS completely. You can even remove the HD and the attacker will use that boot CD with a portable OS to do whatever he wants with the hardware. There is no way around this.
Full disk encryption prevents tampering with the OS (without knowing the password), but they can still use it from the mobile OS, or just wipe your disk, or try to discover your password.

The same kind of attack is possible against the router. You can put a password on its admin interface, then the attacker disconnects it and uses its special reset button and every setting (including the password) goes to default again. All because they have physical access to the equipment.

The moral of the story is that physical access means "game over, the attacker won".
The best we can aim to do is to protect things with an online OS, but with physical access you can't prevent attacks against it going offline.
26 Jun 2016   #10
Gargtholomew

Win7 ult x64
 
 

Quote: Originally Posted by Gargtholomew
I will have to find a way to lock the router away won't I to prevent him from just resetting it?

I guess that is really my best solution. Doing the above combined with the IP re-route. Thank you very much guys and have a great day. I will let you guys know if I come up with something else that works.
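
Added example, not part of the thread and not written by any poster: since the replies agree that an administrator account cannot be stopped from creating accounts, the remaining control on the machine is detection. This PowerShell script, run from an elevated prompt, reports local accounts added since a saved baseline and the matching Security log events; the baseline path is a hypothetical choice, and it assumes account-management auditing is enabled.

```powershell
# Added example, not from the thread. Reading the Security log needs an elevated prompt.
# Assumption: $baselinePath is a hypothetical location chosen by the parent.
$baselinePath = 'C:\ParentAudit\baseline.txt'

# 1. Current local accounts (WMI is available in the PowerShell 2.0 shipped with Windows 7)
$accounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object -ExpandProperty Name

# 2. Members of the built-in Administrators group, found by its well-known SID
#    so the lookup also works on non-English Windows installs
$adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/$($adminGroup.Name),group"
$admins = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# 3. First run saves the baseline; later runs report any account not in it
if (-not (Test-Path $baselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $accounts | Set-Content $baselinePath
    Write-Output "Baseline saved: $($accounts -join ', ')"
} else {
    $known = Get-Content $baselinePath
    $new   = $accounts | Where-Object { $known -notcontains $_ }
    if ($new) { Write-Output "Accounts not in baseline: $($new -join ', ')" }
    else      { Write-Output 'No accounts added since baseline.' }
}
Write-Output "Administrators: $($admins -join ', ')"

# 4. Security log events:
#    4720 = user account created
#    4732 = member added to a local security group
#    1102 = audit log cleared (an admin can erase the log, but clearing is itself logged)
$filter = @{ LogName = 'Security'; Id = 4720, 4732, 1102 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

As the replies above note, an administrator can also delete the baseline file or change accounts from an offline OS, so this only records changes made through the running system.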