Custom User Restrictions(ideally Admin rights -new account creation)

Just wondering is it is possible to leave admin status on a user account while removing the ability to make new accounts. Alternatively could one make a standard account have admin style(ie. altering files, running files as an admin/in admin mode, etc.) rights except the creation of new accounts? Just wondering if that is possible in Windows vanilla or with other software.

If this is answered elsewhere please just post link.

Thank you very much for your time.

It's not possible.

Administrator account are, by design, capable of doing anything, that's the idea of having them in the first place. There are a few ways of imposing restrictions on admin accounts, but being an admin means that the user can simply lift them himself.

The alternative you propose is quite possible, within the limits of normal user accounts. Any account can manage the files within his own profile at will, and change all his personal settings, but nothing else. To perform admin-only tasks, he can use UAC to elevate, where he must provide an admin user/password to gain his privileges temporarily (to be true, it's the admin who actually do that, but within a standard user session, this being the scenario where UAC shines).

What's your idea about this? What do you want to achieve?

I thank you for your response and information. I am trying to prevent my son from getting around the windows family safety monitoring software by making a new profile on his computer but I would like him to retain most other admin rights since other then porn he's a good kid. From what I have read it seems windows family monitoring is a well rounded choice, it just seems to have its limits and I was hoping to work around them. I would not like to have to use UAC all the time for him to have "normal" use of his computer.

Also perhaps yourself or someone else knows if this is possible under window 10? Not sure if the family monitoring is better for it or not.

Perhaps I am missing an even better option that you know of anyway.

Thank you again for your time in this matter.

Thank you very much for your time and information. I will try your suggestion as I have tried open DNS before, however for some reason it stopped working. I will have to find a way to lock the router away won't I to prevent him from just resetting it? He's less computer savvy than I am(so that why I wanted to try that other stuff first) but hopefully not willing to damage anything when alone.

I will try that and let you know, if in the meantime any other suggestions are available please do not hesitate to let me know.

Thank you again.

Those are opposing requirements. If you want to limit anything, the user MUST be standard.
Admins, by design, have control over everything, incluiding removing any restriction placed on them by any means. An admin account can impose restrictions, but can also lift them, install and uninstall software at will, and virtually owns the system. The only way to prevent those is to derprive the account of administrator access.

Callender said:

Actually even if you only let him have a standard user account there are ways around restrictions that will allow him to create new user accounts.

Standard user accounts cannot create new user accounts, nor change anything about other accounts or delete them. At most, they can change their own password, and only if an admin allows that. If that were possible, it would defeat the purpose of the standard account.

Callender said:

Surely Admin Accounts can be created using a boot CD? RE: Locking router away. Routers have passwords.

Yes, it's possible to circumvent pretty much every limitation by using an external OS, or putting the hard disk into another computer, you can tweak anything with an offline OS, including things you don't have permissions normally.

This is actually a much greater problem. A person with access to the computer can always do that, no matter how many restrictions you put in place. If the OS isn't running it can't obviously prevent such things (and this isn't a vulnerability of Windows, any OS is susceptible to the very same thing).

The real problem is physical access. Anyone with it can simply boot off another medium and bypass the OS completely. You can even remove the HD and the attacker will use that boot CD with a portable OS to do whatever he wants with the hardware. There is no way around this.
Full disk encryption prevent tampering with the OS (without knowing the password), but they can still use it from the mobile OS, or just wipe your disk, or try to discover your password.

The same kind of attack is possible against the router. You can put a password on its admin interface, then the attacker disconnect it and uses it's special reset button and every setting (including the password) goes to default again. All because they have physical access to the equipment.

The moral of the history is that physical access means "game over, the attacker won".
The best we can aim to do is to protect things with an online OS, but with physical access you can't prevent attacks against it going offline.

Gargtholomew said:

I will have to find a way to lock the router away won't I to prevent him from just resetting it?

I guess that is really my best solution. Doing the above combined with the IP re-route. Thank you very much guys and have a great day. I will let you guys know if I come up with something else that works.