User Account Restrictions Help

Discussion in 'Windows 7 Help and Support' started by Jalke, Jun 28, 2016.

  1. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    Pretty simple. I created a second user account for my PC. I'm trying to allow it full access & free modifying rights to its desktop, & external drives. No looking through anywhere else on the computer, but able to use shortcuts on the desktop to run programs, along with generating new video files, copying files from another drive... complete editing freedom on the desktop.



    Online suggested Gpedit.msc which I used to restrict access to the C drive whilst allowing use of any desktop items. But this just screwed my other account that could no longer access the C drive, & I couldn't copy / edit items on the Second User's desktop anyway.

    I was trying to Properties -> Security -> Allow/Disallow aspect, but when I ticked one box, it forced all the other boxes to follow/untick. Made no sense.



    Can someone help me out please?
     
  2. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,528
    Likes Received:
    312
    I recommend you formate the hdd and start again... after making any backups needed
     
  3. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    What? Why?

    Edit: Removed the gpedit.msc's restriction so I can still access the C drive. I simply meant it wasn't a viable option because it becomes a nuisance.
     
  4. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,381
    Likes Received:
    360
    Using local group policy is going to restrict access for everyone. You would need enterprise level group policy to do this. Why not just make the second user a standard account. That way that can't do much on the C drive and already have full access to their profile.
     
  5. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    It's more of a "restrict nosiness" & "only allow one or two applications to run".

    So what you're saying is, with my current windows built, I can't achieve this?
     
  6. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,381
    Likes Received:
    360
    Not easily no. If you don't want them looking through the C: drive,
    • Right click on the C: drive > properties > Security.
    • Add the second user account, un-check all the allows and select Deny for "List folder content" (they could still see the content if they are proficient with the command prompt, but other wise they cant browse the C: drive)
     
  7. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    I tried that - but I hit "Deny" on "List Folder Content", but then it deselects EVERYTHING on allow. So I Can't seem to allow anything.

    In addition - if I hit one box on the "Allow" side, it sets them all to allow. What's up with that?
     
    #7 Jalke, Jun 28, 2016
    Last edited: Jun 28, 2016
  8. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,528
    Likes Received:
    312
    the list is top heavy i.e, sellecting allow on a box covers all below it... be VERY careful with deny.
    why does this second account need to be locked out of the c drive?
     
  9. BIGBEARJEDI

    BIGBEARJEDI Honorable Member
    Premium Supporter

    Joined:
    Jan 28, 2013
    Messages:
    1,778
    Likes Received:
    214
    unless you have Win7 Pro, Business, or Enterprise version of Win7 GP policy won't work as you are attempting to do. :noway: So if you have any other Win7 version such as Starter, Basic, or Home; you simply can't do it. Period. You should take our suggestions above to restrict C: drive browsing by another user on your computer by limiting their Account-Type to Standard or Guest as mentioned.

    It turns out that you can buy programs that will accomplish this in the low-end versions of Win7; but they are pretty expensive. In the olden day of XP; you can use something called STEADY STATE from Microsoft and it was availble only with a TechNet annual subscription which most companies paid $600 to $1200 per year for. I don't know if this app suite is available for Win7 low-end editions or not, but it's a lot of work to setup, and requires expert level windows programming skills. If you work in an IT shop or for a Microsoft Partner or Distributor you might be able to find out if this program is still available for Win7 as I mention and get some help making it work if you do get a copy. I spent over 100 hrs. making it work on a couple of XP computers at my local senior center to keep the oldsters from continuously scrambling their 2 PCs. Methods we mention to you above are FREE and a lot less work.;)

    Good luck to you,
    <<<BIGBEARJEDI>>>
     
  10. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,381
    Likes Received:
    360
    Deep Freeze does the same as steady state and you can get single licenses for about $50.
     
    BIGBEARJEDI likes this.
  11. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    Turns out I have Windows 7 Professional :bigtongue:
     
  12. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    I'm letting a younger sibling use the PC to do work, & thus barring any distractions that my Completely-Filled-Up-With-Games-And-Porn PC my bring.

    Yes, just confirming one last time (also noting that I have Win7-Pro if it provides an easier solution), after selecting the User in C -> Properties -> Security tab [user being:: WorkUser (JALKE\WorkUser)] it warns me that I'm about to change permissions on the root directory of the startup disk, which could result in unexpected access problems & the reduction of security. I'm sure it's fine as I'm doing this to a secondary Standard Account as opposed to the Primary Account, but just in case - there's not going to be some paradoxical event that'll force me to re-format the Drive again, right? This is safe? o_O
     
  13. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,381
    Likes Received:
    360
    Yes it will work fine, what you are doing is layered permissions. From the Users group applied the other user should still maintain Read & Execute so the user will function and Deny "List folder contents" from the user specific ACL you are applying.
     
  14. BIGBEARJEDI

    BIGBEARJEDI Honorable Member
    Premium Supporter

    Joined:
    Jan 28, 2013
    Messages:
    1,778
    Likes Received:
    214
    >>>Thanks, Neemo! That's the one I couldn't think of. I know people using this in their companies and it works fine.<<<
    BBJ
     
  15. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    The problem with this, is that it directly conflicts with my previously stated criteria, as follows:
    As for Steady State / Deep Freeze, I don't possess expert level windows programming skills (or so I don't believe), so it looks like I'll have to give this a pass.
     
  16. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,528
    Likes Received:
    312
    while their desktop is on the c drive its also inside their username account folder... in any event, perhaps you should consider a multiboot option?

    the idea is to add a second hdd to the machine and install windows on this drive as a "stand alone" system that does not interface with the 1st (i.e, your) hdd... once you set it up, the worse thing that can happen from your sibling is that he buggers that 2nd hdd and you can always format and start agian.
     
  17. Jalke

    Jalke New Member

    Joined:
    Jun 28, 2016
    Messages:
    8
    Likes Received:
    0
    A really silly point, but I don't like multibooting. Do you think I could relocate the 2nd UserAccount to my E drive or something? So when it uses that user, its desktop is separate from the C drive?
     
  18. ussnorway

    ussnorway Windows Forum Team
    Staff Member Premium Supporter

    Joined:
    May 22, 2012
    Messages:
    2,528
    Likes Received:
    312
    ime the honest answer is no... Microsoft makes systems by the million and when you step outside the norm Windows will be buggered up unless you really know what you are doing the c drive is where your system needs to stay.
     
  19. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,381
    Likes Received:
    360
    Manipulating the ACLs on the C drive would work. The user could still save to the desktop. All "List content" does it prevents the user from navigating to the directory in explorer. Read access would still be intact due to the Users group.
     

Share This Page

Loading...