For users to run applications that are not designed to run on Windows XP, a restricted shared administrative account can be created for the purpose of operating nonstandard software, such as Internet-based and network-based multiplayer games. Some older educational programs also require more administrative access than is allowed with a typical Windows SteadyState user account with a restricted shared user profile.
For a list of non-Microsoft programs that do not work with typical Windows SteadyState shared user accounts, see Microsoft Knowledge Base Article #307091.
Note: A restricted shared administrative account for the above scenarios is not necessary for computers running Windows Vista.
A restricted shared administrative account is an unlocked user profile in which most restrictions have been removed. This type of unrestricted user account allows access to the increased permissions necessary to run nonstandard applications.
Before you create a shared administrative account for general users, consider the following questions:
- Can the nonstandard software be upgraded to or replaced with a version that runs correctly with limited user privileges on Windows XP?
- Can the software be removed from your environment with a limited effect on your business needs?
If the answer to either of the preceding questions is “no,” you can create a restricted shared administrative account.
Note: If the shared computer is connected to a network, network policy might prevent you from completing this procedure if you are not an administrator of the network domain.
To add a shared user account to the Administrators group on the computer
1. Log on as the Windows SteadyState administrator. You must also be logged on as an administrator or a member of the Administrators group to add a shared user account to the Administrators group on the computer.
2. Click Start, and then click Control Panel.
3. Do one of the following:
   - If you are running Windows XP, in Control Panel, double-click User Accounts.
   - If you are running Windows Vista, in Control Panel, click Change account type.
4. On the Users tab, under Users for this computer, click the shared user account that you want to add to the Administrators group, and then click Properties.
5. On the Group Membership tab, select the Other option, choose Administrators from the drop-down list, and then click OK.
After the shared user account has been added to the Administrators group, use Windows SteadyState to restrict the shared administrative account's access to all programs and settings, with the exception of the increased permissions that are necessary to run nonstandard applications.
Important: Removing restrictions on a user account to open up administrative access for non-Microsoft software increases exposure to security risks associated with allowing unrestricted accounts in Windows SteadyState, and may produce an unstable environment on the shared computer.
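Because every account in the Administrators group widens this exposure, it helps to confirm that only the intended accounts are members after completing the procedure above. The following script is an added example, not part of the original Windows SteadyState documentation; the account name KioskGames is a hypothetical placeholder for your restricted shared administrative account, and the group name assumes an English-language Windows installation.

```powershell
# Added example: list the members of the local Administrators group and
# flag any that are not on an expected list.
# Assumptions: 'KioskGames' is a hypothetical shared administrative account;
# the group is named 'Administrators' (it is localized on non-English Windows).

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # The WinNT ADSI provider works on older PowerShell versions that lack
    # the Get-LocalGroupMember cmdlet.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $type = $member.GetType()
        $name = $type.InvokeMember('Name', 'GetProperty', $null, $member, $null)
        $path = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath shows whether the member is a local or a domain principal.
        New-Object PSObject -Property @{ Name = $name; ADsPath = $path }
    }
}

function Find-UnexpectedAdmin {
    param([string[]]$Expected)

    # -notcontains compares names case-insensitively.
    Get-LocalAdminMember | Where-Object { $Expected -notcontains $_.Name }
}

# Accounts that are supposed to hold administrative rights on this computer.
$expected = 'Administrator', 'KioskGames'

$unexpected = @(Find-UnexpectedAdmin -Expected $expected)
if ($unexpected.Count -gt 0) {
    foreach ($entry in $unexpected) {
        Write-Warning "Unexpected Administrators member: $($entry.ADsPath)"
    }
} else {
    Write-Output 'Administrators group matches the expected list.'
}
```

Run it from an administrative session after each change to group membership, and again whenever a nonstandard application is retired, so that the shared account can be removed from the group once it no longer needs the access.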
To restrict a shared administrative account
1. Log on as the Windows SteadyState administrator.
2. Click Start, point to All Programs, and then point to Windows SteadyState.
3. On the Windows SteadyState main dialog box, under User Settings, click the shared administrative user profile you created.
4. On the General tab, under General Settings, select the Lock profile to prevent the user from making permanent changes box.
5. On the Windows Restrictions tab, select the High restrictions option. Under Start Menu Restrictions in the list, you may want to leave all of the restrictions selected; clearing any of the restrictions may create a security risk for the shared computer. However, for individual nonstandard applications you can turn off some of these restrictions.
6. In the Hide Drives section, select the drives you want to hide from the restricted administrative user.
To help secure the shared computer, you may want to configure the following restrictions to limit a restricted administrator’s access to system files and program folders:
- On the Block Programs tab, click Browse, and then select sctui.exe. In the left program list, select Windows SteadyState Administrator Utility (GUI), and then click Block. This will prohibit the restricted administrator user account from modifying any settings in Windows SteadyState.
- On the Block Programs tab, click Browse, and then select bubble.exe. In the left program list, select Windows SteadyState Bubble Messages, and then click Block. This will prohibit the restricted administrator user account from saving changes in the cache file that will be deleted by Windows Disk Protection.
- On the Windows Restrictions tab, under General Restrictions in the list, select the Disable Notepad and WordPad check box. This will prohibit the restricted administrator user account from modifying critical scripts and batch files to bypass security.
- On the Windows Restrictions tab, under Start Menu Restrictions, select the Prevent programs in the All Users folder from appearing check box and the Remove the Help and Support icon check box. This will prevent programs from appearing on the Start menu when the restricted administrative user is logged on.
- On the Feature Restrictions tab, click the Microsoft Office Restrictions check box. This will prohibit the restricted administrator from running Microsoft Office programs that are unrelated to nonstandard applications that they are running.