For users to run applications that are not designed to run on Windows XP, a restricted shared administrative account can be created for the purpose of operating nonstandard software, such as Internet-based and network-based multiplayer games. Some older educational programs also require more administrative access than is allowed with a typical Windows SteadyState user account with a restricted shared user profile.

For a list of non-Microsoft programs that do not work with typical Windows SteadyState shared user accounts, see Microsoft Knowledge Base Article #307091.

Note:
A restricted shared administrative account for the above scenarios is not necessary for computers running Windows Vista.

A restricted shared administrative account is an unlocked user profile in which most restrictions have been removed. This type of unrestricted user account allows access to the increased permissions necessary to run nonstandard applications.

Before you create a shared administrative account for general users, consider the following questions:

If the answer to either of the preceding questions is “no,” you can create a restricted shared administrative account.

Note:
If the shared computer is connected to a network, network policy might prevent you from completing this procedure if you are not an administrator of the network domain.

To add a shared user account to the Administrators group on the computer

  1. Log on as the Windows SteadyState administrator. You must also be logged on as an administrator or a member of the Administrators group to add a shared user account to the Administrators group on the computer.

  2. Click Start, and then click Control Panel.

  3. Do one of the following:

    • If you are running Windows XP, in Control Panel, double-click User Accounts.
    • If you are running Windows Vista, in Control Panel, click Change account type.

  4. On the Users tab, under Users for this computer, click the shared user account that you want to add to the Administrators group, and then click Properties.

  5. On the Group Membership tab, select the Other option, choose Administrators from the drop-down list, and then click OK.

After the shared user account has been added to the Administrators group, use Windows SteadyState to restrict the shared administrative account access to all programs and settings, with the exception of the increased permissions that are necessary to run nonstandard applications.
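
To confirm the result of the procedure above and to catch accounts that should not be administrators, the following PowerShell script lists the members of the local Administrators group and compares them with an expected list. It is an added example, not part of the original guidance; the account name SharedAdmin and the expected list are assumptions, and PowerShell 2.0 or later is assumed to be installed.

```powershell
# Added example: audit the local Administrators group on a shared computer.
# $Expected is an assumption: list the accounts you intend to be administrators.
param(
    [string[]]$Expected = @('Administrator', 'SharedAdmin')  # 'SharedAdmin' is a hypothetical name
)

function Get-LocalAdministrators {
    # Resolve the group by its well-known SID (S-1-5-32-544) so the check
    # also works on localized Windows installations.
    $sid   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name  = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    # Members are returned as COM objects; read each Name property via reflection.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Compare-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notcontains compares case-insensitively, which matches Windows account names.
    $unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    New-Object PSObject -Property @{ Unexpected = $unexpected; Missing = $missing }
}

$result = Compare-AdminMembership -Actual @(Get-LocalAdministrators) -Expected $Expected

if ($result.Unexpected.Count -gt 0) {
    Write-Warning ("Unexpected members of Administrators: " + ($result.Unexpected -join ', '))
}
if ($result.Missing.Count -gt 0) {
    Write-Warning ("Expected administrators not found: " + ($result.Missing -join ', '))
}
if ($result.Unexpected.Count -eq 0 -and $result.Missing.Count -eq 0) {
    Write-Output "Administrators group matches the expected list."
}
```

Run the script from an administrator session and pass the real account names with -Expected. On a domain-joined computer, domain groups that are members of Administrators appear by name and must be included in the expected list.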

Important:
Removing restrictions on a user account to open up administrative access for non-Microsoft software increases exposure to security risks associated with allowing unrestricted accounts in Windows SteadyState, and may produce an unstable environment on the shared computer.

To restrict a shared administrative account

  1. Log on as the Windows SteadyState administrator.

  2. Click Start, point to All Programs and then point to Windows SteadyState.

  3. On the Windows SteadyState main dialog box, under User Settings, click the shared administrative user profile you created.

  4. On the General tab, under General Settings, select the Lock profile to prevent the user from making permanent changes box.

  5. On the Windows Restrictions tab, select the High restrictions option. Under Start Menu Restrictions in the list, you may want to leave all of the restrictions selected; clearing any of the restrictions may create a security risk for the shared computer. However, for individual nonstandard applications you can turn off some of these restrictions.

  6. In the Hide Drives section, select the drives you want to hide from the restricted administrative user.

To help secure the shared computer, you may want to configure the following restrictions to limit a restricted administrator’s access to system files and program folders:

  • On the Block Programs tab, click Browse, and then select sctui.exe. In the left program list, select Windows SteadyState Administrator Utility (GUI), and then click Block. This will prohibit the restricted administrator user account from modifying any settings in Windows SteadyState.
  • On the Block Programs tab, click Browse, and then select bubble.exe. In the left program list, select Windows SteadyState Bubble Messages, and then click Block. This will prohibit the restricted administrator user account from saving changes in the cache file that will be deleted by Windows Disk Protection.
  • On the Windows Restrictions tab, under General Restrictions in the list, select the Disable Notepad and WordPad check box. This will prohibit the restricted administrator user account from modifying critical scripts and batch files to bypass security.
  • On the Windows Restrictions tab, under Start Menu Restrictions, select the Prevent programs in the All Users folder from appearing check box and the Remove the Help and Support icon check box. This will prevent programs from appearing on the Start menu when the restricted administrative user is logged on.
  • On the Feature Restrictions tab, click the Microsoft Office Restrictions check box. This will prohibit the restricted administrator from running Microsoft Office programs that are unrelated to nonstandard applications that they are running.