I need to set up a user in Vista with less permission than the standard user
account. For example, I don't want the user to be able to create ANY files
outside of the profile. I don't want the user to be able to change the
wallpaper or the screen saver. I need to limit the user's access to the
Control Panel more than usual.
Etcetera, etcetera.
How can I customize the account in this way?

"Aetherial" wrote in message
...
I need to set up a user in Vista with less permission than the standard
user
account. For example, I don't want the user to be able to create ANY files
outside of the profile. I don't want the user to be able to change the
wallpaper or the screen saver. I need to limit the user's access to the
Control Panel more than usual.
Etcetera, etcetera.
How can I customize the account in this way?

Exactly how will this computer be used? Different methods are available for
different types of uses. For instance, a public computer needs more
restrictions than an office machine meant for sales people to keep their
records. In general, however, you can:

1) Create a custom user group. Make it a member of the User's group

2) Create the user, adding them to that group and removing that specific
account from the Users group.

3) In NTFS permissions for the Public folders and other folders to which the
Users group can write, use Advanced to deny the custom user group create,
append, and write permissions.

4) Use the group policy snap-in to limit other system options.

Will these less-than-standard users need actually to save documents
permanently? If not, then consider using the Guest account. Any changes
they make to the desktop will be forgotten when they log off, and you can
similarly use group policy to limit them even more from those parts of they
system that you don't want them in. However, if they need to save documents
permanently, you can create a special folder for them.

There are other things to consider in accomplishing what you want, too.
Hopefully, others will reply with their ideas. And if this machine is part
of a domain, the procedure is different.

I recommend consulting a professional for help with this. You might miss
something important or restrict too much.

--
David Dickinson
eveningstar at die-spammer-die dash mvps dot org
Please reply only to the newsgroup, not by email.

I work at a public special-purpose lab attached to a university domain. We
are upgrading to Vista over the summer.
We are also changing the way the lab computers work with the university
domain. Currently, being attached to the domain on XP gives us problems
because users log in using their university account. We don't want them to do
this, so we are limiting domain access. Instead we are making a standard disk
image with the user accounts as we want them, then deploying that image among
all the lab computers.
We considered Guest accounts, but ultimately decided against it because we
need some files and application shortcuts always available, and because we
had problems with using certain system features as Guest. Instead, the
standard account runs a script from a local server which cleans out the
account info between uses. This will also be changed if we find a better
solution.
Essentially, the account I'm working on needs to be only somewhat more
relaxed than say, a public library or internet cafe. The main difference is
that we need a variety of applications to run without a problem on that
account.

"Aetherial" wrote in message
news
Essentially, the account I'm working on needs to be only somewhat more
relaxed than say, a public library or internet cafe. The main difference
is
that we need a variety of applications to run without a problem on that
account.

Then my original suggestion may suffice. But every time you login on the
machine as an administrator, you'll have to use the group policy object
editor snap-in to allow the administrator to do what needs to be done.
However, if you did use the Guest account, running the with software
elevated privileges and assigning a certain folder for saved data might
work. You can always set up the default user with the environment you want
for guests. It might be worth testing that configuration to avoid the
shortcomings of using the local group policy object editor and configuring a
special user.

--
David Dickinson
eveningstar at die-spammer-die dash mvps dot org
Please reply only to the newsgroup, not by email.