Comments on: How to set up group permissions in Windows XP?

Question: How to set up group permissions in Windows XP?

Khalad — Wed, 02 Jan 2008 09:23:21 -0800

In Windows, how can I set up a group that has permission to create/edit/delete user accounts?

I'm trying to lock down a Windows XP Pro machine as tightly as possible. What I want to do is have a user called 'admin' who users can log in as. This is not a real administrator account; the only thing it should be able to do is create, edit, and delete other user accounts. 'admin' should not have any other extra abilities. The permissions need to be as fine-grained as possible.

This is to meet DoD Navy requirements. My approach until now had been to simply make 'admin' a member of 'Power Users'. But that is not a viable approach since power users can do a whole lot more than just create and delete accounts. The DoD's automated security tool produces gobs of findings about this abuse of 'Power Users'.

So, what I'd like to do is have a group called 'User Administrators', add 'admin' to that group, and set it up so that group has the ability to manage user accounts. This Windows machine is not on a domain and does not have network access, so I only need to (can only) do this using local security policies.

By: JaredSeth

JaredSeth — Wed, 02 Jan 2008 09:54:44 -0800

Correct me if I'm wrong, but wouldn't allowing account provisioning by someone other than an administrator be a violation of DoD requirements anyway?

By: Khalad

Khalad — Wed, 02 Jan 2008 10:35:50 -0800

Well, the purpose is to move away from the old way of doing things, where systems came with a default set of built-in accounts that the sailors use. One of the information assurance improvements they want to make is to have individual accountability, so every user must have their own account.

The way to do that is to have an account administrator role. That is the only shared account. The account administrator creates accounts for each individual sailor.

By: JaredSeth

JaredSeth — Wed, 02 Jan 2008 19:43:19 -0800

Khalad, I've been thinking about this on and off all day: could you code up some executables (heck, you could use something as simple as AutoIT...just make sure to disallow decompilation) that run the provisioning tasks you want this 'admin' user to do, but using true administrative credentials? And then say, drop those into a folder that only that account can get to? That way, the account would be able to do what you need it to do, the user can remain a basic user account and the sailors have no other access to administrative rights.

Just throwing something out there. Any obvious holes in this idea?

By: Khalad

Khalad — Thu, 03 Jan 2008 07:20:16 -0800

If there's no way to do this the way I've described then yes, I'll probably have to code something up.

By: Lanark

Lanark — Thu, 03 Jan 2008 11:30:51 -0800

Well the right way to do this kind of thing is via rights delegation, but that requires Active Directory.

A really simple solution would be to just create all the accounts in advance - more than they would ever likely need - so if there's 200 sailors you create 5000 accounts Sailor1, Salior2...Sailor5000 with random passwords (and set must change at first login).

Store all the account details in a spreadsheet available only to the 'Admin' accounts. The admins then assign usernames and initial passwords as needed.
If anyone forgets their password - the Admin just assigns them a new account.

By: Khalad

Khalad — Thu, 03 Jan 2008 11:50:34 -0800

Can I use Active Directory with Windows XP, or is that a Windows NT/Server thing only? And is it something I can do in an hour, say, or is it really something better left to a more knowledgeable Windows sysadmin?

By: Lanark

Lanark — Thu, 03 Jan 2008 12:04:26 -0800

Active Directory needs at least one domain controller so you would need to be on a network