Windows XP lockdown
August 11, 2009 12:49 PM
What's a simple way in Windows XP to prevent a user from doing anything but using one program?
An employee was recently caught playing solitaire on the clock at a computer terminal that is used to search an Access database. I am tasked with locking the computer. I know I could just delete the games, but I'm looking for something more complete, and I may not be able to log in as the administrator.
So, are there any simple ways I can prevent users from doing anything except using Access? They don't need to open the program, just use it. Also, the users aren't terribly computer literate, so if it just appears that they can't do anything else, that might be sufficient. Is there any way to get a program to go full screen and hide the minimize/maximize/close, and keep the start bar from popping up?
Also keep in mind that I don't have the administrator password, although I could get it if I absolutely had to. So, anything that could be done without that would be best, although I would like to know what options there are if I did have the password.
If software is used I would prefer for it to be freeware.
Thanks for any suggestions! I know there are multiple ways to do this, but I'm trying to figure out what would be best.
Is the access to the DB through a web app? If so try using explorer in kiosk mode and see if that works for you.
posted by fingerbang at 12:53 PM on August 11, 2009
If they're not terribly computer literate, you may want to simply go the route of removing the executables (hell, maybe just deleting the shortcuts from their menu bar will do it- relatively few people know the executable names anyway). Setting policies at the level you're talking about would almost certainly require administrator access, not just to the machine, but to the Active Directory.
posted by Pragmatica at 1:00 PM on August 11, 2009
It might be possible to replace the Windows shell (explorer.exe) with something else via a registry edit (this is how Litestep and Geoshell users replace the taskbar), but I'm not sure you can do that without being an Administrator.
Without being logged in as an Administrator, you should still be able to hide the taskbar, then set Access to run, maximized, on startup.
posted by box at 1:02 PM on August 11, 2009
Response by poster: Like I said, I could get the administrator password, it would just require jumping through hoops (either resetting it via slightly dubious means, or tracking down whoever has it). You have to understand that I'm at a place with a nonexistent IT department, and a nightmare of a workflow when it comes to these kinds of things. I just happen to be the resident computer nerd who gets "tasked" with these kinds of things.
Access to the DB is through Access itself, so kiosk mode isn't an option. If there was a way I could run Access in a kiosk-like mode, that would be ideal.
Anyone know of a program that might do something like that? Even better, that would password protect it?
Also, if I did have administrator access, what kind of options would I have?
posted by kraigory at 1:10 PM on August 11, 2009
Response by poster: In response to Chocolate Pickle- what are the best ways of doing that?
posted by kraigory at 1:13 PM on August 11, 2009
Look into the free Windows SteadyState tool, which has a bunch of settings for controlling user behavior and program access on public or shared access computers. It can probably do what you want.
posted by paulsc at 1:14 PM on August 11, 2009
What's a simple way in Windows XP to prevent a user from doing anything but using one program?
The simplest of simple ways is to ask the user not to.
The second simplest is not to get too worked up about it, if for no other reason than that if you lock down a computer, the user is prevented from learning anything else or growing their skill set, and you can seriously never trust them anywhere because they think if it's not locked down it's perfectly okay.
posted by A Terrible Llama at 1:14 PM on August 11, 2009
You could use Group Policy (would require Admin login) to really lock down the desktop and start menu. For the average user - this would get the job done. I am sure an enterprising user could get by the policy.
posted by jaythebull at 1:15 PM on August 11, 2009
Response by poster: A Terrible Llama- I completely agree with you- I'd really rather not lock it down, but unfortunately it wasn't my decision.
posted by kraigory at 1:16 PM on August 11, 2009
You can prevent it, but it would require software with a feature called "application Control" or application lockdown. It's commonly found in antivirus or intrusion prevention applications aimed at the corporate market, rather than the consumer.
However, it most likely won't be freeware, and it almost certainly will require Administrator credentials to install.
posted by deadmessenger at 1:20 PM on August 11, 2009
A Terrible Llama- I completely agree with you- I'd really rather not lock it down, but unfortunately it wasn't my decision.
Yeah, I figured. It's a personal pet peeve of mine and I like to rant about it. People think 'control' is a substitute for managing, training, and hiring competent people in the first place.
Drives me nuts. And Access databases, because they straddle this weird intersection of complicatedness and user-friendliness, bring out the worst inclinations in people.
Hoo boy. My sympathies.
posted by A Terrible Llama at 1:24 PM on August 11, 2009
Best answer: It might be possible to replace the Windows shell (explorer.exe) with something else via a registry edit
You could even just set Access to be the shell. (If you needed to, you could then still run explorer by doing alt+ctrl+delete, then task manager, then going to the file menu and selecting "new task" and running explorer.exe)
Anyway, if you delete solitaire and minesweeper, and users don't have access to install new applications, what are they going to do?
The ironic thing is that even if you wanted to make it so that they couldn't launch apps from explorer, they could still launch programs from Access, since it has a scripting language. Just create a new form and add a button to launch whatever program you want.
Your goal here should really just be to make it unlikely for users to run these other applications, rather than impossible.
posted by delmoi at 1:31 PM on August 11, 2009 [1 favorite]
(well, and of course deleting the files would make it impossible unless they were reinstalled)
posted by delmoi at 1:32 PM on August 11, 2009
Response by poster: Yeah, I agree about Access too, it's a nightmare. Worse yet, I'm stuck using Access '95 because of a draconian corporate IT department... yeah... Access '95...
I decided I'm just going to use Ophcrack (about.com) to get the admin password. It's not even connected to the network, so no one will know, or care.
So, admin rights requiring solutions are a go.
posted by kraigory at 1:34 PM on August 11, 2009
Best answer: You could conspicuously station a fake camera so that it points at the workstation.
posted by ignignokt at 1:34 PM on August 11, 2009
Best answer: Also, if I did have administrator access, what kind of options would I have?
You would be able to set a local policy that would forbid the user from anything other than assigned applications. This is the document with directions how to do so.
posted by anti social order at 1:36 PM on August 11, 2009 [1 favorite]
Response by poster: Setting Access as the shell sounds like a good idea. No one using the computer would know to just Ctrl-Alt-Del and run explorer.exe, but that way I could still bring up the desktop when I needed to. How would I go about doing that?
posted by kraigory at 1:37 PM on August 11, 2009
Well, since you're getting Admin rights, you can use Group Policy.
Fire up the Group Policy editor (Start, Run, gpedit.msc).
Under User Configuration\Administrative Templates\System, there's a setting called "Run only allowed Windows applications". Enable that policy and then create a list of the applications you want the user to be able to run.
posted by JaredSeth at 1:38 PM on August 11, 2009
FYI - this policy can be set to only allow certain EXE files to load. All other EXE, COM, BAT etc would not execute. It's very useful for hostile user environments.
posted by anti social order at 1:38 PM on August 11, 2009
Only apply the policy to the specific user account, not your account.
posted by anti social order at 1:39 PM on August 11, 2009
Alternatively, you could use the complementary policy (in the same spot in the Group Policy editor): "Don't run specified Windows applications".
posted by JaredSeth at 1:40 PM on August 11, 2009
The solution we use on ... all of our accounts... to lock down machine usage is a piece of software called Fortres 101. Without the fortres password, or the ability to boot to another media, it does make it _impossible_ to do things that are disallowed. Very easy to set up too. mefimail me if you have questions about it.
posted by frwagon at 1:41 PM on August 11, 2009
Last spam - this gets into the details about configuring the policies. I would avoid being complicated with this - just set the restrictions on the local system for the single user. Any other user logging in will not have this applied.
http://technet.microsoft.com/en-us/library/bb457006.aspx
posted by anti social order at 1:41 PM on August 11, 2009
There is no simple way to do this. And yes, you will need the admin password or an admin account. You will also need to test your software on a limited account because that's the first step: making a limited user to run this application. This might involve you giving directory or registry permissions so the application runs right as a limited user.
Now you can go into gpedit.msc and start removing things under user config > admin templates > start menu & taskbar, as well as under desktop.
Remove all the entries under program files for his profile and all users under c:\documents and settings. Put only the icons he needs. Feel free to delete the executables for xp games, calc, paint, or whatever. He should now have a more or less blank desktop with no extra buttons.
Now if you need IE but he doesn't need the internet you can remove the entries from the DNS under networking. If he needs access to, say, 2 servers, SQL01 and DC01, put them in the hosts file with their proper IPs.
So now he should not have privs, buttons, and DNS. For a more step-by-step way of doing this google the terms "XP kiosk how."
posted by damn dirty ape at 1:47 PM on August 11, 2009
To change the shell (from here):
- Start -> Run -> "regedit"
- go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Change Shell from explorer.exe to the new shell path, e.g. c:\Program Files\MSOffice\[...]
- log out and log back in.
Sidenote: I figured out several ways to get past Fortres 101 in high school (at least the version from, uh, 8 years ago).
posted by spiderskull at 1:56 PM on August 11, 2009
Oh, I almost forgot, enable the policy to disable task manager too. It has a "run this program" feature. Run in the start menu will be disabled via my earlier instructions.
posted by damn dirty ape at 2:03 PM on August 11, 2009
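The registry-level equivalent of the policies suggested in the answers above ("Run only allowed Windows applications", disabling Task Manager, replacing the shell), applied to one limited account by loading that account's hive from an administrator session. This is an added example, not code posted in the thread. Assumptions: the account's profile folder matches its name under Documents and Settings, and the account name and the full path to msaccess.exe are supplied as arguments.

```bat
@echo off
rem Added example, not from the thread. Run as an administrator while the
rem limited account is logged off. Both arguments are values you supply:
rem   lockdown.cmd <account name> "<full path to msaccess.exe>"
setlocal
if "%~2"=="" goto :usage

rem Assumption: the profile folder has the same name as the account.
set "NTUSER=%SystemDrive%\Documents and Settings\%~1\NTUSER.DAT"
set "HIVE=HKU\LockdownTemp"
set "POL=%HIVE%\Software\Microsoft\Windows\CurrentVersion\Policies"

rem Mount the account's hive. This fails if the user is logged on or has
rem never logged on (no profile yet).
reg load "%HIVE%" "%NTUSER%" || goto :fail

rem "Run only allowed Windows applications": switch the policy on, then list
rem the allowed programs by file name (numbered string values 1, 2, ...).
reg add "%POL%\Explorer" /v RestrictRun /t REG_DWORD /d 1 /f
reg add "%POL%\Explorer\RestrictRun" /v 1 /t REG_SZ /d "%~nx2" /f

rem Disable Task Manager, whose File > New Task dialog can start programs.
reg add "%POL%\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

rem Per-user shell: the value behind the "Custom user interface" policy.
rem Editing HKLM\...\Winlogon\Shell instead would change every account,
rem including the administrator's.
reg add "%POL%\System" /v Shell /t REG_SZ /d "\"%~2\"" /f

rem Print what was written, then unmount so the account can log on again.
reg query "%POL%" /s
reg unload "%HIVE%"
echo Lockdown applied to %~1 only. Log on as that account to test it.
goto :eof

:usage
echo Usage: %~nx0 account "full path to msaccess.exe"
exit /b 1

:fail
echo Could not load "%NTUSER%". Is the account logged on, or never used?
exit /b 1
```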
This thread is closed to new comments.
posted by Chocolate Pickle at 12:51 PM on August 11, 2009