How to set up group permissions in Windows XP?
January 2, 2008 9:23 AM   Subscribe

In Windows, how can I set up a group that has permission to create/edit/delete user accounts?

I'm trying to lock down a Windows XP Pro machine as tightly as possible. What I want to do is have a user called 'admin' who users can log in as. This is not a real administrator account; the only thing it should be able to do is create, edit, and delete other user accounts. 'admin' should not have any other extra abilities. The permissions need to be as fine-grained as possible.

This is to meet DoD Navy requirements. My approach until now had been to simply make 'admin' a member of 'Power Users'. But that is not a viable approach since power users can do a whole lot more than just create and delete accounts. The DoD's automated security tool produces gobs of findings about this abuse of 'Power Users'.

So, what I'd like to do is have a group called 'User Administrators', add 'admin' to that group, and set it up so that group has the ability to manage user accounts. This Windows machine is not on a domain and does not have network access, so I only need to (can only) do this using local security policies.
posted by Khalad to Computers & Internet (7 answers total) 1 user marked this as a favorite
Correct me if I'm wrong, but wouldn't allowing account provisioning by someone other than an administrator be a violation of DoD requirements anyway?
posted by JaredSeth at 9:54 AM on January 2, 2008

Response by poster: Well, the purpose is to move away from the old way of doing things, where systems came with a default set of built-in accounts that the sailors use. One of the information assurance improvements they want to make is to have individual accountability, so every user must have their own account.

The way to do that is to have an account administrator role. That is the only shared account. The account administrator creates accounts for each individual sailor.
posted by Khalad at 10:35 AM on January 2, 2008

Khalad, I've been thinking about this on and off all day: could you code up some executables (heck, you could use something as simple as AutoIT...just make sure to disallow decompilation) that run the provisioning tasks you want this 'admin' user to do, but using true administrative credentials? And then say, drop those into a folder that only that account can get to? That way, the account would be able to do what you need it to do, the user can remain a basic user account and the sailors have no other access to administrative rights.

Just throwing something out there. Any obvious holes in this idea?
posted by JaredSeth at 7:43 PM on January 2, 2008

Response by poster: If there's no way to do this the way I've described then yes, I'll probably have to code something up.
posted by Khalad at 7:20 AM on January 3, 2008

Well the right way to do this kind of thing is via rights delegation, but that requires Active Directory.

A really simple solution would be to just create all the accounts in advance - more than they would ever likely need - so if there's 200 sailors you create 5000 accounts Sailor1, Salior2...Sailor5000 with random passwords (and set must change at first login).

Store all the account details in a spreadsheet available only to the 'Admin' accounts. The admins then assign usernames and initial passwords as needed.
If anyone forgets their password - the Admin just assigns them a new account.
posted by Lanark at 11:30 AM on January 3, 2008

Response by poster: Can I use Active Directory with Windows XP, or is that a Windows NT/Server thing only? And is it something I can do in an hour, say, or is it really something better left to a more knowledgeable Windows sysadmin?
posted by Khalad at 11:50 AM on January 3, 2008

Active Directory needs at least one domain controller so you would need to be on a network
posted by Lanark at 12:04 PM on January 3, 2008

« Older Looking for books, articles, podcasts and...   |   Help me find a dashing fedora for my dad, since... Newer »
This thread is closed to new comments.