Question

Windows Vista : Ultimate Restricted Account, HELP!

Mar 5, 2012 11:28PM PST

Alright, at work we usually don't deal with a lot of desktop computers and everything we do here is mostly Linux/Unix based. I have a whole bunch of new systems that run Windows Vista and we have students that use them, the students should only be allowed to access what is on the desktop and that is it. Some PDF files, and a couple of other programs (which we don't have the software for and are already installed.) What I want to do is completely limit any kind of access that the students have to be able to manipulate the computer at all. This means no changes of any kind...no other programs, no personalizing their screens, no screen savers, no pictures, no media, nothing....JUST what is on the desktop. So far I have attempted to go into gpedit to do this but after limiting what I thought was everything some students eventually got past it all. Is there any way to make a completely locked account, or is there any software that can assist with this? Please help, I don't have a lot of time.

Answer
This is not a feature of Windows.
Mar 5, 2012 11:42PM PST

You are asking to lock down a PC and since it is a PC, access = you can do what you want. It only takes a little time to learn this about Windows PCs so take that much time at least.
Bob

Answer
Your best bet
Mar 6, 2012 1:16AM PST

Your best bet, and just for the record I agree with Bob, would be to set up an Active Directory domain. This allows you to access a bunch of permissions and whatnot which are not otherwise easily accessible in Windows, and you can apply it to all the systems at the same time, managed from a central location.

It's certainly not foolproof, and anyone who can exploit some kind of local privilege escalation bug can still do a bit of damage if they want. We won't even get into the possibilities posed by LiveCDs and the like.

What you may want to consider as an alternative is not even trying. There are programs like Deep Freeze which will essentially lock a system configuration in place. While someone is free to make any changes they want while running the system, as soon as you reboot the OS is reverted back to that specific state you set it at. In essence, it reimages the drive every time you reboot.

I might also consider putting up a desktop wallpaper just saying that logins are tracked, and periodically audited. So anyone caught doing anything they shouldn't be, will be subject to some kind of sanction. Then, assuming you have a lab or something set up, you just post a couple copies of the rules, and add to the text on the wallpaper image that copies of the rules are posted, and if they have any questions to direct them to one of you lot who manage the systems. And just for good measure, maybe every so often, under the posting of the rules, put up a log of everyone who has logged in, the time, etc, just to make it clear it's not an empty threat. You could probably even just fake one, and most people would never know the difference.
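The periodic login audit suggested in the answer above can be produced from the Windows Security event log. The following is an added example, not part of the original post: it assumes PowerShell 2.0 or later is installed on the Vista machines, that it runs in an elevated session, and that logon auditing is enabled; the seven-day window and the output file name are constructed values.

```powershell
# Added example: build a report of interactive logons from the local Security log.
# Assumptions: PowerShell 2.0+, elevated session, "Audit logon events" enabled.

$since       = (Get-Date).AddDays(-7)   # reporting window (constructed value)
$interactive = @('2', '11')             # 2 = console logon, 11 = cached credentials

function Get-EventField($xml, $name) {
    # Return the value of one named <Data> element in the event's EventData
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# Event ID 4624 = "An account was successfully logged on" (Vista and later)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$report = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $type = Get-EventField $xml 'LogonType'

        # Skip service, network and batch logons; keep people at the keyboard
        if ($interactive -contains $type) {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Computer  = $_.MachineName
                User      = Get-EventField $xml 'TargetUserName'
                LogonType = $type
            }
        }
    } |
    Select-Object Time, Computer, User, LogonType |
    Sort-Object Time

# Show on screen and keep a copy that can be printed and posted with the rules
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\logon-report.csv -NoTypeInformation
```

The Security log is overwritten once it reaches its size limit, so the report only covers what is still retained on each machine.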