locked
User Locked down, unable to start any programs RRS feed

  • Question

  • I have steady state installed on XP.  I have a user fully locked down, highest level on everything, but no blocked programs at all.

    I want the user to be able to load a couple of specific programs.  I have dropped shortcuts to their start menu, startup and desktop.  They can see the shortcuts but when they try to open them, it doesn't allow the program to run stating that the administrator has turned off this priveledge.

    I have looked through all of steady state and see no other options for allow/disallowing programs.
    Wednesday, October 7, 2009 10:35 AM

Answers

  • Sean,

      Thanks.  I tried that, and unfortunately it does not work.  Geovision's Control Center must be one of the programs to add to the list of those that won't work with steadystate.

      I allowed the task manager to function, and could see the process for the software start, but shut down after a couple of seconds.

       After much trying, the only way in which i can get it to work is to turn of the function of not allowing the user to make any permanent changes to their profile.

      If i turn that off, the software then works.

      Not the ideal solution but a work around.

      Thanks for all your help Sean.
    • Marked as answer by Sean Zhu - Wednesday, October 14, 2009 4:07 AM
    Tuesday, October 13, 2009 9:22 PM

All replies

  • Hi simo923, does the issue occur on all applications? Does the application require administrator privilege? Can you let me know the exact error message?
    Sean Zhu - MSFT
    Thursday, October 8, 2009 6:22 AM
  • Windows cannot open this program because it has been prevented by a software restriction policy.  For more information, open Event Viewer or contact your System Admin.

    There are no blocked programs in Steadystate.

    I can open other MS programs such as backgammon, Messenger, etc.  But cannot open any txt, exe or such files from the program location. (ie, the specific program that i am trying to open.)
    Thursday, October 8, 2009 9:42 AM
  • Ok, so i found the problem.  The program is not installed under Program Files so i unchecked the relevant box in Steady State.  Now i have access, kind of.  Because steady state puts the user in the limited role, i cannot run the program. The program requires admin acccess to run.  Is there any way around this?  I have set the program folder as users have full control but i still cannot run it.
    Thursday, October 8, 2009 10:36 AM
  • Hi simo923, if the program does require admin privilege, I consider there is nothing to do with Windows SteadyState or workaround this by checking or unchecking restrictions in SteadyState. We can elevate the user to admin and continue using SteadyState to restrict the user.
    Sean Zhu - MSFT
    Monday, October 12, 2009 6:12 AM
  • Sean,  Thanks for the replies.  If i could make the user an admin and use steadystate to restrict them, that would be great.  How would i go about trying this as i have tried to make them an admin and apply steadystate but it still restricted them.

    Thanks
    Monday, October 12, 2009 10:00 AM
  • Hi, you can check SteadyState handbook on page 50:

    Creating a Restricted Shared Administrative Account

    For users to run applications that are not designed to run on Windows XP, a restricted shared administrative account can be created for the purpose of operating nonstandard software, such as Internet-based and network-based multiplayer games. Some older educational programs also require more administrative access than is allowed with a typical Windows SteadyState user account with a restricted shared user profile.

    For a list of non-Microsoft programs that do not work with typical Windows SteadyState shared user accounts, see Microsoft Knowledge Base Article #307091 at:                       http://go.microsoft.com/fwlink/?LinkId=83434.

    A restricted shared administrative account is an unlocked user profile in which most restrictions have been removed. This type of unrestricted user account allows access to the increased permissions necessary to run nonstandard applications.

    Before you create a shared administrative account for general users, consider the following questions:

    §  Can the nonstandard software be upgraded to or replaced with a version that runs correctly with limited user privileges on Windows XP?

    §  Can the software be removed from your environment with a limited effect on your business needs?

     

    If the answer to either of the preceding questions is “no,” you can create a restricted shared administrative account.

    Note: If the shared computer is connected to a network, network policy might prevent you from completing this procedure if you are not an administrator of the network domain.


    You can download the handbook via the following link:

    http://www.microsoft.com/downloads/details.aspx?FamilyId=F829BB8B-C7A9-426B-A7A4-2B504A6238D2&displaylang=en

    Hope this helps!

    Sean Zhu - MSFT
    Tuesday, October 13, 2009 6:32 AM
  • Sean,

      Thanks.  I tried that, and unfortunately it does not work.  Geovision's Control Center must be one of the programs to add to the list of those that won't work with steadystate.

      I allowed the task manager to function, and could see the process for the software start, but shut down after a couple of seconds.

       After much trying, the only way in which i can get it to work is to turn of the function of not allowing the user to make any permanent changes to their profile.

      If i turn that off, the software then works.

      Not the ideal solution but a work around.

      Thanks for all your help Sean.
    • Marked as answer by Sean Zhu - Wednesday, October 14, 2009 4:07 AM
    Tuesday, October 13, 2009 9:22 PM