locked
Control Panel-created user accounts versus SteadyState-created user accounts RRS feed

  • Question

  • I installed SteadyState 2.5 recently and while experimenting with user accounts, I made some interesting discoveries:

    • CP-created accounts (both Admin and Standard) prior to installing SS automatically appeared in SS UI;
    • SS-created accounts automatically appeared in CP User UI as Standard accounts;
    • SS-created accounts can be changed to Admin via CP User UI;
    • After SS is installed, I can still create Admin and Standard accounts in CP and these new accounts will also appear automatically in SS;
    • I am able to customize settings and restrictions for all accounts, regardless whether they are created in SS or CP before or after installing SS

    I'd like to seek clarifications on these:

    1. When applying restrictions to a CP-created Admin account, do these restrictions take precedence over the wide-ranging Admin rights? Does the Admin account still retain those Admin privileges and rights not specifically restricted by SS?
    2. Conversely, if a SS-created Standard account is changed to Admin via Control Panel, does it still retain those restrictions set by SS?
    3. Are these by design or are they bugs?

    Please help. Thanks.

    Saturday, June 5, 2010 8:11 AM

Answers

  • 1. When applying restrictions to a CP-created Admin account, do these restrictions take precedence over the wide-ranging Admin rights? Does the Admin account still retain those Admin privileges and rights not specifically restricted by SS?

    Those restrictions in Global Computer Settings should apply on every user on the computer regardless of the account is administrator or not. But you can still define specific restrictions for a administrator. For such restricted administrator, it still has administrator privileges.  

    2. Conversely, if a SS-created Standard account is changed to Admin via Control Panel, does it still retain those restrictions set by SS?

    Yes.

    3. Are these by design or are they bugs?

    Yes, this is by design. For a restricted administrator, you can add SS to block programs so that this user cannot use SS to change restrictions.

    Hope this helps!

     


    Sean Zhu - MSFT
    • Marked as answer by LT Ng Monday, June 7, 2010 6:40 AM
    Monday, June 7, 2010 2:49 AM

All replies

  • 1. When applying restrictions to a CP-created Admin account, do these restrictions take precedence over the wide-ranging Admin rights? Does the Admin account still retain those Admin privileges and rights not specifically restricted by SS?

    Those restrictions in Global Computer Settings should apply on every user on the computer regardless of the account is administrator or not. But you can still define specific restrictions for a administrator. For such restricted administrator, it still has administrator privileges.  

    2. Conversely, if a SS-created Standard account is changed to Admin via Control Panel, does it still retain those restrictions set by SS?

    Yes.

    3. Are these by design or are they bugs?

    Yes, this is by design. For a restricted administrator, you can add SS to block programs so that this user cannot use SS to change restrictions.

    Hope this helps!

     


    Sean Zhu - MSFT
    • Marked as answer by LT Ng Monday, June 7, 2010 6:40 AM
    Monday, June 7, 2010 2:49 AM
  • Thanks for your clarifications.

    So, am I right to say that EITHER I create an Admin account in CP first and then set restrictions in SS, OR I create an account in SS first, set identical restrictions and then convert it to Admin in CP, the resulting RESTRICTED ADMINISTRATOR is identical in terms of its administrative privileges?

    Which method would you recommend as the best practice for creating restricted administrator?

    Thanks again.

    Monday, June 7, 2010 6:38 AM
  • Yes, you are correct.

    You can also download Windows SteadyState handbook on how to create a restricted administrator. For your reference, I included the following steps:

    Creating a Restricted Shared Administrative Account

    For users to run applications that are not designed to run on Windows XP, a restricted shared administrative account can be created for the purpose of operating nonstandard software, such as Internet-based and network-based multiplayer games. Some older educational programs also require more administrative access than is allowed with a typical Windows SteadyState user account with a restricted shared user profile.

    For a list of non-Microsoft programs that do not work with typical Windows SteadyState shared user accounts, see Microsoft Knowledge Base Article #307091 at:                       http://go.microsoft.com/fwlink/?LinkId=83434.

    A restricted shared administrative account is an unlocked user profile in which most restrictions have been removed. This type of unrestricted user account allows access to the increased permissions necessary to run nonstandard applications.

    Before you create a shared administrative account for general users, consider the following questions:

    <span style="font-family: Wingdings; mso-fareast-font-family: Wingdings; mso-bidi-font-family: Wingd


    Sean Zhu - MSFT
    Wednesday, June 9, 2010 1:27 AM