Win XP SP2 machine with Medium User Restrictions is able to see Control Panel

  • Question




    I have an issue with a Steady State machine that seems to be not locking an account properly.


    I have applied medium Window Restriction to a user, yet they are able to right click on the desktop and go into the display properties. Further, if I enable XP Menus (untick allow only classic menus), then the user can see the control panel and gain full access. Of course, the control panel option is disabled (ticked) in the user restrictions.


    I actually have 10 machines that are similar, yet this one behaves oddly.





    Monday, January 28, 2008 8:31 PM

All replies


    Hi Chris,


    Thank you for posting here!


    Before we go any further, I would like to confirm whether the issue occurs on other computers or user accounts. If this issue only occurs on this computer, let's create a new user profile to test. If this issue doesn't occur on the new user profile, the problem can be related to the user profile.


    I also made a local test, however, I cannot reproduce this issue on my side.


    1. Create a new user profile with "No restrictions", log on to it to test.

    2. Change to "Medium Restrictions", log on to it to test.

    3. Uncheck "Allow only the Classic Start Menu", test again.


    Best Regards,

    Tuesday, January 29, 2008 5:12 AM
  • Was this account at any time an administrative account? I had that happen with an account I created as an administrator. My solution was to create a new account as a user, then transfer what I needed to that account.


    Tuesday, January 29, 2008 7:14 PM
  • Hi Chris,


    Thank you for your feedback.


    Did this issue occur on other computers or user accounts? This information is very important to identify whether this is an account problem or a SteadyState issue.


    I created an administrator account and then performed the above steps again, still no entrance for Control Panel. Where did you find the Control Panel? Besides the classic Start Menu restriction, do you have some other restriction unchecked when using Medium Restrictions?


    By the way, if the user account is an administrator, by default, it can access any component and make changes. SteadyState restrictions can only restrict some of the User Interface. Some experienced users may bypass or restore the changes through some tricks. Based on my experience, we still recommend creating another type of account for shared users. Thank you for your understanding.




    Wednesday, January 30, 2008 11:15 AM
  • Hi,


    The issue seems to occur with just 1 of the 10 PCs (but I will check on Friday to be sure). All users were created in the same way, i.e. by creating a user on the first machine, then exporting the profile and importing it back to the other machines using Steady State. As far as I am aware, the user accounts were NOT set as administrators (at least not by me - again I will check on Friday), but are set as limited users.


    The Control Panel is visible on the main Start Menu, if the menus are in XP mode. If the menus are in classic mode the control panel is not visible, but I bet it is still accessible. Either way, the user should not be able to enter the display properties, yet by right clicking on the desktop and going to properties, they can. When I selected “Medium Restrictions”, I did not make any alterations, other than to untick “apply classic menus”.


    I have not created a new user yet. I will be at the site on Friday, so will have a go then.


    As a point of interest, but off topic, the user export/import did not apply as many settings as I would have liked. User’s background, desktop icons and start menu were all set to default user values. Other standard things, like accepting all the IE prompts that are usual with new users, are also not transferred. It would be good if user account settings could be more encompassing so changes could be made to one machine and then the user account could simply be imported and overwrite existing accounts. As it stands, you still have to set up individual user accounts on each machine, and if I require setting changes after that point, I need to manually update each machine.



    Wednesday, January 30, 2008 1:04 PM

    Hi Chris,


    If there is any update, feel free to post back.


    As you may know, the export/import feature only transfers restrictions configured from SteadyState. All the other configurations such as Desktop items, Start menu items, passwords etc. will not be exported. You can open the SSU files which were created by the Export feature. Only registry restrictions were included. FYI, if you would like to transfer the Desktop icons and other user files, you can run Files and Settings Transfer Wizard from Start -> All Programs -> Accessories -> System Tools.


    In addition, if there is already a user profile with the same user name on the computer to which you would like to import, the profile settings of the original user will be overwritten by the imported profile. This is also an expected behavior.


    Have a nice day!



    Thursday, January 31, 2008 4:59 AM
  • OK, I checked the machine over today. The account is a limited user. All other machines are behaving as expected.


    I have tried several times to turn off restriction then re-apply but to no avail.


    The only reason I noticed was because I wanted the user to have access to the printers, and this could only be done by turning off classic menus.


    I did not have time to set up or test a new user.

    Friday, February 1, 2008 7:46 PM
  • Hi,


    Thank you for your feedback!


    I am not sure what happened on this user account. However, it seems the problem is closely related to the problem on this account. One quick solution is to create a new one.


    BTW, do you have this user account locked? If so, please unlock it when making changes. I haven't tested whether the start menu restriction affects the printer access. However, how about creating a shortcut of the printer icon within Control Panel? Just a thought :)



    Sunday, February 3, 2008 11:27 AM
  • I think that re-creating the user might be the only solution. It is a bit of a pain as setting up a user can be a long process. It is never a simple case of creating a new user as many programs need to be tweaked to stop showing initial start up prompts, slowing mouse movement, setting menus, start up programs etc etc.


    I had thought about adding a shortcut to the start menu, I have basically created a new programs menu for all users rather than use the All Users menus, but since the option is there to show printers in the start menu, I wanted to use it. This, of course, works fine on all the other computers (even this one), but in this case showing XP menus with this user also shows the control panel, and the other control panel applets are not locked.


    The user IS locked, but when I wish to make changes I unlock the user. This makes no difference to the behaviour.





    Monday, February 4, 2008 10:24 AM
  • Ok, now more confusion. I deleted the user and re-created. I still have the same problem.


    Now what?


    Monday, February 4, 2008 5:49 PM
  • Still Confused, now EVEN more.


    Last attempt at creating a user was through importing a user, so I thought that might cause an issue. This time, I deleted the user, rebooted, then added a new user via Steady State.


    I set the restriction to medium then logged in as the user - but I can still get the display properties and if I choose XP menus then I can see and access the entire Control Panel.


    Please help....






    Monday, February 11, 2008 3:48 PM

    Hi Chris,


    How about a new user with different user name?


    Was the system setup through Sysprep? If so, please check the following thread first.


    SysPrep and locked user accounts



    Wednesday, February 13, 2008 5:36 AM
  • Hi,


    I didn't think that adding a new user with a different name would resolve anything. I thought that adding a user, even with the same name as a previous user, would still get Windows to create a whole new SID for that user and hence a whole new set of registry entries.


    Anyhow, I thought I'd give it a go so I deleted the user (again) and created a new user with a different name.


    Same problem.


    The limited access user that has been locked down can still access the control panel and its applets.


    This is getting a little weird now.




    Monday, February 18, 2008 3:26 PM

    Hi all,


    Has anyone got any further ideas about this? I have no idea how to resolve this and I think we've exhausted the obvious.


    PS the system has not been sysprepped.



    Monday, February 25, 2008 6:20 PM

    Hi Chris,


    This is Shawn, would you please export the problematic user profile from SteadyState and send the file to me at If the SSU file cannot be sent, you can compress it first.


    I can import the user profile on my side and check if the issue can be reproduced or not.




    Tuesday, February 26, 2008 1:23 PM

    Hi Shawn,


    Did you manage to have a look at the file I sent on the 3/3/2008?




    Monday, March 17, 2008 5:44 PM