How can I create a Windows 8.1/10 user account that mirrors a guest account

2

I have been using the built-in Windows "Guest" account for many years. The main reason why I love the "Guest" account is that I do not have to set special NTFS file permissions on a per folder/file/drive basis. For example, I let my kids log in to my PC using the guest account and I am 100% confident that my PC is secure from accidental file deletion/moves. For example, it is impossible for the kids to accidentally delete the "Family Photos" folder or ANY file in ANY directory since they are immediately presented with a prompt for "Administrator" credentials. Fantastic.. way to go Microsoft.. seriously no sarcasm here!

However, I have two major concerns/questions as of late:

With Windows 10, MS has completely done away with the "Guest" account. This alone is enough for me to put my foot down when it comes to upgrading to Win 10. If I manually create a "Guest" user group I literally have to set NTFS file permissions on every single file. I tried doing this on the single folder "Family Photos" and the OS displayed a dialog for updating permissions of each individual file/sub-folder. This took hours. This is not feasible to manage. I even tried creating a new user and ensuring that they only belonged to the "Guests" group. I discovered this account still had escalated permissions that allowed them to delete files and folders. So as far as I can tell, I would need to manually manage every single file/folder on multiple drives in order for this approach to work. That would be insane! So my first question is whether anyone knows how to create a "real" guest account the way that the OS manages the special "Guest" account?

Next, I have a question closely related to question 1. I have recently tried to use the MS Family Safety feature of Windows 8.1. Based upon what I've read, it sounds pretty fantastic and would allow my kids to log in with personalized accounts instead of forcing them to share the guest account. However, after adding a child account to the system, I logged in with the child's account and discovered that the account had enough privilege to delete files/folders and do some serious damage to my data! So, I tried using the old Microsoft Management Console (MMC) to manage "Local Accounts" the old school way. I removed the child from all groups aside from "Guests." However, I encountered the same problem as described in question 1 above.

I'm sure there are thousands of people out there that have the same problem/concern. My research leads me to believe that Microsoft has built-in logic at the OS level in order to handle the guest account. Why something so logical and simple has been stripped away in the latest OS (Windows 10) is beyond me. And why I can't add multiple users as "guest" accounts also seems to be a major shortcoming in the OS.

In fact, I recall when Windows NT first came out (and ever since,) Microsoft has always recommended not running as an administrator account for security reasons. For example, if I'm logged in as a guest user and I visit a malicious website by mistake, the site will only have the privilege of the current guest user so no damage can be done. This makes 100% sense. So, why is that ability stripped out of the latest OS!?

Any help/suggestions would be greatly appreciated.

Warren Rox

Posted 2016-01-21T18:31:19.090

Reputation: 121

2

Hmm. What makes you think there is no Windows 10 guest account? 4 Ways to Enable and Disable Built-in Guest on Windows 10 would suggest otherwise ;)

– DavidPostill – 2016-01-21T18:41:23.800

1

I was going to answer this question, but there is nothing special about the Guest account, it is simply a built-in User account. It does not belong to a custom user group. You can avoid a user from even being able to see your family picture folder, by putting a new user, in a new user group you create with specific permission by modifying the local group policies, and specifically denying access to all files and folders in the parent folder (requires setting the ACL recursively once). – Ramhound – 2016-01-21T18:43:15.683

When I first tried Windows 10, I did enable the guest account. However, the OS does not allow you to log in with the account. Have you tried it? It is possible Microsoft patched this in a subsequent update from the initial release of Windows. Here is an article that clearly backs my findings: http://www.tenforums.com/user-accounts-family-safety/10385-how-do-i-make-guest-account.html

– Warren Rox – 2016-01-21T22:31:38.683

There must indeed be something special about the "Guest" account because it has automatic UAC prompting that the general "Users" or "HomeUsers" group does not. I've tested it myself which is why I posted the question. I understand I can provide a recursive ACL setting on a per folder basis but if I had to do this for each and every folder and HD on my machine it would take hours/days. – Warren Rox – 2016-01-21T22:33:58.190

@WarrenRox - If you used the answer to your question successfully, would you take a look at the errors I got when I tried it and see if you know what the problem is? https://superuser.com/questions/1499669/windows-10-error-applying-security-on-new-account-failed-to-enumerate-objects

– NewSites – 2019-11-06T16:42:38.627

Answers

1

Here's what I did on Windows 10 to provide a user login for some visiting guests: I created a new standard user named "anyone". Then I set the properties for the C drive to deny all permissions for "anyone". (I had to add "anyone" to the list.)

Setting those permissions did run for a while.

Now "anyone" can run programs, including the Chrome browser, which is all I cared about, but has no access to the C drive, so can't even list the folders there. "anyone" still has access to its own Documents, Photos, Downloads, etc., but no way to get to them via the C drive.

This is pretty restrictive, which is what I wanted. It may be too restrictive for the case you described.

Marc Rochkind

Posted 2016-01-21T18:31:19.090

Reputation: 197

This is restrictive, but I like your approach. To make this easier to manage I suppose a user group can be created and then multiple users could belong to this group as well. I'm going to give this a shot and I'll follow up to see how it works for me. Thank you! I'm still disappointed that the community doesn't understand the complete lack of a great feature that Microsoft has deprecated. Could be the general shift of the younger generation in which privacy is of no concern or cost. – Warren Rox – 2016-10-19T14:13:24.147

@MarcRochkind - I tried your approach and got some error messages. I posted a question about it, and I wonder if you'd take a look and see if you know what's going wrong: https://superuser.com/questions/1499669/windows-10-error-applying-security-on-new-account-failed-to-enumerate-objects

– NewSites – 2019-11-06T16:39:40.727
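
The approach from the answer above (a standard user denied access), combined with the group idea raised in the comments, as an added PowerShell example that is not from any of the posts. It assumes Windows 10 with the built-in LocalAccounts cmdlets and an elevated prompt; the group name `RestrictedGuests` and the path `D:\Family Photos` are hypothetical placeholders, and `anyone` is the account name used in the answer.

```powershell
#Requires -RunAsAdministrator
# Added example: the group name and folder path are hypothetical placeholders.
$GroupName = 'RestrictedGuests'   # hypothetical local group
$UserName  = 'anyone'             # account name used in the answer
$Protected = 'D:\Family Photos'   # placeholder: parent folder to protect

# 1. Create the group once; further accounts only need to be added to it.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Denied access to protected folders' | Out-Null
}

# 2. Create a standard user. New-LocalUser puts the account in no group,
#    so add it to Users to allow interactive sign-in.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $Password = Read-Host -AsSecureString -Prompt "Password for $UserName"
    New-LocalUser -Name $UserName -Password $Password | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName
}
if (-not (Get-LocalGroupMember -Group $GroupName -Member $UserName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $GroupName -Member $UserName
}

# 3. One inheritable Deny entry on the parent folder. ContainerInherit and
#    ObjectInherit make subfolders and files inherit it, so no per-file
#    editing is needed (Windows still propagates it, which can take a while).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $Protected
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Protected -AclObject $acl

# 4. Check: list the Deny entries that now apply to the group.
(Get-Acl -LiteralPath $Protected).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and
                   $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
```

A Deny entry applies to every member of the group, so an administrator account added to `RestrictedGuests` would be locked out of the folder as well; keep the group limited to the restricted accounts.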