Using Windows 7/8, possible to grant all the privileges to a user except installing new applications?

-1

I thought it was simple. Just create one standard user account and they can do all the things they want except installing new apps. However, to my surprise, even for small tasks like deleting an app shortcut on the desktop, it asks for the admin password.

Is there a work-around for this? I don't mind creating another admin account for this purpose, as long as applications can't be installed using that new admin account.

Currently using Windows 8 Pro x64 for a single desktop in my home. And sorry for being naive... I don't know the basics of Windows UAC :/

Sarah S

Posted 2013-07-19T20:49:46.877

Reputation: 1

Isn't C:\Program Files set to only allow administrators to write there by default anyway? Exactly how do you define "installing new applications"? (The answer may very well be different based on exactly what you are talking about.) – a CVn – 2013-07-19T21:14:36.193

For desktop shortcuts, the reason is that they are on the public desktop (shown for all users). You can set write priv for your users on c:\users\public so you can delete them without issue. Win7+ uses UAC prompts when a user attempts to access files they don't have permission to, so by tweaking the permissions, you remove the UAC check. You can also turn down the UAC prompt sensitivity, but I don't know how this would affect a non-admin-capable user. – Frank Thomas – 2013-07-19T22:30:19.413

Answers

1

You can adjust UAC in a couple of ways to make it right for you.

First, check out the UAC Settings dialog: http://support.microsoft.com/kb/975787

Based on your request, I'd set it to always notify, but set file permissions on resources you want to allow users to modify/delete. For instance, if you allow your users permission to modify/delete stuff on c:\users\public\Desktop, they can delete desktop icons that appear there without a UAC check.

Alternately, you can reduce the UAC settings but tighten the permissions on things you want to protect, like c:\program files (they are already restricted to admin IIRC).

Frank Thomas

Posted 2013-07-19T20:49:46.877

Reputation: 29 039
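The two steps this answer describes, as an added PowerShell example that is not part of the original answer: it grants one standard account Modify on the Public Desktop, then reports any principal outside a trusted set that holds write or delete rights on the Program Files folders. The account name `Sarah` is a hypothetical placeholder, and the script assumes an elevated prompt.

```powershell
# Run from an elevated PowerShell prompt.
# Assumption: 'Sarah' is a hypothetical local standard-user account name.
$account       = "$env:COMPUTERNAME\Sarah"
$publicDesktop = Join-Path $env:PUBLIC 'Desktop'

# 1. Grant Modify (which includes delete) on the shared desktop,
#    inherited by the shortcuts and subfolders inside it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $publicDesktop
$acl.AddAccessRule($rule)
Set-Acl -Path $publicDesktop -AclObject $acl

# 2. Report any Allow entry on the Program Files folders that gives a
#    principal outside the trusted set a write or delete right.
$trustedSids = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0',        # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Specific write/delete rights plus GENERIC_WRITE and GENERIC_ALL, which
# Get-Acl returns as raw numbers on inherit-only entries.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles' -bor
             0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($dir in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
    if (-not $dir) { continue }   # no (x86) folder on 32-bit Windows
    foreach ($ace in (Get-Acl -Path $dir).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $trustedSids -notcontains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            New-Object psobject -Property @{
                Path = $dir; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights
            }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { 'Program Files is writable only by the trusted principals.' }
```

SIDs are compared instead of account names so the check also works on localized Windows installations.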

0

The level of permissions that you are wanting to access falls in line with Windows Group Policy permissions, which you can configure on a Windows Server installation.

You mentioned a home computer, so I am not sure this is helpful beyond being informative. As far as I know, there is no way to enforce policies on a home installation.

Just another caveat of Windows.

Jason Bristol

Posted 2013-07-19T20:49:46.877

Reputation: 776

Thanks for the prompt reply, Jason. That was quite informative and disappointing as well. Any reliable freeware/paid app that you can think of for this purpose? – Sarah S – 2013-07-19T21:05:48.037

There is no freeware that I can think of. A lot of the policies invoke kernel-level commands which can only be accessed by the operating system. Kind of stuck going through Windows to do this. I am running Win7 Ultimate and I do have access to Group Policy permissions. Try pressing the Start button and typing "edit group policy"; you should see an item to edit policies. Once you're in there, if you select folders under "Administrative Templates" under "User Configurations", you can set some policies that may prove helpful. Best of luck – Jason Bristol – 2013-07-19T23:17:01.643

The user has Windows 8 Pro, so Group Policy Editor is an option. – bwDraco – 2013-07-19T23:55:30.770

0

One thing to look into is AppLocker. It allows you to prevent users from running apps that are NOT in a list of applications you pre-approve. I highly recommend it.

MDT Guy

Posted 2013-07-19T20:49:46.877

Reputation: 3 683