Group policy has locked out ALL programs in limited account

By danielk ·
I am trying to setup XP Pro with two accounts, one admin and one limited. I want full access to everything for the admin account but only access to the programs I specify for the limited account. I have tried to create a group policy to do this. I set the default to disallowed and added an exception for each program but in the limited account it says "access has been blocked due to a group policy" or something similar. If I change the default back to unrestricted it says "you must be a member of the administrator group to run this program". I have followed the intructions at Microsoft's site but I still can't get the programs to run under the limited account unless I "Run As" an administrator. How do I get this to work? This is a brand new PC so I am willing to reinstall XP and start from scratch if necessary.

Additional information:
When default is disallowed most programs will not run, Notepad, Command prompt, etc. but Internet Explorer (which I would like to block) still works.
When default is set to unrestricted all programs installed with XP work, just not the ones I installed afterwards.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Which profile can access those apps?

by Tig2 In reply to Group policy has locked o ...

The only time I have been able to selectively block or permit access to a program is if it is installed in the "All Users" profile.

I may be going up the wrong path with this- HAL or Nick will have better input, I think.

Collapse -

Admin has full access, limited has access to nothing

by danielk In reply to Which profile can access ...

Admin always has full access regardless of group policy settings (this is what I want). Limited account can't run the new programs. How do you install in the All Users profile? I didn't even know there was such a thing.

Collapse -

The answer so far...

by danielk In reply to Group policy has locked o ...

My programs were not running because they are "legacy" programs. Changing the compatibility mode to Windows 2000 lets them run without being an administrator. However, I still couldn't launch them from the desktop, only directly through Explorer. As .lnk files are considered executable they were being blocked by the group policy. Once I removed the LNK extension from the list of executables it worked perfectly! However, notepad, calc, etc. still run now even though they shouldn't and I don't want them to. Any ideas?

Collapse -

Same Problem here.

by rocketero In reply to Group policy has locked o ...

I see nobody had replied to this post, and right now I am having the same issue, just a bit different in my setup:

I have 2 computers connected through a network hub/router , one computer is a windows server 2003 and the other is a WXP PRO client

When I log in the client computer as a LOCAL administrator I can do anything, but when I log into the client computer (WXP) as a domain user of the W2K3 Server I get the message you are having and I can not run some programs or install another ones, all of them tell me that I need to be in the administrator group (in the local computer) which I already am.

Anyone cares to give some advise to this?

Collapse -

Couple Questions

by ctmcswain In reply to Same Problem here.

I see that you say that you only have two computers, 1 server and 1 client. I am assuming that you have joined the client machine to the domain that you created on the W2K3 server. Have, you setup any group policies on the Domain Controller? Are there any local policies on the client machine? Also have you added the domain user account to the local machines Admin group? Try those things and see what you come up with. If that doesn't work out, I will try to help further.

Collapse -

advertised vs published

by CG IT In reply to Couple Questions

one of the features of Active Directory and Group Policy is to provide users with applications. you can advertise applications or you can publish applications to specific users and computers.

here's a MS KB article on publishing or advertising applications using group policy

Related Discussions

Related Forums