System Administrator Restrictions


Batch file attached: clearPolicy
Description: This batch file removes all policy settings for the current user and recreates the default ones. It also removes machine level folder options and system restore restrictions.

*** Note: The information contained in this article should be used with caution or as directed by a technical support professional.

Who is this Administrator?
One day you want to make a change to your operating system, for example using the registry editor to cleanly uninstall a program, and instead of the registry editor window you get a message telling you that your Administrator has disabled registry editing.


Now you are probably wondering who the heck this Administrator is and why he is disabling your registry. The last time you checked, you were the sole owner of the computer, and you don't remember making any changes that could have caused this.

Did a hacker become the owner of your machine without your knowledge?

If you are not using a corporate computer and you suspect this, you are probably very close to the truth. This article explains how Windows restrictions work and how they are used for both good and malicious purposes. You'll learn how to resolve this problem if it has happened to you, and how to prevent an attack in the future using the very same Windows restrictions that caused the problem to begin with.

A Windows restriction is also called a group policy. The name comes from the fact that Microsoft created these settings to manage permissions for large groups of users inside corporate networks through the Active Directory system.

Take, for example, a company that has two main user categories: Sales and Technical Support. You want to protect the users in the Sales department from unintentionally harming their computers, so you disable the use of the registry editor and the command prompt for their group. At the same time, you know that the Technical Support people need the registry editor in their work, so you leave the setting enabled for them.

Tip: If you are using XP Professional, Media Center or Windows Vista, go to Start, click on Run (or press the Windows Key+R) and execute gpedit.msc. You will discover a brand new universe of hundreds of settings that, if you are technical enough and like to play with your computer, you'll probably start using right away ;).

Windows XP Home edition users will not be able to use the gpedit.msc utility; however, they can still use the registry to add or remove group policy restrictions. These settings are located mainly in four registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\Software\Policies


Here's how to add a group policy to disable folder options, for example:

Navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Create a new DWORD entry named NoFolderOptions.

Set the value of this entry to 1

If you have two users on your computer, for example you and your teenage child who is always downloading music and movies, you will have to log in to his account and make the modifications under the User Configuration (HKEY_CURRENT_USER) category.

Why would viruses change these settings?
To prevent you from removing them, that's why. The Indonesian e-mail virus Brontok disables the folder options to prevent the user from enabling "Show hidden files and folders" when looking for the virus on the hard drive. It also disables registry editing so users cannot remove the group policy that prevents access to folder options.

Even if your antivirus removes Brontok, the Windows restrictions remain, since antivirus programs don't interfere with Windows restrictions; otherwise computers on corporate networks could not run an antivirus.
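To see which restrictions are still set after the malware itself is gone, the four policy keys listed earlier can be enumerated read-only. The PowerShell below is an added example, not part of the original article or of the clearPolicy batch file; the function name `Get-PolicyValue` is hypothetical, and the value names other than NoFolderOptions are standard Windows policy values assumed here to match the restrictions the article mentions (registry editor, command prompt, System Restore).

```powershell
# Added example: read-only audit of the four policy roots named in the article.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\Software\Policies',
    'HKLM:\Software\Policies'
)

# Values that lock a user out of the tools needed for cleanup.
# NoFolderOptions comes from the article; the other three are assumptions
# (standard policy value names for regedit, cmd.exe and System Restore).
$lockout = 'NoFolderOptions', 'DisableRegistryTools', 'DisableCMD', 'DisableSR'

function Get-PolicyValue {
    param([string[]]$Path)
    foreach ($root in $Path) {
        # A root that does not exist simply has no policies set.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = $key.GetValue($name)
                [pscustomobject]@{
                    Key     = $key.Name
                    Name    = $name
                    Data    = $data
                    # Flag only known lock-out values that are switched on (non-zero).
                    Lockout = ($lockout -contains $name) -and ([string]$data -ne '0')
                }
            }
        }
    }
}

# Flagged entries first, then everything else that is set under the policy keys.
Get-PolicyValue -Path $roots |
    Sort-Object Lockout -Descending |
    Format-Table -AutoSize -Wrap
```

On a home computer that is not joined to a domain, any row with `Lockout` set to True is a restriction nobody in the household is likely to have configured on purpose.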

For a very long time now, people from all over the world have used the My Fixes Folder Options Missing article and the fOptions utility to remove the damage caused by Brontok.

Our well-tested fix for these types of issues is as follows:

1. Sanity check. Use HijackThis and the My Fixes HJT Analyzer to remove any viruses and re-enable the registry editor
HijackThis is an excellent tool for removing viruses and spyware. We have created an automated tool that will tell you which HijackThis entries you can keep or remove, and you also have the option to ask for help on the My Fixes Forums in the process. If you want a sanity check, you can get started by clicking the HijackThis icon on the left.


2. Remove the restriction
Now that your system is clean, you can remove the problematic policy. The easiest way is to run the attached batch file called clearPolicy. It removes all user-level restrictions as well as the system-level folder options and System Restore restrictions.

If there's a group policy restriction that we can't fix please add a comment to this article and we'll be sure to find the registry key for it and add it to the clearPolicy batch file.

How to prevent this situation from happening?
* Use a limited user account. You can create a special user account for installing applications and making modifications to the operating system, which you can call Admin. Every time you need to install something, you can log off and switch to the administrator account. This way nothing will install without your knowledge.
* Do not download freeware programs before doing a search on Google for the name of that application together with the word spyware.
* Have an antispyware program installed and do a full system scan weekly. Do not overdo the number of security programs that you install. There is such a thing as too much security.
* Have an antivirus and a firewall installed. If you don't have an antivirus of your own, you can download AVG Free: http://free.grisoft.com . For a free firewall, Windows has one built in, but if you want more you can use Zone Alarm completely free.

Hope this answered your questions regarding Windows restrictions and how they work. If you require more help or information, join the My Fixes forum and post a topic under the Spyware/Virus or Security category. You can begin by registering here: http://www.myfixes.com/forum/profile.php?mode=register

Submitted by Paul Ionescu
Last modified 2007-10-10
     2005-2007 Paul Ionescu, All Rights Reserved | Privacy