1

here's my question: i have a desktop pc Windows 7 powered with two accounts with administrative rights. One of those is used by my brother.

I study abroad so i need to be able to connect to my "home" desktop by VNC protocol to do assistance to my parents or technical service. So i set some DNS and IP configs. Now i'd like to prevent to the other account the network settings editing. I tried with the Group Policies Editor but i didn't succeed. With the other account i still can change DNS and TCP/Ip settings. How can i solve that?

Here's a pic of my Reg Policies Keys:

Thanks in advance for your help

Improve this question
4
  • Why not remove the admin rights for that account?
    – Dave M
    Commented Sep 20, 2012 at 16:24
  • Because i want the other account to be able to install games or apps... There's a way to specify which rights to be prohibited?
    – rdbisme
    Commented Sep 20, 2012 at 16:31
  • In all seriousness... can you just ask your brother not to mess with those settings?
    – JoshP
    Commented Sep 20, 2012 at 17:21
  • Already done. But anyway is there no way to do what i'm asking? :D
    – rdbisme
    Commented Sep 20, 2012 at 17:25

4 Answers 4

Reset to default
2

You could go a different route with a kind of "unmanaged" solution. That is, try TeamViewer or GoToMyPC, or something like that.

I have used TeamViewer to be able to have unattended access to a remote computer. That is, by default, many of these remote access softwares require someone to be on the other end to "Allow" you to take control of the computer (a good default). They may all allow for the unattended access, but I only have personal experience with TV.

Anyway, the whole point here is that there is no IP or DNS configuration to make it work, and it runs as a service so it'll be there after a restart or during a logout.

Lastly, it's free for personal use.

I sound like I'm selling this stuff lol. I'm not. It's free, and I use it on a regular basis. It's just quite useful :)

Improve this answer
1
  • Thanks for you answer... i already knew TV and practically is something similar to reverse VNC connection to a listening viewer. If i can't succeed in avoiding network configuration settings editing i will consider this solution. Thanks... Anyway it seems very unbelievable that there's no way to do what i'm asking. Probably i will have to decrease rights level of the account hoping there's still a way for a non-administrative account to install softwares...
    – rdbisme
    Commented Sep 21, 2012 at 9:59
2

Your problem is not technical, but a people problem. You do not have physical access to the machine, and others do. If you can't trust them to do the right thing, they might re-install the OS on the machine for all you know.

Perhaps they were having a problem, and called the ISP for help, and they suggested that change.

Tell your brother and parents to not change the IP settings if they want you to have access. When your parents need help, if you can't do it, tell them someone with admin access must have disabled your ability to help (be nice about it.)

If you have other reasons to access the computer as well (need files or whatever,) explain your need and what they can do to fix it. If the files are of a nature that you'd rather your family don't see, well, I can't help you there ;-)

Improve this answer
1
  • I see your point and i agree with your suggestions. My point was just to avoid to explain how to newly set IP configurations to tech-outsiders by phone. Or, differently, how to set a reverse VNC connection. ;)
    – rdbisme
    Commented Sep 20, 2012 at 17:00
1

I am not familiar with this policy, so I dont know the answer off the top of my head. But, in my opinion, you probably shouldnt do this. What if the network settings get changed by malware, or corruption, or even by you (accidentally)? There would be no way for you to remote in and fix it, nor would anyone locally be able to correct it either. Limiting local administrative rights, just isnt a good idea.

Improve this answer
3
  • Ok... but i also need to prevent from editing because even in this case i won't be able to connect to my desktop. So what could i do? Just hiding it maybe... Is there a way to hide network properties?
    – rdbisme
    Commented Sep 20, 2012 at 16:16
  • 1
    Why do you want to do this? Has someone broke the network settings before? It seems to me you are trying to be overly cautious.
    – Keltari
    Commented Sep 20, 2012 at 16:18
  • Ya it happened just today, from manual configured IP settings someone changed in "Automatically get IP settings etc..." letting to the router the IP distribution organisation and preventing me from connecting directly. And i have a ISP-restricted router so i can't set automatic static IP assignment from it.
    – rdbisme
    Commented Sep 20, 2012 at 16:30
0

Remove the admin status from the other account. There is nothing else you could do to prevent an admin from reclaiming the permissions you're trying to revoke. If you can't (or won't) revoke the account's admin status, then don't bother trying to restrict the account. The attempt is futile.

Improve this answer
3
  • Thanks for your answer... I think i will do what you suggest. Is there however a way to allow to a simple user account to install software?
    – rdbisme
    Commented Sep 21, 2012 at 10:01
  • Not really. And it's not sensible, too. "Installing software" can mean a great many things, including changing system settings (virtually every installation will require write access to the HKLM hive of the registry), creating system services, or installing installing drivers. Where would you draw the line? Even if you were able to restrict that person to creating new files/folders in %ProgramFiles% and new registry keys/values in HKLM, that would still affect all other users on the system, so you shouldn't grant these rights to someone you don't trust.
    – Ansgar Wiechers
    Commented Sep 21, 2012 at 11:39
  • The fact is not "trusting". The fact is avoiding noob actions. Anyway i will do as you suggested. Thanks everyone.
    – rdbisme
    Commented Sep 21, 2012 at 13:55

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .