# Create user with limited admin rights



## Vaseer (Jan 12, 2013)

Is it possible to create a user account with limited administration permissions?
I would like to create a user with permissions for installing and removing programs and access to "basic" settings.
It must not have access to Local GPO, Registry... - "advanced" settings.

OS: Windows 8.1 x64 Pro

Please advise.


----------



## Masterchiefxx17 (Feb 27, 2010)

The only way to do this would be to control the PC via Group Policy. There is no other way of limiting someone's administrative power.


----------



## Vaseer (Jan 12, 2013)

I already tried with Local Group Policy. I created a new group - Support Users - and created a user, Support. User Support is a member of the Support Users group. I assigned some permissions to the Support Users group, but can't achieve what I want.

If I assign the same permissions to the Support Users group and the Administrators group in gpedit > User Rights Assignment, they don't work the same.
I have a feeling that I am missing something (that there are more rights/permissions that the Administrators group has than are available in gpedit > User Rights Assignment).

Are there any instructions/tutorials on how to achieve what I want? So far I couldn't find any.


----------



## spunk.funk (May 13, 2010)

You cannot create a limited user that can install software. They would need to be an Administrator user to make changes to the computer (e.g. install or uninstall software). A limited user cannot make changes to the computer without an Admin.


----------



## Vaseer (Jan 12, 2013)

Is there a way for administrator A to limit access to Registry, GPO, etc. for administrator B, without the possibility for administrator B to enable access back?


----------



## spunk.funk (May 13, 2010)

There are certain things you can do in the GPO that limit the user, but since they are an admin, they can change them back. The only way to totally limit an admin user is if the computers are part of a Domain, and then you can control the user in the Domain Controller Active Directory.


----------



## LMiller7 (Jun 21, 2010)

Vaseer said:


> Is it possible to create a user account with limited administration permissions?
> I would like to create a user with permissions for installing and removing programs and access to "basic" settings.
> It must not have access to Local GPO, Registry... - "advanced" settings.
> 
> ...


Short answer: No.

A limited administrator account is a contradiction in terms. By design an admin account has the highest privileges of any user account. All admin accounts are equal, and that includes the built-in Administrator account. You can impose some limitations on an admin account but this is like locking doors where the admin has all the keys. This ability is inherent in an admin account and cannot be taken away.

There are fundamental differences between an admin and non-admin account which cannot be altered by means of GPO, registry settings, or any other method.

To impose true limitations on an admin account requires a higher authority than an admin account. On a computer that is not a member of a domain there is no such authority. In a domain, limits can be imposed by a Domain GPO which a local admin has no access to. But of course a domain requires a domain controller running on a server OS.

But even then much of what you want would not be possible.

A basic concept in the Windows security model is that there would be one or more trusted administrators who have full control over the computer. Trust is essential. If an individual cannot be trusted with the full privileges of an admin account they should not be an admin. It is as simple as that.


----------
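
The gap Vaseer noticed between User Rights Assignment and real administrator power, and the "fundamental differences" LMiller7 describes, come in part from access control lists: files, registry keys and services grant the Administrators group access directly, independent of any user right set in gpedit. The PowerShell below is an added example, not part of any post in this thread; it only reads ACLs, and the four locations it inspects are sample paths chosen here for illustration.

```powershell
# Added example (not from the thread): list what the ACLs on a few system
# locations grant to the local Administrators and Users groups. Read-only.

# Well-known SIDs, so the script does not depend on localized group names.
$Groups = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Sample locations chosen for illustration (an assumption, not a complete list).
$Targets = @(
    $env:ProgramFiles,
    (Join-Path $env:SystemRoot 'System32'),
    'HKLM:\SOFTWARE',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-GroupAccess {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on ${p}: $($_.Exception.Message)"
            continue
        }
        # Return explicit and inherited rules with identities expressed as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if (-not $Groups.ContainsKey($sid)) { continue }
            # File system and registry rules expose their rights under different names.
            $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rule.RegistryRights
            } else {
                $rule.FileSystemRights
            }
            [pscustomobject]@{
                Path   = $p
                Group  = $Groups[$sid]
                Type   = $rule.AccessControlType
                Rights = $rights
            }
        }
    }
}

Get-GroupAccess -Path $Targets | Sort-Object Path, Group | Format-Table -AutoSize
```

On a default installation the Administrators rows typically show write or full-control rights where the Users rows show read-only access, which is why a custom group given the same user rights in gpedit still behaves differently.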

