Typically, when I set up a new Windows machine for somebody, I simply allow the default account to remain as an Administrator (when I do my personal machines, I actually take complete control, activating the “Administrator” account and using that for myself). When there is a one-to-one mapping of person-to-account on a machine, then there are typically no issues with things like installing software. The person who uses the machine has complete access to do whatever they need or wish (good or bad).
Recently, I set up a new machine with Windows 7 designed explicitly for use by multiple people. I was tired of my son installing something that ended up on my wife’s desktop, cluttering it to the point where she couldn’t find her software. Of course, this is the result of everybody being an Administrator–installed software gets installed for “All Users” by default. I wanted each user to have the ability to install their own software, separate from anybody else who uses the machine, and only those things that I installed from the actual “Administrator” account to be available to everybody (e.g., printers).
Well, Microsoft’s notion of account control is overly simplified out of the box. There are only two options given to you when you set an account type: Administrator or Standard user. “Administrator” is, of course, the ruler of the machine. There’s pretty much nothing an Administrator cannot do. Of course, it’s a bad account-type choice when you’re letting non-technical people use the machine.
The other option is “Standard.” This would seem like the correct choice for the typical user, someone to whom you could give some control over their own environment without allowing them to affect or damage anybody else’s. However, after much frustration, I discovered this not to be the case. A “Standard” user is intended only to be able to use installed software, not to be able to customize their own environment by installing software. Not acceptable: I needed something with a bit more granularity.
As usual, the functionality I needed was buried a bit deeper. This is what I did to solve this particular problem. If there’s a better solution that I’ve missed, I’d love to hear about it.
[ Microsoft Management Console ]
To configure the permissions in greater detail, you need to access the Microsoft Management Console. You get to this by running the command “mmc” from the Start menu in Windows 7. This will open the Management Console window. For me, it looked like this on the initial run:
In this state, there isn’t much you can do in terms of permissions. From the File menu, select “Add/Remove Snap-in…” (or press Ctrl-M). This brings up another window where the permission settings that will need to be manipulated can be selected and added to the Console. From the Snap-in window, select the “Local Users and Groups” option, and “Add” it.
This will open another window so you can “Choose Target Machine.” It should have the “Local Computer” option selected by default. If not, then make sure that option is selected, press the “Finish” button, and then press “Ok”.
Back at the MMC window, you should now have both “Users” and “Groups” options available that enumerate the accounts and groups that currently reside on your machine.
Selecting the “Groups” tab, you’ll then want to double-click on the “Power Users” option in the list on the right.
This will open the “Power Users Properties” window.
From this window, press the “Add” button. This will open yet another window for adding users to the “Power Users” group.
Hold on. We need to go yet deeper into the oubliette by pressing the “Advanced” button on this panel. This will open the last (I promise) window we’ll need to access, the “Select Users” window. On this window, you’ll want to press the “Find Now” button. This button will cause the list at the bottom of the panel to be filled will all the current Users known to your system.
As pictured, when the list is populated, you’ll want to find the “Everyone” entry, select it, and then press “Ok.” This will take you back to the “Select Users” window, with the object name field filled in with the “Everyone” user.
Again, press “Ok” to return to the “Power User Properties” panel, which will then have the “Everyone” entry in its “Members” list. From here, you can press a final “Ok” to return to the Management Console window with your settings applied.
At this point, you have just added “Everyone” on the machine to the “Power Users” account. This gives them some of the abilities of the Administrator, and in particular, the elevated ability to install software. This does not, however, provide them with the capacity to install software into the privileged directories (e.g., “C:\Program Files (x86)”, and “C:\Program Files” under 64-bit Windows). This is intended behavior in this particular tutorial. I wanted the users to have Administrator-like installation privileges, but don’t want them cluttering up common areas and other users’ desktops. When installing software, each non-Administrator user will need to select an area within which they have read-write permissions (either somewhere under “C:\Users\<login>”, or on some secondary partition, if one is available). This will keep their software modifications only within the domain of their account.
Finally, you will need to save the changes you’ve made to the Management Console session. If you do not do this explicitly from the File menu, closing the window will prompt you to save.
You will need to save this console session in order for your changes to be applied to all the other accounts.