Ever felt like you’re losing control of your PC? If you share it with other users – family members or friends, for example – it can be a frustrating experience.
First, there’s the need to keep your data private from other people, then there’s the worry about what they might be doing behind your back. Windows has tools for managing children’s use, but what happens to a PC that’s shared between a group of adults – even those who should know better?
In this tutorial, we’re going to examine two main ways in which you can regain control of your PC. The first is through user accounts. We’ll reveal a technique whereby everyone – including yourself – gets their level of access reduced on a day-to-day level, tightening security, and preventing the haphazard installation of software and injudicious tweaking of system settings.
The secret to this tip is to create a master Admin account – password-protected, of course – which must be used whenever elevated access (including the installation of many programs) is required.
We’ll also look at a tool those running Windows 10 Professional can employ in conjunction with user accounts – namely the Local Group Policy Editor – to tighten things further, giving you control over restrictions on a user-by-user basis.
Then we’ll examine how you can control access to individual files and folders through permissions – after reminding you to take precautions, we’ll delve into how you can make people’s folders private, while blocking their access to other parts of your system.
There’s even time for troubleshooting file permissions issues (both those caused by your fiddling and those created by Windows itself), finding out the best way to transfer to a new PC, and integrating your OneDrive storage better into your user folders.
The end result? A PC that may be shared with others, but which remains your own, is under more control and better secured.
If you frequently have fleeting visitors in your home, you may wish to provide a limited user experience for basic tasks such as browsing the web.
For reasons unknown to us, Microsoft has disabled the Guest account, but it’s relatively straightforward to get back, and the quickest way is via the Command Prompt. To create a guest account named Visitor, and assign it to the Guest account group, first right-click the ‘Start’ button, choose ‘Command Prompt (Admin)’, then type the following:
$ net user Visitor /add /active:yes
$ net user Visitor *
Press Enter twice when prompted to add a password, so it stays blank. Now type:
$ net localgroup users Visitor /delete
$ net localgroup guests Visitor /add
The first command removes the Visitor account group (all new accounts are allocated their own group of the same name), while the second then assigns it to the Guest group.
Yes, despite the fact that Microsoft has removed the Guest account, it has kept the Guest group alive, which basically offers exactly the same level of limited accessibility as the Guest account provided in earlier versions of Windows.
Once complete, your guests can be directed to the Visitor account. They can use a limited set of apps, but will be denied access to other parts of your system, such as Settings and the Microsoft Store.
You can still install desktop programs, however – with the requisite Admin password and/or PIN, of course.
Levels of access
Let’s open with something that might seem counter-intuitive – the first step to reclaiming ownership of your PC is to reduce your own level of access to it.
Yes, you heard right – one of the most effective ways in which you can secure control of your PC is to downgrade your user account to that of a Standard User.
Why would you do this? First, it reduces your PC’s exposure to potential harm – now, instead of simply waving through requests for elevated access with a simple click of the mouse, you need to invoke a separate Administrator account (and password) instead.
The inconvenience of doing so is outweighed by the fact that it forces you to pause and confirm what the dialog is there for – no more lazily waving through something malicious by mistake.
It’s also essential if you share your PC with others – by downgrading everyone, they’re forced to use a secure Admin password (if you’ve shared it), or ask your permission before cluttering up your PC with more unwanted software.
The first step of this process involves creating a new Administrator account – click ‘Start > Settings > Accounts > Family & other users’, then click ‘Add someone else to this PC’ under ‘Other users’.
Choose ‘I don’t have this person’s sign-in information’, followed by ‘Add a user without a Microsoft account’. Name the account ‘Admin’, then enter a secure password, before clicking ‘Next’.
With the account set up, you next need to make it an Administrator account – select the account under ‘Other users’, and click ‘Change account type’ to convert it to Administrator.
You’re now ready to log off your own account and change it. Before doing so, consider switching to a Microsoft Account. It makes installing apps from the Microsoft Store easier – they’re sandboxed to your local account folder.
Sign out of your account, and log in as Admin (wait while the account is first set up). Return to the ‘Family & other users’ screen, where you’ll see your account listed.
Select this, click ‘Change account type’, then reduce it to Standard user. Repeat for all other users of your PC. Now, when you have to perform any administrative tasks, you’re prompted to select an Administrator account (‘Admin’ should be pre-selected by default), and enter its password to proceed.
You can make this step a bit easier by assigning a more memorable PIN number, and entering that instead – do this now via the ‘Sign-in options’ screen (click ‘Add’ under ‘PIN’).
Once done, sign out of Admin, and log back into your own account. For additional security, type ‘UAC’ into the Search box, and click ‘Change User Account Control Settings’ – you’ll see a security prompt, requiring you to enter your Admin password or PIN.
Verify the slider has been set to the top level. One of the most visible ways in which your access has been downgraded is seen when you open the Settings app – it’s now less functional than it was before, because all system-wide settings are now off limits.
To get at them requires logging into the Admin account directly (do this via the Start menu – click your user picture at the top of the menu, and select ‘Admin’ to switch user without logging out). Or does it?
In fact, most system-wide settings remain accessible via the classic Control Panel – just enter your Admin password to access them when prompted.
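To confirm the account layout from this section and the Visitor setup described earlier, the following read-only PowerShell audit (an added example, not part of the original tutorial) reports any enabled account other than ‘Admin’ that still holds Administrator rights, checks Visitor’s group membership, and reads the UAC registry values that correspond to the top slider position. It assumes the account names used here and an elevated PowerShell prompt on Windows 10.

```powershell
# Added example: read-only audit of the account setup described in this tutorial.
# Assumes the account names 'Admin' and 'Visitor' used above; adjust if yours differ.
$ExpectedAdmin = 'Admin'
$GuestUser     = 'Visitor'

# Well-known SIDs, so the checks also work on non-English installs.
$AdminsSid = 'S-1-5-32-544'; $UsersSid = 'S-1-5-32-545'; $GuestsSid = 'S-1-5-32-546'

# Strip the 'COMPUTER\' prefix from a group member's name.
function Get-ShortName($Member) { ($Member.Name -split '\\')[-1] }

function Test-Member([string]$GroupSid, [string]$User) {
    [bool](Get-LocalGroupMember -SID $GroupSid -ErrorAction SilentlyContinue |
        Where-Object { (Get-ShortName $_) -eq $User })
}

# Enabled local accounts only: a disabled built-in Administrator is not a finding.
$enabledSids = @(Get-LocalUser | Where-Object Enabled | ForEach-Object { $_.SID.Value })

# Any enabled account besides the master Admin that still has Administrator rights.
$extraAdmins = @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction SilentlyContinue |
    Where-Object { $enabledSids -contains $_.SID.Value -and
                   (Get-ShortName $_) -ne $ExpectedAdmin } |
    ForEach-Object { Get-ShortName $_ })

# "Always notify" (the top slider position) is stored as these three values.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacTop = ($uac.EnableLUA -eq 1) -and
          ($uac.ConsentPromptBehaviorAdmin -eq 2) -and
          ($uac.PromptOnSecureDesktop -eq 1)

[pscustomobject]@{
    AdminAccountIsAdministrator = Test-Member $AdminsSid $ExpectedAdmin
    OtherEnabledAdministrators  = $extraAdmins -join ', '
    VisitorInGuests             = Test-Member $GuestsSid $GuestUser
    VisitorInUsers              = Test-Member $UsersSid  $GuestUser
    UacAlwaysNotify             = $uacTop
} | Format-List
```

On a PC set up as described, OtherEnabledAdministrators is empty, VisitorInUsers is False and the other three fields are True.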
You’ve purchased a new PC and want to transfer your stuff across. Copying data is simple: you can either set up a shared folder on your new PC and shunt everything across, before moving it to its new home, or use an intermediary device, such as an external hard disk.
That’s all well and good, but what if you want to move across key user settings, and maybe even programs, too? If you use the same Microsoft Account on both old and new PC to log into Windows, then some tweaks will come across, but if you’re looking to simply replicate your old setup on your new PC – including desktop programs and carefully crafted settings – you’ll need to get out your wallet and employ the services of a third-party program.
The best tool is PCmover. The Express edition can move files, settings, and user profiles, but if you want to move apps, you need PCmover Professional.
Transfer via the supplied Ethernet cable, or use an external drive as an intermediary – but this greatly lengthens the process.
An alternative is EASEUS PCTrans, which comes in Free and Pro versions.
The former enables you to transfer data, plus two apps (the Pro has no limitation). If you want to transfer software that’s been activated, you need to find out how to deactivate it on your old PC, before reactivating it on your new one.
Also, don’t rush to dispose of your old PC once you’ve transferred everything across. Make sure it all appears to be in order, and consider taking one last fail-safe drive image of your old PC using Macrium Reflect Free, ensuring that you can browse the image’s contents to grab anything that might have been left behind.
Use Group Policy settings
If you’re running Windows 10 Professional, you can set further restrictions on a user-by-user basis using the Local Group Policy Editor – launch gpedit.msc to take a tour.
It’s a little baffling for first-time users, so take the time to explore its settings, and make sure you take a drive image before you begin – it’s very easy to lock yourself out of your system.
Most Group Policy settings are basically Registry edits, and if you’re running Windows 10 Home Edition, you can emulate most of these with the correct setting. Thankfully, Microsoft has provided a handy reference guide containing each policy’s setting and its equivalent Registry entry – select ‘Windows 10 ADMX spreadsheet.xlsx’ when prompted.
By default, gpedit.msc shows the Local Computer Policy settings, which means the settings are applied across your entire PC. For a more granular approach, involving a single user or group, you need to apply a customised Local Group Policy instead.
Press [Win]+[R], type ‘mmc’, and hit [Enter]. Choose ‘File > Add/Remove Snap-in’. Select ‘Group Policy Object Editor’ from the left-hand pane, and hit ‘Add’.
Click the ‘Browse’ button, and select the ‘Users’ tab. Choose your target user (yourself, say) or group (‘Non-Administrators’, for example), and then click ‘OK > Finish > OK’.
Now choose ‘File > Save’ to save a copy somewhere accessible (going forward, you would double-click this file to view and edit it).
With the template in place, you can now start to customise settings or restrict access. The Administrative Templates section is a good first port of call. Select a section, then click on a setting in the right-hand pane to read a description of what it does.
Double-click it to make a change – this usually means enabling or disabling the policy, but sometimes you get other options based on your settings, too.
Make a note of the initial setting (typically ‘Not configured’), in case you ever need to reset your policies.
If you want to block access to a specific program that’s been installed, expand ‘Windows Settings > Security Settings > Software Restriction Policies’, and choose ‘Action > New Software Restrictions Policy’.
Select ‘Additional Rules’, then ‘Action > New Path Rule’. Click ‘Browse’ to select the parent folder of a program you wish to block, leave ‘Security level’ set to ‘Disallowed’, and provide a description to help identify the rule going forward.
Click ‘OK’. Select ‘File > Save’, then close the window, and reboot your PC. Test the rule by logging into the user account in question, then try launching the program – you should see a message telling you it’s blocked.
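Because policies end up as Registry entries, you can also read a path rule back to confirm it was saved, or to spot one you didn’t create. The PowerShell below is an added example, not part of the original tutorial: it lists Software Restriction Policy path rules from the machine and current-user policy hives, and the key layout and level numbers it relies on are stated from general Windows knowledge rather than from this page.

```powershell
# Added example: list Software Restriction Policy path rules stored in the registry.
# Read-only. Checks the machine-wide hive and the hive of the user running the script.
$SrpRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

# Rules are grouped in subkeys named after the numeric security level.
$LevelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {
    foreach ($root in $SrpRoots) {
        if (-not (Test-Path $root)) { continue }          # no policy in this hive
        foreach ($level in Get-ChildItem $root) {
            $pathsKey = "$($level.PSPath)\Paths"
            if (-not (Test-Path $pathsKey)) { continue }  # level has no path rules
            foreach ($rule in Get-ChildItem $pathsKey) {
                $values = Get-ItemProperty $rule.PSPath
                $name   = $LevelNames[$level.PSChildName]
                if (-not $name) { $name = "Level $($level.PSChildName)" }
                [pscustomobject]@{
                    Hive        = ($root -split ':')[0]
                    Level       = $name
                    Path        = $values.ItemData        # folder or file the rule covers
                    Description = $values.Description     # text typed when creating the rule
                }
            }
        }
    }
}

# Show only the rules that block something, such as the one created above.
Get-SrpPathRule | Where-Object Level -eq 'Disallowed' | Format-Table -AutoSize
```

An empty result means no Disallowed path rule is stored in either hive for the account running the script.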
Sadly, this granular level of control is restricted to Windows 10 Professional users only. However, you don’t need to try to enforce Family Safety on your 30-something lodger in order to restrict their access to programs – you can achieve much the same thing through the use of permissions.