"Guest" local account for a child- Local group policy settings

If it was me, I would create a dual boot pc using a virtual hard drive containing a copy of windows. On that second copy, you would have asmin account, and youngster a child account. You would hide the main OS by removing drive letter in vhdx version.

That way your child has no access to main host OS, and even if they screwed up the vhdx file somehow, you would simply reinstate it from a backup copy.

This is a much easier solution than trying to lock down host OS. You do not have to lock down too much on dual boot vhdx file as it would be a barebones installation with only apps you consider useful to child. Hardest part is safe web searching of course.

VHDX is not really going to change anything significantly though except add an abstraction layer that only adds more cumbersome environment parameters.

They still need to address many factors like all they stuff they need to lock down except in a abstract layer its just more work at the end of the day and unnecessary.

OP wants a trimmed down user essentially if they are going to VM or dual boot even then this its still the same sort of requirements just in a roundabout manner instead.

LordCunnart said:

Hi,
I am trying to create a safe bubble for my kid to be able to use my computer (he's 10) on his own and do zero harm to it or have access to anything other than a few set things.
Don't want him to be able to delete anything (bar his created docs), get into any of the attached drives, get into any Program Files, or settings etc etc.
Just effectively his own My Docs, the ability to use some of the programs, the printer and chrome (with strict safe search that he can't turn off or bypass in incognito mode).

I do not want a microsoft account for him or me, or the log in MS Family option, or lots of linked apps and accounts, just everything to be local, like when you work at a company that is really strict on one only having access to exactly what they allow and nothing else.
(I'm still working on how to lock up chrome so it's safe....)

I have created a local Guest account (thank you Shawn Brink for their guide on here)
It has locked out some things but not enough.

I'm in to the Local Group Policy Editor, but there is no easy template option and of course hundreds of individual options.

Is there an overall method to "tick" something and achieve this, or do I need to go into endless individual settings and try to figure out what controls what and change them just for the Guest account?

I'm guessing companies have a template method they apply that does all of this when they set up new starter accounts, rather than line by line.

Thank you!

maybe something here might help ?

Malneb said:

VHDX is not really going to change anything significantly though except add an abstraction layer that only adds more cumbersome environment parameters.

They still need to address many factors like all they stuff they need to lock down except in a abstract layer its just more work at the end of the day and unnecessary.

OP wants a trimmed down user essentially if they are going to VM or dual boot even then this its still the same sort of requirements just in a roundabout manner instead.

I disagree - I have locked down dual boot systems with vhdx files for others and they all liked its simplicity, easy to recover, and totally limits what children can do. It is dead easy to do with minimal expertise.

@cereberus

Unless i am missing something which i don't think i am then VHDX is not going to improve anything significantly. OP is still going to have to wad through mass Group policy and edit it all by hand which is still the whole premise of their situation they are trying to make a locked down non privileged user.

They are also trying to find a one button solution or an easier solution opposed to manually going through all gpedit and locking stuff down manually and can see why there is going to be lots to change to achieve what they are looking for. .

it seems there is no easy solution if it was that easy then OP would of found a guide to do exactly what they are trying to do. I also searched myself on several search engines and using all the tricks like special characters and other regex related searching methods.

I could not come up with anything that is even remotely close to what OP is asking for its a dead end it seems unless they tie into that online family stuff.

I can see why they don't want that because Windows can do all this natively and locally it just seems like its going to be annoying to setup to the sort of level OP is looking for.
Again if it was easy to setup then there would be mass guides about it and even GPO templates to download but the GPO template do not seem like they are utilized much in general if at all and the only templates online are for admin accounts.

the family stuff is also going to mean telemetry so there is that as well nobody wants all that when all they are trying to do is keep their kid safe online.

- - - Updated - - -

IDK you may have to look at alternatives like the MS family thing or third party software.

Even dual booting Linux might be a good option as its really easy to make a non privileged user that can't do anything except a few defined tasks to the depths that you are wanting.

The only thing is if you are not familiar with it then its a massive learning curve but essentially you could have the sort of limited user you are looking for with only a few lines on the cli and it would only take a few minutes.

Like example you could lock them to one folder and they only have Domain over that folder and any sub directories of that folder. So essentially they cannot fk anything up except inside that folder and beyond which you can also can control with your account then you would just have to worry about locking down your browser for child safety and blocking certain domains etc which is the easy part... it can get way more elaborate than this but this is all you would really need.

- - - Updated - - -

Just remember they are asking for a boy in the bubble type scenario cannot do anything except what is allowed in the bubble.

Malneb said:

@cereberus

Unless i am missing something which i don't think i am then VHDX is not going to improve anything significantly. OP is still going to have to wad through mass Group policy and edit it all by hand which is still the whole premise of their situation they are trying to make a locked down non privileged user.

They are also trying to find a one button solution or an easier solution opposed to manually going through all gpedit and locking stuff down manually and can see why there is going to be lots to change to achieve what they are looking for. .

it seems there is no easy solution if it was that easy then OP would of found a guide to do exactly what they are trying to do. I also searched myself on several search engines and using all the tricks like special characters and other regex related searching methods.

I could not come up with anything that is even remotely close to what OP is asking for its a dead end it seems unless they tie into that online family stuff.

I can see why they don't want that because Windows can do all this natively and locally it just seems like its going to be annoying to setup to the sort of level OP is looking for.
Again if it was easy to setup then there would be mass guides about it and even GPO templates to download but the GPO template do not seem like they are utilized much in general if at all and the only templates online are for admin accounts.

the family stuff is also going to mean telemetry so there is that as well nobody wants all that when all they are trying to do is keep their kid safe online.

- - - Updated - - -

IDK you may have to look at alternatives like the MS family thing or third party software.

Even dual booting Linux might be a good option as its really easy to make a non privileged user that can't do anything except a few defined tasks to the depths that you are wanting.

The only thing is if you are not familiar with it then its a massive learning curve but essentially you could have the sort of limited user you are looking for with only a few lines on the cli and it would only take a few minutes.

Like example you could lock them to one folder and they only have Domain over that folder and any sub directories of that folder. So essentially they cannot fk anything up except inside that folder and beyond which you can also can control with your account then you would just have to worry about locking down your browser for child safety and blocking certain domains etc which is the easy part... it can get way more elaborate than this but this is all you would really need.

- - - Updated - - -

Just remember they are asking for a boy in the bubble type scenario cannot do anything except what is allowed in the bubble.

Yeah you are missing the point. Read original post - OP wants to protect HIS OS from accidental damage by child.

A separate vhdx installation virtually eliminates possibility of child deleting stuff he should not as the content will not be available to him.

There is no need to go through megahoops to achieve a simple objective.

Of course OP should still take sensible precautions over safe surfing.