Windows 7 God Mode

[AyatollahPies]

Superb find young man, though this isn't going to help me with Windows 7 exam revision.

Don't think they will accept "Go to GodMode folder on desktop" as a solution to everything.

[ronnoco]

brill!....cheers!

[RabbieBurns]

You can also add this to the quicklaunch on the taskbar to make it even more accessible:

Right Click on the taskbar and go to >Toolbars>New Toolbar.

Paste this into the window: "%appdata%\Microsoft\Internet Explorer\Quick Launch" (without quotes) and OK.

Next unlock the taskbar in the usual fashion and shimmy the quick launch bar to your preferred area.

Right click on the word Quick Launch and untick "Show text" and "Show title"

You can now drag the godmode to the quicklaunch.



(thanks to originofsymmetery for the how to enable quick launch info he posted here some win 7 annoyances)

[elsiegee40]

.... and how do you stop the little darlings from using this whizzy tool?

[JJonas]

.... and how do you stop the little darlings from using this whizzy tool?

I was thinking that exact same thing.

[Domino]

They should be locked out of using any of it through group policy anyway right?

[sted]

just tried that on an 08 (non r2) sp2 x64 and it just caused explorer to crash repeatedly every time explorer opened the desktop folder had to log in as another user and delete the folder with dos lol

[elsiegee40]

They should be locked out of using any of it through group policy anyway right?

They should, but has anyone tested this yet?

[RichB]

Evening guys and girls just been having a mess around with this tool....

two things... firstly you can name the folder anything you want i.e admin folder then the string!

secondly when you save this folder on your usb pen and access it on a win7 pc i.e in a computer room everything WORKS... even with group policies in place!

Having a little play to stop it before the lovely kids find this out!

EDIT - stand corrected was using a power user account, only very small things still work like display settings... but still could be a worrie! Also asks for the admin log in details to carry on if the GP stops you, not a access denied message, kids could be locking out some admin accounts!

[llawwehttam]

I saw this early this morning when I checked my RSS feed from CNET.

Haven't had a chance to try it out but it sounds good.

[SYNACK]

@elsiegee40 - This tool only provides lots of links in a single place for existing control pannel applets. These are still locked out in the smae way with group policy so if your system is already locked down for this then they will still be limited by policy.

As the users should be limited users anyway even without any further restrictions they should only be able to change little things that affect thir profile only, these features are easily blockable in GP.

As to the credentials prompt, this is standard behaviour for Windows 7 if it runs up against a UAC prompt in limited user mode and is quite handy if you need to change something in their profile directly. This would only result in locked out admin accounts if they know that the admin username was. This is one of the reasons to change the default administrator logon name as even this can get locked out by students attempting to log on to it directly if precautions are not taken.

[DaveP]

I don't have Windows7 myself so I can't test this but apparently there are 'lots of God modes' in Windows7.

Link: Windows 7 has lots of 'GodModes'

[somabc]

MS Article - Canonical Names of Control Panel Items

[RedRebel]

Btw this works in Vista too

Edit: though I have read it doesn't work in Vista x64 - not sure about W7 x64, will try it in a bit.

Just tried it on Win7 x64. It works.

Nice tip, this is the dog's danglies

[srochford]

As to the credentials prompt, this is standard behaviour for Windows 7 if it runs up against a UAC prompt in limited user mode and is quite handy if you need to change something in their profile directly. This would only result in locked out admin accounts if they know that the admin username was. This is one of the reasons to change the default administrator logon name as even this can get locked out by students attempting to log on to it directly if precautions are not taken.

Unless you've changed things, you can't lock out the administrator account (SID ending -500) - I think that this is done in part to protect you against DOS attacks.

There are lots of other things a user could do get prompted with a username/password box - just try connecting to the admin share on a remote machine, for example - and a malicious user could lock out any account with this (not just administrator accounts)

Changing the number of bad passwords allowed before an account is locked out can be a good idea. I've read suggestions that you can set it to a huge number (>100) - this is the sort of number which will defeat an automated attack (just going through an entire dictionary) but won't cause a problem for a user who's forgotten their password and is trying each of the passwords they regularly use and will probably also mean a "bad" person will get bored before the account locks out.

Any changes that users can make (eg display settings) should be specific to that user; logging on as another user will get things back to normal and if your users have mandatory profiles then even their personal changes will be cleared up at logoff.