Written by I used Version 1 of Windows Live Family Safety when it first came out. It was an idea long overdue: hosted control over which websites, IM contacts, and email addresses your kids are allowed to use, with some built-in monitoring.
When I upgraded to the new version in August of 2009, it no longer worked for me. Why? Because I’m something that Microsoft apparently doesn’t think should exist: a home user, running a Windows Server Active Directory Domain on his home network.
So for those of you who are (like me) geeky enough to want the power and flexibility that comes with having all your family members manage their logins on various machines throughout the house with a Windows Domain, and who are also responsible enough parents to limit what your kids can access online and depended on WLFS to manage it, then you were probably pretty upset (also like me) when the new version of Windows Live Family Safety broke the monitoring of domain accounts.
I do, however, have a workaround. Of course, like most workarounds, this one shouldn’t be needed… and I sincerely hope it won’t be when Windows Live Family Safety is updated next. But until then, following is what I did to get back monitoring of domain accounts. It works because the Windows Live Family Safety management interface will display domain accounts that are set as Administrators on the local machine.
This workaround assumes you’re using a Windows 7 client, but should work similarly for Vista.
- On the computer(s) that your kids use to get online, sign in as you (assuming you have Admin privileges on that machine, which you should if you’re a domain admin and this machine is attached to your domain).
- Go to Control Panel, then click Change account type under User Accounts.
- In the list of Users for this computer:, make sure that domain accounts for you, as well as anyone you want monitored by Windows Live Family Safety, are listed. If any are missing, click Add…, put their domain username in the User name: field and the name of your domain in the Domain: field, then click Next.
- On the next screen, which asks What level of access do you want to grant this user?, select Administrator. Do this for each of the accounts. Keep in mind that you are not setting them as an Administrator or Domain Administrator for your entire domain – you’re simply allowing their domain account to be part of the Administrators Group on the local machine (and only temporarily, at that).
- If you added your own domain account in the previous step (and it’s likely you did), press OK until the User Accounts snap-in closes. You’ll be prompted to log out and log back in so that the local machine can apply your local Administrator rights. Go ahead and log out, log back in, and go on to the next step.
- Once all domain accounts (including yours) are listed as Administrators on the local machine, run the Windows Live Family Safety application. Sign in as the parent with your Windows Live account.
- Check the box next to each child you want to monitor, then click Next.
- Match all the children’s names to their Windows Live accounts, then click Next.
- The Windows Live Family Safety management application will think for a bit, then you can exit.
- Go back to the User Accounts snap-in and select Properties on each of your kids’ accounts, select the Group Membership tab, and change them from Adminstrator to Standard user. This step isn’t technically necessary if there’s some strange reason that you’d want any of your kids to have Admin access to this machine, but as I’m sure you’ll agree, Domain Admins like us are control freaks, so I’ve got them all set as Standard user in my setup.
- Test your sweet workaround by logging in as your kid(s) and verifying that their previous Windows Live Family Safety settings are intact and that they can’t browse anywhere they shouldn’t.
- Kick back, pop open a Mountain Dew, and revel in your geek superiority. Just because THEY say you should run Windows Home Server like a sissy boy, instead of a full-on domain controller like a real man, doesn’t mean you have to!
If this workaround works for you, please let me know in the comments. If your implementation required some tweeks, I’d love to hear that, too!
Related posts:
- Migrating an Active Directory Domain Controller from Windows 2000 to Windows 2008 R2
- Upgrade (or Downgrade) Windows 7 Ultimate or Vista Ultimate to Windows 7 Professional or Windows 7 Home
- Dual Boot Windows 7 and Fedora 12 Linux with Dell Utility and Recovery Partitions
- Activate Windows 7 God Mode
- Using the Local Default Gateway with a Windows VPN Connection
Thanks it worked great for my XP PRO computers except on XP you have to use control userpasswords2 or t
Hi. Thanks for the excellent article. It’s worked great for a couple of machines on my network but i’m having great difficulty with a third. Despite 2 complete rebuilds of windows7 and adding the kids into local admin I stil can’t get WLFS to see them as local administrators? Any idea? Do you know how to get WLFS to do that initial check thing that it does right at the very start.
Anyway i’ll keep plugging away. If you have any idea i’d love to hear.
well it almost worked for me — unfortunately FSS doesn’t seem to want to ever refresh the filter without an unspecified error 80004005 so whatever settings are there on install are stuck there
why they make this functionality so difficult and/or impossible within a domain is just beyond me..
Like dawsonweb I also couldn’t get Family Safety working on my new Windows 7 (64bit) box while it works fine on my other XP and Vista machines. I finally did get it working by inserting an extra step – after adding the kids domain accounts to the local Admin group I then logged in once as their domain users to have the local machine create a profile for them. Once I did this then they showed up in the Famiy Safety software for me to select.
I also noticed that if I removed them from the local admin group after I set them up (step 10) they no longer showed up in the Famiy Safety Filter (when logged in as a parent to check who is being monitored) – but Family Safety still knows who they are when they log into the machine.
Thanks for the article Steve – it pointed me in the right direction and gave me incentive to keep trying to get it to work
I found that it also didn’t work on new accounts until I logged in to each account one time. Once I’d done that the new accounts showed up fine in the FS list.
Hi,
is anybody able to use the timelimits and programm restrictions from family safety, while using this workaround?
Thx and greetz
Michael
I too ran into the problem that WLFS could not be used with Domain accounts.
Hopefully the info below will help others.
(This being a different problem to re-enabling the control panel icon for “Parental Controls” which can be done via gpedit.msc – google for that)
I have a Windows 2008 Domain and a number of Windows 7 Professional desktops with “Windows Live Family Safety 2011 (Build 15.4.3502.0922)”.
Each of the Desktop PC’s have only a local-admin user account, no others.
I’m not saying this is the only solution or that what else has been written before does not work, but in my case I found the important bit as being to logon to the desktop PC as the DOMAIN\child account. Without doing this WLFS did not list the DOMAIN\child account and so it could not be selected, even after adding the “child” to the LOCAL\Administrators group as suggested elsewhere in this blog.
In order to link the “DOMAIN\child” account to the “WLFS\child” account, I:
- logged on to the Desktop PC as the child “DOMAIN\child” account
- started WLFS and selected “Add or Manage family members on this computer”
- gave my DOMAIN\Administrator account to the UAC prompt
- gave my WLFS Parent account details
Then the list of accounts that could be selected included the “DOMAIN\child” account listed under the “Standard Users” section. I ticked this and associated it to the appropriate WLFS\child account.
This allows web filtering and tracking, but does not allow time limits/game etc, but program execution and logon hours can be dealt with by using domain controls so not a problem.
Thanks for the additional info, Raoul!
Worked perfectly for me running SBS 2011 Essentials (2008 R2) and 3 PC’s running 7 and Vista Pro, along with FSS 2011. Thanks for the post!
Worked Great! Thanks for the information.