Re: User rights in win 2003 d
From: blastingfonda (blastingfonda_at_gmail.com)
Date: 21 Mar 2005 14:28:16 -0800
Some Guy wrote:
> By doing what you ask, you are circumventing the point of the user
> account and the built security behind a windows domain. Thus, why
> are not allowed to install apps on clients.
Yeah, it's a tradeoff. When you give a user full rights to install
apps, you giving them nearly-full access to the registry and to the
Windows and Program Files directories. That alone undermines the
security of your box in a major way. Locking a user down yet giving
them rights to the registry are mutually exclusive actions. The Power
Users group is a compromise but even that group has a number of
limitations on what apps it can install and yet at the same time it
gives users way too many permissions as well.
Anyone with a desire to obtain full admin rights to their box could do
so pretty easily once given the rights to install and run any app.