Re: Add the loged in user to the local admin group during logon pr

Pluto wrote:
The problem I have is that Doamin Users ARE part of the local admin, which is BIG whole. This was something my predecessor implemented because one of the applications running on the users desktop requires local admin. The whole point is to restrict that by adding only owners of that workstation to the local admin group. Btw, users only logginto their own workstaion so there is no risk to haev soembody logging to someone else workstation.

If it's just one workstation and very limited number of known users then why not just add them manually to that workstations local administrators group.

If the same application is on several workstations, and/or the people requiring access change more than a few times a year, or if there are a large number of users - then better still is to create another Domain group with a suitable name, add the appropriate users to that group then add the group the local admins group. This way you only need to change the membership of the group when a new account is created or when someone else needs access.

I'd probably give the group a name that matches the application (i.e: ABCD App Users) and perhaps change the access permissions for the applications folder/files (on the workstation) so that only members of that group are even allowed access to the application (and even the start menu items for the application if you want to go that far).

I work for a large organisation that uses this technique to restrict access to almost every available locally installed application (as well as served applications), as that then provides some control over how many users have access and hence how many licences are required for each application.

--
VS
.

Relevant Pages

  • Re: Must all users be administrators?
    ... Correct me if I am wrong, but GROUP POLICIES override this (local admin can ... I have one workstation that has a user as Administrator and I ... install/add/remove anything, they can't save to desktop, can't change screen ...
    (microsoft.public.windows.server.sbs)
  • Re: SBS 2003 Premium, user changes password and loses network share access
    ... If no local admin account, log on as a domain admin. ... profile that has local admin permissions on the workstation. ... Merv Porter [SBS-MVP] ...
    (microsoft.public.windows.server.sbs)
  • Re: Administrator rights for legacy appliations
    ... innocent users running workstation applications and browsing the ... Internet and your filesystem. ... applications at all, even if you try to lock them down as best as ... compatible and can cause various problems on your server. ...
    (microsoft.public.windows.terminal_services)
  • Access 2000 on Win XP Workstation - Printing Problems
    ... I have a number of Access 2000 applications installed on XP Professional ... users (not power users) and as such I have had to apply permissions ... on the second workstation and reran the application and all is well. ... I have also looked to see if a folder or file was created ...
    (microsoft.public.access.devtoolkits)
  • Re: Slow startup and using MSCONFIG
    ... Workstation is a core service for XP. ... notebook it was. ... they load up notebooks with all kinds ... of applications & startup/watchdog stuff that most users won't make use of. ...
    (microsoft.public.windowsxp.general)