Re: Users installing software
From: Curt Winter (CurtWinter_at_discussions.microsoft.com)
Date: 06/30/04
- Next message: ptwilliams: "Re: Enquiry on a special scenario."
- Previous message: Laura E. Hunter \(MVP\): "Re: Global Group"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Users installing software"
- Reply: Lanwench [MVP - Exchange]: "Re: Users installing software"
- Reply: georgewood: "Re: Users installing software"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 30 Jun 2004 10:14:01 -0700
Sean,
if you do not like the local admin solution, how would you recommend allowing a user to install software on there local machine?
when I go in as the Administrator and install some software for the user, then the user logs in and A) the software is not there, only installed for the current user when installed. B) software still does not run correctly.
Hence my need to allow a user to install software on there local machine.
Is there a policy setting in the AD someplace to allow users to install software locally on there workstation?
Thank you for the information.
Curt
"Fao, Sean" wrote:
> Keith Jakobs, MCP wrote:
> > Hi Allan,
> >
> > We add each user exclusively and specifically to the Local Administrators
> > group of each machine. But this way not all users have full control over
> > everyone else's workstation. We use Group policies to lock down network
> > access, but at the PC level, if they break it, they get a new one with
> > standard software imaged on to it.
> >
> > If they loose data because it was stored locally and not on the network then
> > too bad... they were told where to keep it and that is policy. Then we dont
> > have to worry about the local stations. If we cant fix it quick, we give em
> > a new box, and wipe out the old one.
> >
> > If you want to give users that kind of control, that is the best we have
> > come up with.
> >
>
> This type of configuration is poor at best and I highly recommend
> against it for nearly all configurations. Windows 2000 and XP were
> designed to give the administrator more control over what previous
> versions of Windows had provided (Windows NT provided enhanced security
> over the 3.1/9x versions of Windows but 2000 really made things nice).
> When configured in this way, the enhanced security is irrelevant because
> anybody can do as he/she wishes. Sure, users only have administrative
> rights on his/her machine; but, down time is wasted money; no matter how
> you look at it. Also, depending on what type of system breach has
> occurred it is possible that a remote user that is not part of your
> business will be able to gain enough information on the network topology
> to gain Domain Admin privileges and bring down the *entire* network.
> Local Admin is merely a band-aide for a lazy administrator in nearly all
> circumstances.
>
> Also, in regard to saving items locally, IMNSHO, a network administrator
> should be relieved of their duties if they recommend saving *anything*
> work related to the work stations. There is no way for an administrator
> to know what is on each of the work stations and it would be extremely
> expensive to equip each of them with the proper agents to allow for
> remote backups. I have run across many situations where months of work
> has been lost because proper guidelines were either not in place or end
> users refused to listen. I have also run across situations where an
> employee has deleted all of their files just prior to leaving a company.
> Had the administrator not had a backup, years of research would have
> been lost. Situations like this are _not_ uncommon and administrators
> should be doing their best to alleviate as much as possible; not
> encourage it by being lazy.
>
> Sean
>
- Next message: ptwilliams: "Re: Enquiry on a special scenario."
- Previous message: Laura E. Hunter \(MVP\): "Re: Global Group"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Users installing software"
- Reply: Lanwench [MVP - Exchange]: "Re: Users installing software"
- Reply: georgewood: "Re: Users installing software"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
