Re: Users installing software

From: georgewood (georgewood_at_verizon.net)
Date: 07/07/04

• Next message: Aarohi Johal: "Re: Second Domain Controller"
• Previous message: georgewood: "Re: Roaming Profiles question"
• In reply to: Curt Winter: "Re: Users installing software"
• Messages sorted by: [ date ] [ thread ]

---

Date: Wed, 07 Jul 2004 04:00:19 GMT

Add them to security group
"Curt Winter" <CurtWinter@discussions.microsoft.com> wrote in message
news:E03CF4D7-BDA7-4554-84F5-907E50E98764@microsoft.com...
> Sean,
>
> if you do not like the local admin solution, how would you recommend
allowing a user to install software on there local machine?
>
> when I go in as the Administrator and install some software for the user,
then the user logs in and A) the software is not there, only installed for
the current user when installed. B) software still does not run correctly.
>
> Hence my need to allow a user to install software on there local machine.
>
> Is there a policy setting in the AD someplace to allow users to install
software locally on there workstation?
>
> Thank you for the information.
>
> Curt
> "Fao, Sean" wrote:
>
> > Keith Jakobs, MCP wrote:
> > > Hi Allan,
> > >
> > > We add each user exclusively and specifically to the Local
Administrators
> > > group of each machine. But this way not all users have full control
over
> > > everyone else's workstation. We use Group policies to lock down
network
> > > access, but at the PC level, if they break it, they get a new one with
> > > standard software imaged on to it.
> > >
> > > If they loose data because it was stored locally and not on the
network then
> > > too bad... they were told where to keep it and that is policy. Then
we dont
> > > have to worry about the local stations. If we cant fix it quick, we
give em
> > > a new box, and wipe out the old one.
> > >
> > > If you want to give users that kind of control, that is the best we
have
> > > come up with.
> > >
> >
> > This type of configuration is poor at best and I highly recommend
> > against it for nearly all configurations. Windows 2000 and XP were
> > designed to give the administrator more control over what previous
> > versions of Windows had provided (Windows NT provided enhanced security
> > over the 3.1/9x versions of Windows but 2000 really made things nice).
> > When configured in this way, the enhanced security is irrelevant because
> > anybody can do as he/she wishes. Sure, users only have administrative
> > rights on his/her machine; but, down time is wasted money; no matter how
> > you look at it. Also, depending on what type of system breach has
> > occurred it is possible that a remote user that is not part of your
> > business will be able to gain enough information on the network topology
> > to gain Domain Admin privileges and bring down the *entire* network.
> > Local Admin is merely a band-aide for a lazy administrator in nearly all
> > circumstances.
> >
> > Also, in regard to saving items locally, IMNSHO, a network administrator
> > should be relieved of their duties if they recommend saving *anything*
> > work related to the work stations. There is no way for an administrator
> > to know what is on each of the work stations and it would be extremely
> > expensive to equip each of them with the proper agents to allow for
> > remote backups. I have run across many situations where months of work
> > has been lost because proper guidelines were either not in place or end
> > users refused to listen. I have also run across situations where an
> > employee has deleted all of their files just prior to leaving a company.
> > Had the administrator not had a backup, years of research would have
> > been lost. Situations like this are _not_ uncommon and administrators
> > should be doing their best to alleviate as much as possible; not
> > encourage it by being lazy.
> >
> > Sean
> >

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.716 / Virus Database: 472 - Release Date: 7/6/2004

---

• Next message: Aarohi Johal: "Re: Second Domain Controller"
• Previous message: georgewood: "Re: Roaming Profiles question"
• In reply to: Curt Winter: "Re: Users installing software"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: Draft I: Why You Dont Want to Install Software ... that evil IT guy-- the party pooper who runs his network with an iron fist. ... > been made members of the 'local administrator' group. ... >> idea of contacting your network consultant to install software probably ... >> could install software. ... (microsoft.public.windows.server.sbs) Re: Insufficient Administrator Permissions ... Add the administrator to directive: AddWorkstation to Domaine.. ... Network Configuration Operators... ... > I am desperate for some help, I have just done an install ... (microsoft.public.windowsxp.security_admin) Re: Admin Account or not ... The decision was made that a Network ... Administrator would have the authority to decide if and when an update installed ... However, there is a glaring exception to this, and that is if you install a SUS ... > power group can not install Windows Updates. ... (microsoft.public.windowsupdate) Re: Installation problem ... There is an Administrator account, ... You should disconnect the machine from network access, ... Then, install your antivirus program, turn on the firewall, ... Windows Update to get the newly installed Windows XP ... (microsoft.public.windowsxp.security_admin) Re: Users installing software ... We use Group policies to lock down network ... Windows 2000 and XP were ... Local Admin is merely a band-aide for a lazy administrator in nearly all ... to know what is on each of the work stations and it would be extremely ... (microsoft.public.win2000.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)