Re: User Rights in Domain

From: Clayton (cbaker_at_teleflexaerospace.com)
Date: 09/22/04


Date: Wed, 22 Sep 2004 08:29:02 -0700

Ok
Let me clarify...
Due to Sarbanes Oxley, I have been tasked to remove any
current Domain Admin from that group, however the 2 people
in concern need to be able to continue doing their jobs as
they are with Domain Admins rights due to a project they
are currently working on.
The 2 of them are going to need to be able to install
programs on local PC's within the domain without much in
the lines of obstruction...
I would never want everyone to have the ability to install
programs in this domain....only the 2. ( I want to comment
on this later as well)
Now then, in most situations you have to be a Local Admin
or as mentioned, a Power User to do these tasks on the
Domain PC's.
I will research the option that Cary has produced as well
as the software smooredhs has mentioned.
Now then as mentioned above in reference to the fear of
all users installing programs...I have in the past posted
this as a concern...meaning I wanted to find a way to keep
Domain Users from installing any program on their local
PC's. Currently I have found users that can do so?...so I
ask..what can I do (in group policy) to prevent this?
Now then, knowing this, also know that due to some CAD
programs in our Domain, the local users of this program
MUST be Power Users to run it. I have contacted these
vendors and have had no luck in finding a way around it,
so in saying that again, how can I prevent all users from
installing any program they can find from the internet or
otherwise? I did come across a GP that keeps them from
downloading but in the same breath we have contracts with
companies that require us to go to their web sites and
download PDF's and such, which in that case keeps them
from doing their jobs.
I have several OU's that for the most part I can segregate
and apply GP's separately but in most cases people even
though in different OU's do the same type jobs and access
the same web sites for downloads....errr!
Does this help?
Thanks a Bunch

>-----Original Message-----
>Okay,
>
>However, there was a patch to the 'normal' processing of the Restricted
>Groups GPO. You would have to call MS-PSS and make sure that you get both
>the WIN2000 and WINXP versions. Simply install this patch to each system
>and then make use of Restricted Groups and whatever is already there stays!
>You simply add the security group that you designate to the local group of
>your focus. Too bad that you spent money on an application that might not
>have been necessary. Does it do anything else that justifies the cost (
>oops, there I go again assuming that you paid for this software; there is
>such a thing as freeware and shareware! ).
>
>Here is the link to the update that modifies the behavior of the Restricted
>Groups:
>
>http://support.microsoft.com/?id=810076
>
>HTH,
>
>Cary
>
>"smooredhs" <smooredhs@newsgroup.nospam> wrote in message
>news:%23NDFMmBoEHA.3900@TK2MSFTNGP10.phx.gbl...
>> We use a product called User Manager Pro to push out mass changes
>> like this to PC's and servers. I've had to avoid the Restricted Groups GPO
>> only because
>> I understand that it overlays completely whatever is in the PC's local
>> administrator group. Some staff have been given administrator rights over
>> their PC's, so this would just wipe that out. I hope in the future there is a
>> way to apply this in only an additive way.
>>
>> Steve
>>
>> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> news:ezdAIABoEHA.3712@TK2MSFTNGP15.phx.gbl...
>> > Clayton,
>> >
>> > I think that what he was suggesting was that you use the Restricted Groups
>> > GPO so that you do not have to go to each and every computer! What you can
>> > do is to make the Domain Users group - via this GPO - a member of the local
>> > Power Users group ( by default, the Domain Users group is a member of the
>> > local Users group on each system ) on each WIN2000 and/or WINXP Pro system.
>> > All you would need to do is to follow the following MSKB Article:
>> >
>> > http://support.microsoft.com/?id=320065
>> >
>> > All you would use the Power Users local group instead of the Administrators
>> > local group. This will allow some software to be installed ( as well as
>> > print drivers ). However, it is probably not going to solve all of the
>> > issues.
>> >
>> > I am not sure that I understand what you mean by "a standard Domain User
>> > install rights within the domain". I take it that you want regular user
>> > account objects to be able to log on to any workstation ( and -NOT- any
>> > Servers ) and install software. You might want to rethink this if I am
>> > reading you correctly. This will allow the users to install a lot of
>> > garbage software on their systems ( like Hotbar and Gator and Weatherbug,
>> > etc. ) that will cause a lot of problems.
>> >
>> > But, hey, you are the boss in your environment. I just want you to have as
>> > many facts as possible. Most experienced Sys Admins do not allow this in
>> > their environment. Too many variables that will result in you spending a
>> > lot of time doing Help Desk tasks.
>> >
>> > HTH,
>> >
>> > Cary
>> >
>> > "Clayton" <cbaker@teleflexaerospace.com> wrote in message
>> > news:010201c4a003$b81e5c40$a401280a@phx.gbl...
>> > > Well if you read the below it states that I do not want to
>> > > have to go to all PC's in order to allow local access and
>> > > Power Users are local to PC's ...not Domains...
>> > >
>> > >
>> > > >-----Original Message-----
>> > > >I thought you could put them within the Power Users group of each PC to do
>> > > >this.
>> > > >
>> > > >"Clayton" <cbaker@teleflexaerospace.com> wrote in message
>> > > >news:49c801c49ff1$7c062a10$a401280a@phx.gbl...
>> > > >> Hello,
>> > > >> I am trying to find/figure out a way to allow a standard
>> > > >> Domain User, install rights within the Domain.
>> > > >> This user can not be a Domain Admin, or belong to the
>> > > >> Administrators Group in the Domain but needs to be able to
>> > > >> install programs to PC's within the Domain without being a
>> > > >> Local Admin to every PC in my Domain.
>> > > >> Please take a stab at this...due to Sarbanes Oxley
>> > > >> compliance within our Organization we have to eliminate
>> > > >> all people that have Administrative rights within the
>> > > >> Domain that are accounts that are not needed as such.
>> > > >
>> > > >
>> > > >.
>> > > >
>> >
>> >
>>
>>
>
>
>.
>
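
Added example, not part of the original thread: a simplified Python model of the two Restricted Groups modes discussed above, the "Members" list that overlays a local group (Steve's concern) and the "Member of" setting that only adds to it (the behavior Cary describes). The `__Members` / `__Memberof` key syntax is that of the [Group Membership] section of a GPO's GptTmpl.inf; the CORP domain, the PC-Installers group and the existing membership are constructed sample data.

```python
# Simplified model of Restricted Groups processing on one PC (added illustration).
# Key syntax follows the [Group Membership] section of a GPO's GptTmpl.inf;
# every group and account name below is constructed sample data.

SAMPLE_REPLACE = """\
[Group Membership]
Administrators__Members = CORP\\Domain Admins,CORP\\PC-Installers
"""

SAMPLE_ADDITIVE = """\
[Group Membership]
CORP\\PC-Installers__Memberof = Administrators
CORP\\PC-Installers__Members =
"""

def parse_group_membership(inf_text):
    """Return (group, mode, [values]) tuples from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, mode = key.strip().rpartition("__")
        if sep and mode.lower() in ("members", "memberof"):
            values = [v.strip() for v in value.split(",") if v.strip()]
            entries.append((group, mode.lower(), values))
    return entries

def apply_policy(local_groups, entries):
    """Apply entries to {local group: members}; return (new state, removed accounts)."""
    result = {g: set(m) for g, m in local_groups.items()}
    removed = {}
    for group, mode, values in entries:
        if mode == "members" and group in result:
            # "Members": the listed accounts become the whole membership.
            removed[group] = result[group] - set(values)
            result[group] = set(values)
        elif mode == "memberof":
            # "Member of": the group is added to its targets; existing members stay.
            for target in values:
                if target in result:
                    result[target].add(group)
    return result, removed
```

Running both samples against the same starting membership shows which locally granted accounts a "Members" policy would strip before it is linked to an OU.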


