Re: User Rights in Domain

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 09/22/04


Date: Wed, 22 Sep 2004 12:24:10 -0400

Clayton,

If your domain user account objects need to be members of the local Power
Users to run the various CAD programs then it looks like you have a dilemma.
I would guess that they would need to be members of that local Group. This,
on the other hand, poses a problem for you in that you do not want your
users to be able to install software! As a member of the local Power Users
group they are able to install a lot of software.

One thing that you might want to explore is sysmon and regmon from
http://www.sysinternals.com. These two small applications will monitor
where failures are taking place ( specific directories or registry entries )
so that you can give the user the required permissions for that one folder
or registry entry. I do not know how involved that would be for you. It is
usually a trial and error thing so you might need a bit of time to tweak it
so that it is just right. And you will want to document this completely!
There is nothing more painful than reinventing the wheel again and again and
again!

As to making it impossible ( or, at least, more difficult ) you might want
to look at Software Restriction Policy. This will allow you, the Sys Admin,
to deny a whole bunch of executables ( but they can be renamed by the
users! ).

Here are some links:

http://support.microsoft.com/?id=324036
http://support.microsoft.com/?id=310791

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/SRP_create_policy.asp

http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html

Please note that these articles focus on WIN2003 and WIN XP Pro. You have
not specified what NOS you are using. I have been operating under the
impression that it was WIN2000 on the Server side and WIN2000/WIN XP Pro on
the Client side. I should have asked earlier.

Also know that you can use NTFS permissions to help abate this problem.
Lock down the C: and C:\Program Files so that 'Domain Users' simply have
read access. Please note that there would not be any share permissions
needed ( well, for starters, you are not sharing those folders and,
secondly, share permissions do not play any factor when accessing the shared
resource locally ).

HTH,

Cary
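The caveat in the reply above, that a Software Restriction Policy can deny a list of executables "but they can be renamed by the users", is easy to see with a small model of how SRP picks a rule. The block below is an added example, not code from the original post or from Microsoft: it keeps the documented precedence (a hash rule beats a path rule, which beats the default level; certificate and Internet-zone rules are left out) and lets the most specific matching path rule win. The rule sets, the file paths and the sample executable bytes are all constructed for the example.

```python
"""Simplified model of Software Restriction Policy (SRP) rule matching.

Added example: not code from the original post or from Microsoft. Precedence
kept from the documentation: hash rule > path rule > default level (certificate
and Internet-zone rules are omitted); among path rules the most specific match
wins. Rule sets, paths and the sample "executable" are constructed.
"""
import hashlib
import ntpath  # Windows path semantics regardless of the host OS

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


def md5_of(data):
    # A hash rule is keyed on the file's contents, never on its name.
    return hashlib.md5(data).hexdigest()


def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))


def _path_matches(rule_path, file_path):
    """A path rule covers the file itself or anything under a folder rule."""
    rp, fp = _norm(rule_path), _norm(file_path)
    return fp == rp or fp.startswith(rp.rstrip("\\") + "\\")


def evaluate(policy, file_path, data):
    """Return (security level, reason) for launching `data` from `file_path`."""
    digest = md5_of(data)
    hash_level = policy.get("hash_rules", {}).get(digest)
    if hash_level:
        return hash_level, "hash rule " + digest
    best = None  # (rule path, level) of the most specific matching path rule
    for rule_path, level in policy.get("path_rules", {}).items():
        if _path_matches(rule_path, file_path):
            if best is None or len(_norm(rule_path)) > len(_norm(best[0])):
                best = (rule_path, level)
    if best:
        return best[1], "path rule " + best[0]
    return policy["default"], "default level"


# Constructed stand-in for a downloaded game; only its bytes matter here.
GAME = b"MZ\x90\x00 constructed sample executable bytes"

# Policy A: default Unrestricted, deny one file by path (the case the post warns about).
DENY_BY_PATH = {"default": UNRESTRICTED,
                "path_rules": {r"C:\Temp\game.exe": DISALLOWED},
                "hash_rules": {}}

# Policy B: same, but the deny is a hash rule.
DENY_BY_HASH = {"default": UNRESTRICTED,
                "path_rules": {},
                "hash_rules": {md5_of(GAME): DISALLOWED}}

# Policy C: default Disallowed; allow only folders Domain Users cannot write to.
# The NTFS lockdown from the post is what makes this hold. C:\Windows\Temp is
# user-writable, so it gets its own, more specific, deny rule.
ALLOWLIST = {"default": DISALLOWED,
             "path_rules": {r"C:\Windows": UNRESTRICTED,
                            r"C:\Windows\Temp": DISALLOWED,
                            r"C:\Program Files": UNRESTRICTED},
             "hash_rules": {}}


def rename_bypass_works(policy):
    """True if a user defeats the policy just by renaming the blocked file."""
    before, _ = evaluate(policy, r"C:\Temp\game.exe", GAME)
    after, _ = evaluate(policy, r"C:\Temp\notes.exe", GAME)
    return before == DISALLOWED and after == UNRESTRICTED


if __name__ == "__main__":
    for name, pol in (("deny by path", DENY_BY_PATH),
                      ("deny by hash", DENY_BY_HASH),
                      ("allowlist", ALLOWLIST)):
        print(f"{name:13} rename bypass: {rename_bypass_works(pol)}")
    # A hash rule has the opposite weakness: a new build of the same program
    # (here, one extra byte) no longer matches it.
    print("deny by hash, patched build:",
          evaluate(DENY_BY_HASH, r"C:\Temp\game.exe", GAME + b"\x00")[0])
    # Under the allowlist only the location matters.
    print("allowlist, CAD in Program Files:",
          evaluate(ALLOWLIST, r"C:\Program Files\CAD\cad.exe", GAME)[0])
    print("allowlist, copy dropped in C:\\Windows\\Temp:",
          evaluate(ALLOWLIST, r"C:\Windows\Temp\cad.exe", GAME)[0])
```

Policy C is the shape most shops end up with, and it only works together with the NTFS advice in the reply: an allow-by-path rule is worth exactly as much as the write permissions on that path. Note that Power Users can write into Program Files by default, so on the CAD machines where users must be Power Users the allowlist would need narrower paths, or hash or certificate rules for the CAD binaries instead.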

"Clayton" <cbaker@teleflexaerospace.com> wrote in message
news:3cd801c4a0b8$e37c0940$a501280a@phx.gbl...
> Ok
> Let me clarify...
> Due to Sarbanes Oxley, I have been tasked to remove any
> current Domain Admin from that group, however the 2 people
> in concern need to be able to continue doing their jobs as
> they are with Domain Admins rights due to a project they
> are currently working on.
> The 2 of them are going to need to be able to install
> programs on local PC's within the domain without much in
> the lines of obstruction...
> I would never want everyone to have the ability to install
> programs in this domain....only the 2. ( I want to comment
> on this later as well)
> Now then, in most situations you have to be a Local Admin
> or as mentioned, a Power User to do these tasks on the
> Domain PC's.
> I will research the option that Cary has produced as well
> as the software smooredhs has mentioned.
> Now then as mentioned above in reference to the fear of
> all users installing programs...I have in the past posted
> this as a concern...meaning I wanted to find a way to keep
> Domain Users from installing any program on their local
> PC's. Currently I have found users that can do so?...so I
> ask..what can I do (in group policy) to prevent this?
> Now then, knowing this, also know that due to some CAD
> programs in our Domain, the local users of this program
> MUST be Power Users to run it. I have contacted these
> vendors and have had no luck in finding a way around it,
> so in saying that again, how can I prevent all users from
> installing any program they can find from the internet or
> otherwise? I did come across a GP that keeps them from
> downloading but in the same breath we have contracts with
> companies that require us to go to their web sites and
> download PDF's and such, which in that case keeps them
> from doing their jobs.
> I have several OU's that for the most part I can segregate
> and apply GP's separately but in most cases people even
> though in different OU's do the same type jobs and access
> the same web sites for downloads....errr!
> Does this help?
> Thanks a Bunch
>
>
>
>
> >-----Original Message-----
> >Okay,
> >
> >However, there was a patch to the 'normal' processing of the Restricted
> >Groups GPO. You would have to call MS-PSS and make sure that you get both
> >the WIN2000 and WINXP versions. Simply install this patch to each system
> >and then make use of Restricted Groups and whatever is already there stays!
> >You simply add the security group that you designate to the local group of
> >your focus. Too bad that you spent money on an application that might not
> >have been necessary. Does it do anything else that justifies the cost (
> >oops, there I go again assuming that you paid for this software; there is
> >such a thing as freeware and shareware! ).
> >
> >Here is the link to the update that modifies the behavior of the Restricted
> >Groups:
> >
> >http://support.microsoft.com/?id=810076
> >
> >HTH,
> >
> >Cary
> >
> >"smooredhs" <smooredhs@newsgroup.nospam> wrote in message
> >news:%23NDFMmBoEHA.3900@TK2MSFTNGP10.phx.gbl...
> >> We use a product called User Manager Pro to push out mass changes
> >> like this to PC's and servers. I've had to avoid the Restricted Groups
> >> GPO only because I understand that it overlays completely whatever is in
> >> the PC's local administrator group. Some staff have been given
> >> administrator rights over their PC's, so this would just wipe that out.
> >> I hope in the future there is a way to apply this in only an additive way.
> >>
> >> Steve
> >>
> >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> >> news:ezdAIABoEHA.3712@TK2MSFTNGP15.phx.gbl...
> >> > Clayton,
> >> >
> >> > I think that what he was suggesting was that you use the Restricted
> >> > Groups GPO so that you do not have to go to each and every computer!
> >> > What you can do is to make the Domain Users group - via this GPO - a
> >> > member of the local Power Users group ( by default, the Domain Users
> >> > group is a member of the local Users group on each system ) on each
> >> > WIN2000 and/or WINXP Pro system. All you would need to do is to follow
> >> > the following MSKB Article:
> >> >
> >> > http://support.microsoft.com/?id=320065
> >> >
> >> > Only you would use the Power Users local group instead of the
> >> > Administrators local group. This will allow some software to be
> >> > installed ( as well as print drivers ). However, it is probably not
> >> > going to solve all of the issues.
> >> >
> >> > I am not sure that I understand what you mean by "a standard Domain
> >> > User install rights within the domain". I take it that you want regular
> >> > user account objects to be able to log on to any workstation ( and
> >> > -NOT- any Servers ) and install software. You might want to rethink
> >> > this if I am reading you correctly. This will allow the users to
> >> > install a lot of garbage software on their systems ( like Hotbar and
> >> > Gator and Weatherbug, etc. ) that will cause a lot of problems.
> >> >
> >> > But, hey, you are the boss in your environment. I just want you to
> >> > have as many facts as possible. Most experienced Sys Admins do not
> >> > allow this in their environment. Too many variables that will result
> >> > in you spending a lot of time doing Help Desk tasks.
> >> >
> >> > HTH,
> >> >
> >> > Cary
> >> >
> >> > "Clayton" <cbaker@teleflexaerospace.com> wrote in message
> >> > news:010201c4a003$b81e5c40$a401280a@phx.gbl...
> >> > > Well if you read the below it states that I do not want to have to
> >> > > go to all PC's in order to allow local access and Power Users are
> >> > > local to PC's ...not Domains...
> >> > >
> >> > > >-----Original Message-----
> >> > > >I thought you could put them within the Power Users group of each
> >> > > >PC to do this.
> >> > > >
> >> > > >"Clayton" <cbaker@teleflexaerospace.com> wrote in message
> >> > > >news:49c801c49ff1$7c062a10$a401280a@phx.gbl...
> >> > > >> Hello,
> >> > > >> I am trying to find/figure out a way to allow a standard Domain
> >> > > >> User install rights within the Domain. This user can not be a
> >> > > >> Domain Admin, or belong to the Administrators Group in the Domain
> >> > > >> but needs to be able to install programs to PC's within the
> >> > > >> Domain without being a Local Admin to every PC in my Domain.
> >> > > >> Please take a stab at this...due to Sarbanes Oxley compliance
> >> > > >> within our Organization we have to eliminate all people that have
> >> > > >> Administrative rights within the Domain that are accounts that
> >> > > >> are not needed as such.
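The Restricted Groups exchange quoted above (Steve's worry that the GPO "overlays completely" the local Administrators group, and Cary's point that with the updated behaviour "whatever is already there stays") comes down to two different kinds of entry in the policy file. The block below is an added example, not code from the thread or from Microsoft: it parses the [Group Membership] section of a GptTmpl.inf, the file in which a Restricted Groups GPO is stored in SYSVOL, and applies both kinds of entry to a constructed snapshot of one workstation's local groups, so the effect can be checked before the GPO is linked. The domain SIDs, the group names and the snapshot are constructed; the modelling assumptions are stated in the docstring.

```python
r"""What a Restricted Groups policy does to one workstation's local groups.

Added example: not code from the thread or from Microsoft. It parses the
[Group Membership] section of GptTmpl.inf (kept in SYSVOL under
Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit) and applies its two
kinds of entry to a constructed snapshot of a PC's local groups:

  <group>__Members  = a,b   the local group's membership is REPLACED by
                            exactly a,b (an empty list still replaces)
  <group>__Memberof = x,y   <group> is ADDED to x and y; their existing
                            members are kept

Modelling assumptions: entries act only on groups that exist on the PC (a
workstation cannot change a domain group's membership) and the built-in
Administrator account gets no special treatment. Domain SIDs below are
constructed; S-1-5-32-544 (Administrators) and S-1-5-32-547 (Power Users)
are the real well-known local SIDs. A real GptTmpl.inf is UTF-16 encoded
(read it with encoding="utf-16"); here the text is embedded instead.
"""

DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
ADMINISTRATORS = "*S-1-5-32-544"
POWER_USERS = "*S-1-5-32-547"
DOMAIN_ADMINS = f"*{DOMAIN}-512"
CAD_INSTALLERS = f"*{DOMAIN}-1106"   # constructed: group for the two installers
BOB = f"*{DOMAIN}-1107"              # constructed: user made local admin by hand
LOCAL_CAD_USER = "*S-1-5-21-3333-4444-5555-1001"  # constructed local account

# Constructed snapshot of one PC before either policy is applied.
WORKSTATION = {
    ADMINISTRATORS: {DOMAIN_ADMINS, BOB},
    POWER_USERS: {LOCAL_CAD_USER},
}

INF_HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'

# Policy 1: Administrators is the restricted group and its Members list is set.
REPLACING_INF = INF_HEADER + (
    "[Group Membership]\n"
    f"{ADMINISTRATORS}__Memberof =\n"
    f"{ADMINISTRATORS}__Members = {DOMAIN_ADMINS},{CAD_INSTALLERS}\n"
)

# Policy 2: the domain group is the restricted group and only 'Member of' is
# filled in (the editor still writes an empty Members line for it).
ADDITIVE_INF = INF_HEADER + (
    "[Group Membership]\n"
    f"{CAD_INSTALLERS}__Memberof = {POWER_USERS}\n"
    f"{CAD_INSTALLERS}__Members =\n"
)


def parse_group_membership(inf_text):
    """Return {group: {"Members": list or None, "Memberof": list}}."""
    entries, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        members = [m.strip() for m in value.split(",") if m.strip()]
        entry = entries.setdefault(group, {"Members": None, "Memberof": []})
        if kind == "Members":
            entry["Members"] = members   # a list, even an empty one, means replace
        elif kind == "Memberof":
            entry["Memberof"] = members
    return entries


def apply_policy(local_groups, entries):
    """Return the local groups as they would look after the policy is applied."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, entry in entries.items():
        if entry["Members"] is not None and group in result:
            result[group] = set(entry["Members"])   # replace outright
    for group, entry in entries.items():
        for target in entry["Memberof"]:
            if target in result:
                result[target].add(group)           # add, keep the rest
    return result


def removed_members(local_groups, entries):
    """Who loses membership of which local group: the thing to check first."""
    after = apply_policy(local_groups, entries)
    return {g: local_groups[g] - after[g]
            for g in local_groups if local_groups[g] - after[g]}


if __name__ == "__main__":
    for name, inf in (("replacing", REPLACING_INF), ("additive", ADDITIVE_INF)):
        entries = parse_group_membership(inf)
        print(name, "removes:", removed_members(WORKSTATION, entries))
        print(name, "result:", apply_policy(WORKSTATION, entries))
```

Policy 1 is what Steve was avoiding: Bob's hand-granted membership of Administrators disappears on the next policy refresh. Policy 2 is the pattern Cary describes: the domain group (not the local group) is the restricted group, only its "Member of" list is filled in, and the local Power Users group keeps whatever was already in it. Running the parser against the exported GptTmpl.inf of a GPO before linking it, with a snapshot of a representative PC, shows which existing memberships a "Members" line would wipe.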


