Re: User Rights in Domain
From: Clayton (cbaker_at_teleflexareospace.com)
Date: 09/22/04
- Next message: Thiago Zanolo Mainente - Jornal Regional: "ISS isn`t installed"
- Previous message: Cary Shultz [A.D. MVP]: "Re: User Rights in Domain"
- In reply to: Cary Shultz [A.D. MVP]: "Re: User Rights in Domain"
- Next in thread: smooredhs: "Re: User Rights in Domain"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 22 Sep 2004 10:11:40 -0700
Yes, you are right, sorry... I am running Win2000 AD.

>-----Original Message-----
>Clayton,
>
>If your domain user account objects need to be members of the local Power Users to run the various CAD programs then it looks like you have a dilemma. I would guess that they would need to be members of that local Group. This, on the other hand, poses a problem for you in that you do not want your users to be able to install software! As a member of the local Power Users group they are able to install a lot of software.
>
>One thing that you might want to explore is sysmon and regmon from http://www.sysinternals.com. These two small applications will monitor where failures are taking place ( specific directories or registry entries ) so that you can give the user the required permissions for that one folder or registry entry. I do not know how involved that would be for you. It is usually a trial and error thing so you might need a bit of time to tweak it so that it is just right. And you will want to document this completely! There is nothing more painful than reinventing the wheel again and again and again!
>
>As to making it impossible ( or, at least, more difficult ) you might want to look at Software Restriction Policy. This will allow you, the Sys Admin, to deny a whole bunch of executables ( but they can be renamed by the users! ).
>
>Here are some links:
>
>http://support.microsoft.com/?id=324036
>http://support.microsoft.com/?id=310791
>
>http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/SRP_create_policy.asp
>
>http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html
>
>Please note that these articles focus on WIN2003 and WIN XP Pro. You have not specified what NOS you are using. I have been operating under the impression that it was WIN2000 on the Server side and WIN2000/WIN XP Pro on the Client side. I should have asked earlier..
>
>Also know that you can use NTFS permissions to help abate this problem. Lock down the C: and C:\Program Files so that 'Domain Users' simply have read access. Please note that there would not be any share permissions needed ( well, for starters, you are not sharing those folders and, secondly, share permissions do not play any factor when accessing the shared resource locally ).
>
>HTH,
>
>Cary
>
>
>"Clayton" <cbaker@teleflexaerospace.com> wrote in message
>news:3cd801c4a0b8$e37c0940$a501280a@phx.gbl...
>> Ok
>> Let me clarify...
>> Due to Sarbanes Oxley, I have been tasked to remove any current Domain Admin from that group, however the 2 people in concern need to be able to continue doing their jobs as they are with Domain Admins rights due to a project they are currently working on.
>> The 2 of them are going to need to be able to install programs on local PC's within the domain without much in the lines of obstruction...
>> I would never want everyone to have the ability to install programs in this domain....only the 2. ( I want to comment on this later as well)
>> Now then, in most situations you have to be a Local Admin or, as mentioned, a Power User to do these tasks on the Domain PC's.
>> I will research the option that Cary has produced as well as the software smooredhs has mentioned.
>> Now then, as mentioned above in reference to the fear of all users installing programs...I have in the past posted this as a concern...meaning I wanted to find a way to keep Domain Users from installing any program on their local PC's. Currently I have found users that can do so?...so I ask..what can I do (in group policy) to prevent this?
>> Now then, knowing this, also know that due to some CAD programs in our Domain, the local users of this program MUST be Power Users to run it. I have contacted these vendors and have had no luck in finding a way around it, so in saying that again, how can I prevent all users from installing any program they can find from the internet or otherwise? I did come across a GP that keeps them from downloading but in the same breath we have contracts with companies that require us to go to their web sites and download PDF's and such, which in that case keeps them from doing their jobs.
>> I have several OU's that for the most part I can segregate and apply GP's separately but in most cases people, even though in different OU's, do the same type jobs and access the same web sites for downloads....errr!
>> Does this help?
>> Thanks a Bunch
>>
>> >-----Original Message-----
>> >Okay,
>> >
>> >However, there was a patch to the 'normal' processing of the Restricted Groups GPO. You would have to call MS-PSS and make sure that you get both the WIN2000 and WINXP versions. Simply install this patch to each system and then make use of Restricted Groups and whatever is already there stays! You simply add the security group that you designate to the local group of your focus. Too bad that you spent money on an application that might not have been necessary. Does it do anything else that justifies the cost ( oops, there I go again assuming that you paid for this software; there is such a thing as freeware and shareware! ).
>> >
>> >Here is the link to the update that modifies the behavior of the Restricted Groups:
>> >
>> >http://support.microsoft.com/?id=810076
>> >
>> >HTH,
>> >
>> >Cary
>> >
>> >"smooredhs" <smooredhs@newsgroup.nospam> wrote in message
>> >news:%23NDFMmBoEHA.3900@TK2MSFTNGP10.phx.gbl...
>> >> We use a product called User Manager Pro to push out mass changes like this to PC's and servers. I've had to avoid the Restricted Groups GPO only because I understand that it overlays completely whatever is in the PC's local administrator group. Some staff have been given administrator rights over their PC's, so this would just wipe that out. I hope in the future there is a way to apply this in only an additive way.
>> >>
>> >> Steve
>> >>
>> >> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
>> >> news:ezdAIABoEHA.3712@TK2MSFTNGP15.phx.gbl...
>> >> > Clayton,
>> >> >
>> >> > I think that what he was suggesting was that you use the Restricted Groups GPO so that you do not have to go to each and every computer! What you can do is to make the Domain Users group - via this GPO - a member of the local Power Users group ( by default, the Domain Users group is a member of the local Users group on each system ) on each WIN2000 and/or WINXP Pro system. All you would need to do is to follow the following MSKB Article:
>> >> >
>> >> > http://support.microsoft.com/?id=320065
>> >> >
>> >> > All you would do is use the Power Users local group instead of the Administrators local group. This will allow some software to be installed ( as well as print drivers ). However, it is probably not going to solve all of the issues.
>> >> >
>> >> > I am not sure that I understand what you mean by "a standard Domain User install rights within the domain". I take it that you want regular user account objects to be able to log on to any workstation ( and -NOT- any Servers ) and install software. You might want to rethink this if I am reading you correctly. This will allow the users to install a lot of garbage software on their systems ( like Hotbar and Gator and Weatherbug, etc. ) that will cause a lot of problems.
>> >> >
>> >> > But, hey, you are the boss in your environment. I just want you to have as many facts as possible. Most experienced Sys Admins do not allow this in their environment. Too many variables that will result in you spending a lot of time doing Help Desk tasks.
>> >> >
>> >> > HTH,
>> >> >
>> >> > Cary
>> >> >
>> >> > "Clayton" <cbaker@teleflexaerospace.com> wrote in message
>> >> > news:010201c4a003$b81e5c40$a401280a@phx.gbl...
>> >> > > Well, if you read the below it states that I do not want to have to go to all PC's in order to allow local access, and Power Users are local to PC's ...not Domains...
>> >> > >
>> >> > > >-----Original Message-----
>> >> > > >I thought you could put them within the Power Users group of each PC to do this.
>> >> > > >
>> >> > > >"Clayton" <cbaker@teleflexaerospace.com> wrote in message
>> >> > > >news:49c801c49ff1$7c062a10$a401280a@phx.gbl...
>> >> > > >> Hello,
>> >> > > >> I am trying to find/figure out a way to allow a standard Domain User install rights within the Domain. This user can not be a Domain Admin, or belong to the Administrators Group in the Domain, but needs to be able to install programs to PC's within the Domain without being a Local Admin to every PC in my Domain.
>> >> > > >> Please take a stab at this...due to Sarbanes Oxley compliance within our Organization we have to eliminate all people that have Administrative rights within the Domain that are accounts that are not needed as such.
>> >> > > >
>> >> > > >.
>> >> > > >
>> >> >
>> >>
>> >
>> >.
>> >
>
>.
>
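A defender's check that follows from the two controls Cary recommends in the thread (keep an eye on who is in the local Administrators / Power Users groups, and make sure 'Domain Users' only has read access under C:\Program Files). This is an added example, not code from anyone in the thread; it assumes PowerShell 2.0 or later on the auditing host, rights to read the target's local groups and ACLs, and the WinNT ADSI provider (which also works against clients too old for the Get-LocalGroupMember cmdlet). The script name and the list of "broad" principals are the example's own choices.

```powershell
# Audit-LocalInstallRights.ps1 (hypothetical name): report who sits in a PC's local
# Administrators / Power Users groups and which "ordinary user" principals hold write rights on Program Files.
param(
    [string]$Computer     = $env:COMPUTERNAME,
    [string]$ProgramFiles = 'C:\Program Files'    # use \\PC\c$\Program Files for a remote PC
)
# Principals that mean "everyone" here: BUILTIN\Users, Domain Users, Authenticated
# Users, Everyone, INTERACTIVE, with or without a domain/machine prefix.
$broadPrincipals = '^(.+\\)?(Domain Users|Users|Authenticated Users|Everyone|INTERACTIVE)$'
# FileSystemRights names that let a principal add or change files.
$writeRights = 'Write|Modify|FullControl|CreateFiles|CreateDirectories|AppendData'

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$GroupName)
    # The WinNT:// ADSI provider enumerates local groups on any NT-family host,
    # including ones too old for the Get-LocalGroupMember cmdlet.
    try {
        $group = [ADSI]"WinNT://$Computer/$GroupName,group"
        @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
        }
    } catch {
        Write-Warning "Could not read '$GroupName' on ${Computer}: $_"
    }
}

function Get-BroadWriteAces {
    param([string]$Path)
    # Allow ACEs on the folder that give a broad principal some write right.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broadPrincipals -and
        $_.FileSystemRights.ToString() -match $writeRights
    }
}

Write-Host "== Local privileged group membership on $Computer"
foreach ($g in 'Administrators', 'Power Users') {
    $members = @(Get-LocalGroupMembers -Computer $Computer -GroupName $g)
    Write-Host ("  {0}: {1}" -f $g, $(if ($members.Count) { $members -join ', ' } else { '(none)' }))
}

Write-Host "== Allow ACEs giving broad principals write access on $ProgramFiles"
$aces = @(Get-BroadWriteAces -Path $ProgramFiles)
if ($aces.Count -eq 0) {
    Write-Host "  none: ordinary users are read-only here, as Cary recommends"
} else {
    $aces | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
}
```

Run it once per workstation (or loop over a list of computer names) to see which machines still let 'Domain Users' write into Program Files or have extra accounts in Power Users; the ACL check only looks at the top-level folder, so subfolders with their own ACLs need a separate pass.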