Re: restrict power user

From: Ryan Hanisco (rhanisco_at_flagshipis.com)
Date: 12/22/04


Date: Wed, 22 Dec 2004 17:53:50 -0600

Ok... reading that further answers the question... you can't:

      [Power Users can]

      . Create local users and groups.

      . Modify users and groups that they have created.

      . Create and delete non-admin file shares.

      . Create, manage, delete and share local printers.

All other additional rights, such as Change System Time, or Stop and Start
non-autostarted services, can be reconfigured for the Power User by
modifying the appropriate user rights or configuring the appropriate ACL.

Since there is no way to disable the built-in permissions allotted to Power
Users, administrators who need to support non-certified legacy applications
must loosen up the permissions allotted to members of the Users group to the
point where their installed base of applications can be successfully run.
The Windows 2000 operating system includes a security template for precisely
this purpose. The template is named compatws.inf and can be found in the
%windir%\security\templates directory. The template can be applied to a
system using the Security Configuration Toolset. For example, the
secedit.exe command line component of the Toolset can apply the template as
follows:

-- 
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
"Ryan Hanisco" <rhanisco@flagshipis.com> wrote in message
news:ueZLbAI6EHA.2876@TK2MSFTNGP12.phx.gbl...
> Arc,
>
> I was looking through the KB articles trying to come up with an answer -- I
> was first thinking this could be done with one of the Local Security Policy
> settings but I am not finding it.   I did find a good article on exactly
> what a Power User has rights to
>
> (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx#ECAA)
>
> but nothing that specifically addresses your problem.  Sorry.  Anyone else?
>
> -- 
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "Arc J. Thames" <revarcjt@hotmail.com> wrote in message
> news:O0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
> > Does anyone know what group policy setting or a registry change that I could
> > make to prevent a power user from creating user accounts?
> >
> > Arc J. Thames
> > MCSE/MCSA 2k/2k3 MCT
> >
> >
>
>

