Re: Protecting the 'All Users' Start Menu
- From: "Cary Shultz" <cwshultz@xxxxxxxx>
- Date: Sat, 15 Oct 2005 06:24:09 -0400
Yeah, that is very true. If userA has already logged on then he/she
already has a profile on that machine ( created from the default user,
usually ) and my suggestion will not do you much good! But, that is why I
stated that it might not help. It is really good if you use it right from
the start, though!
I would focus on the permissions thing. Well, the true 'problem' is why the
domain user account objects are members of the local Power Users group. As
I am sure that you know, the Domain Users is, by default, a member of the
local Users group on each PC. And, by default, each user account object
that is created is a member of the Domain Users group. However, that is
usually not sufficient ( before any jumps down my throat for this....have
patience, I will explain what I mean ). The Power Users group does afford
more 'access'. Some applications require access to parts of the registry or
directory structure that the Users group doe not afford ( but the Power
Users does ). And there are a lot of older applications that often require
that the user be a member of the local Administrators group. So, possibly
this plays a role in that? If that is the case then what I might consider
is looking at regmon and filemon from Sysinternals (
http://www.sysinternals.com ) and use both of them to determine what access
is need to what key ( or folder ) and go from there! So, if the software
installation 'problem' is the reason why then maybe you have something here!
Another thing does jump to mind in reference to the Power Users group: you
typically have to be a member of this local group to add printers. Could
that be the reason? a part of the reason?
--
Cary W. Shultz
Roanoke, VA 24012
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
"?????????" <me@home> wrote in message
news:O8ydnbjrjpV7nNPenZ2dnUVZ8qSdnZ2d@xxxxxxxxxxxx
> Cary Shultz wrote:
>> This might not help....but this is what I normally do.
>>
>> I like to create the 'stuff' that I want to be available to everyone in
>> the default users profile. This way, if someone deletes something it
>> does not affect everyone else. However, this is simply part of your
>> situation and does not really answer the question. The permissions would
>> be where I would start. Also, as aptly stated, if your domain user
>> account objects are member of the local Administrators group on the
>> computers then there is really nothing that you can do.....other than
>> threaten them with bodily harm....and if you do not want to do that I can
>> be your muscle! ;-)
>>
>> Think about the default user thing.....it might be of interest. But the
>> permissions thing is the true answer.
>>
>
> The only problem with the Deafult User thing at this point is that most
> people who log onto the machines have already done so and we don't want to
> delete profiles on a few thousand boxes. I'm not sure why our users are
> Power Users but will get the answer to that today.
>
> thanks for the reply
.
- References:
- Protecting the 'All Users' Start Menu
- From: อะไรก็ตาม
- Re: Protecting the 'All Users' Start Menu
- From: Randy Reimers
- Re: Protecting the 'All Users' Start Menu
- From: Cary Shultz
- Re: Protecting the 'All Users' Start Menu
- From: อะไรก็ตาม
- Protecting the 'All Users' Start Menu
- Prev by Date: Re: Question for Ace - Why to not Multi-home a DC
- Next by Date: Re: GPO HELP NEEDED
- Previous by thread: Re: Protecting the 'All Users' Start Menu
- Next by thread: Setting up the root domain
- Index(es):
Relevant Pages
|
