Re: Windows 2000 User Settings

Bill wrote:

What is the privilege/policy/permission/whatever that grants someone the ability to
install programs?

As far as I know in Windows 2000 there is no guaranteed way to prevent users from installing programs. You can set Group Policy restrictions on the Windows Installer Service:
(Computer Configuration\Administrative Templates\Windows Components\Windows Installer)

The default security permissions for Administrators/Power Users/Users are defined through a combination of NTFS Permissions as well as predefined security templates and the secedit.sdb file. To access and analyze these items run mmc in the Start Menu> Run Dialogue Box. Click on the Console Menu (at the very top) and select Add/Remove Snap-in... Click on the "Add..." button and select the desired Snap-in. You'll want the Group Policy Snap-in. The Security Configuration and Analysis Snap-in can also be useful to identify policies in place on the computer.

What, exactly, does "act as part of the operating system" mean?

It means exactly what it says, the user will not be restricted by security permissions and will be allowed to interact directly with the Windows Executive files, it's almost the same as the System Account. Granting this permission can be extremely dangerous as it can potentially allow rogue processes and malware to bypass all security settings and gain direct access to the Windows kernel and be seen a trusted component of the operating system.

John


.