Re: Windows Server 2003 Auto connect printers;

That explains it. Users who are Administrators are able to see
all printers. "Normal" Users should not be a member of
administrators. This is very bad for security and stability of
the TS. Administrators can do all sorts of bad things to the
TS (intentionally & not), regardless of any group policies or
other measures you take to restrict them.

In order to fix things you need to remove authenticated users
from the Administrators group. Then you are left to get your
software applications functioning properly with limited
permissions.

You do this by granting only those permissions that are
absolutely necessary for each application to run. For example,
an application typically needs read access to its program
directory and registry keys at a minimum. Some applications
may need to read/write to their program directory as well as
subkeys of their main registry key. Other applications may
need you to use per-user class hives, etc.

Logon to the server as an administrator and run filemon and
regmon from www.sysinternals.com. Then logon as a limited
user and run the problem app to see what areas of the file
system or registry it is being denied access to.

Some applications can be a pain to get working properly
with limited permissions, but almost all will work. Others it
is a combination of permissions and setting the application's
data/save locations to different than default.

If you have a specific app that you can't figure out, post
here and someone will help you.

Thanks.

-TP

paul wrote:
> The Domain Users group is a member of the build in Users, that's it.
> Yes the TS is a member server, Authenticated Users is added to the
> local Admin group to give users local admin rights. We did this to
> solve some software issues. Would this be related to our printer
> issue and how? Where could I check again where we set the Permission
> Compatibility to?? Thanks for helping out, greatly appreciated.
>
> Paul
>


.

Relevant Pages

  • Re: Windows Server 2003 Auto connect printers;
    ... Users who are Administrators are able to see ... > software applications functioning properly with limited ... > You do this by granting only those permissions that are ... > directory and registry keys at a minimum. ...
    (microsoft.public.win2000.termserv.apps)
  • RE: Permissions
    ... administrative permissions in each domain (Domainb.local ... Create a local group on the member server in the ... >Symptom 1 often occurs when the domain administrators ...
    (microsoft.public.win2000.security)
  • Re: OU Administrator setup/Admin Shares
    ... In my testing I also discovered the test user account that is a member of the ... restricted users group does not have the permissions to access the network ... this group name should be - administrators) and key in the group ...
    (microsoft.public.windows.server.active_directory)
  • Re: Administrator, Administrators & Domain Admins
    ... or are part of the domain admins ... administrator -> user account member of administrators, ... domain admins -> global group member of adminstrators group for DCs ... It is better to delegate permissions to custom made ...
    (microsoft.public.win2000.active_directory)
  • Re: OU Administrator setup/Admin Shares
    ... In my testing I also discovered the test user account that is a member of the ... restricted users group does not have the permissions to access the network ... Create the gpo in the ou where the Computers reside, ... this group name should be - administrators) and key in the group ...
    (microsoft.public.windows.server.active_directory)