Re: Windows Server 2003 Auto connect printers;

Thanks so much TP for your help. I'll try this as soon as I can when no users
are on the TS. I'll let you know.
Thanks

Paul


"TP" wrote:

> That explains it. Users who are Administrators are able to see
> all printers. "Normal" Users should not be a member of
> administrators. This is very bad for security and stability of
> the TS. Administrators can do all sorts of bad things to the
> TS (intentionally & not), regardless of any group policies or
> other measures you take to restrict them.
>
> In order to fix things you need to remove authenticated users
> from the Administrators group. Then you are left to get your
> software applications functioning properly with limited
> permissions.
>
> You do this by granting only those permissions that are
> absolutely necessary for each application to run. For example,
> an application typically needs read access to its program
> directory and registry keys at a minimum. Some applications
> may need to read/write to their program directory as well as
> subkeys of their main registry key. Other applications may
> need you to use per-user class hives, etc.
>
> Logon to the server as an administrator and run filemon and
> regmon from www.sysinternals.com. Then logon as a limited
> user and run the problem app to see what areas of the file
> system or registry it is being denied access to.
>
> Some applications can be a pain to get working properly
> with limited permissions, but almost all will work. Others it
> is a combination of permissions and setting the application's
> data/save locations to different than default.
>
> If you have a specific app that you can't figure out, post
> here and someone will help you.
>
> Thanks.
>
> -TP
>
> paul wrote:
> > The Domain Users group is a member of the build in Users, that's it.
> > Yes the TS is a member server, Authenticated Users is added to the
> > local Admin group to give users local admin rights. We did this to
> > solve some software issues. Would this be related to our printer
> > issue and how? Where could I check again where we set the Permission
> > Compatibility to?? Thanks for helping out, greatly appreciated.
> >
> > Paul
> >
>
>
>
.

Relevant Pages

  • Re: Windows Server 2003 Auto connect printers;
    ... Users who are Administrators are able to see ... software applications functioning properly with limited ... You do this by granting only those permissions that are ... > The Domain Users group is a member of the build in Users, ...
    (microsoft.public.win2000.termserv.apps)
  • Re: Bulk edit of registry key permissions
    ... I have a bunch of registry keys that have absolutely no permissions on ... This is causing errors when installing / uninstalling ... applications such as QuickTime, iTunes, etc. ...
    (microsoft.public.windowsxp.general)
  • XP Admininstor Permissions...
    ... Somehow I've lost access to my Administrators ... permissions, which is where I've always accessed my ... applications, my documents, etc. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Shared permissions vs. security
    ... Did you have to make the users power users or administrators only after you ... write/modify permissions to a folder if that is what they need to do their ... -- Verify that membership in the administrators group on all computers is ... updates at Windows Updates. ...
    (microsoft.public.win2000.security)
  • RE: Access Denied when running RSoP
    ... The launch and activation security descriptor for the COM Server application ... It contains Access Control Entries with permissions that are ... which is a part of the McAfee Common ... > Administrators - Full Control - This namespace and subnamespaces ...
    (microsoft.public.windows.server.sbs)