Re: Question on software install and event log security



When you add a user to the local administrators group then yes, they are
all-powerful on the computer. You might be able to avoid such by publishing or
assigning .msi software packages to the users or computers, which will allow
those packages to be installed without the user being a local administrator.
If that is not an option for some reason, one thing I think you could try is
to modify the user right for "manage auditing and security log" by removing
the administrators group and possibly adding a specific domain global group or
domain admins. You would want to do such at the domain/OU level so that the
local administrator could not change that user right via Local Security
Policy. Note that local administrators can unjoin a computer from the
domain and possibly rejoin it up to ten times.

--- Steve



"Tommy Nguyen" <tommyboy_nguyen@xxxxxxxxxxx> wrote in message
news:%23qCkclFaFHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
> Hello all,
>
> I must meet two requirements:
>
> 1. Files and folders are audited so therefore the audit trails (event
> logs) must be available to administrators only.
> 2. All users must be able to install software on all computers,
> including servers.
>
> Goal #2 can be easily implemented by adding the Domain User group to the
> local administrator group, therefore allowing all users to install
> software.
> However, by adding them to the local administrator group they are allowed
> to view the security event log.
>
> I have looked into group policy but have not found the appropriate
> policies that will allow me to meet these requirements.
>
> I am at a road block as to how to implement both of these requirements. I
> have searched and have not found the answer. Can someone please point me
> in the right direction? Thanks.
>
> Tommy
>
>
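
One way to verify the user-right change discussed in this thread after the domain/OU policy has applied. This is an added example, not part of the original posts. It assumes an elevated PowerShell prompt on the target computer and uses secedit.exe to read the "Manage auditing and security log" right (SeSecurityPrivilege); the function name is hypothetical.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Lists the principals holding "Manage auditing and security log"
# (SeSecurityPrivilege) in the effective local security policy.
function Get-SecurityLogRightHolders {
    $cfg = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is assigned to no one

        # Value is a comma-separated list; SIDs are prefixed with '*'.
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $null
            $name = $entry
            if ($entry.StartsWith('*')) {
                $sid = $entry.Substring(1)
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $name = '<unresolved>' }
            } else {
                try {
                    $sid = ([System.Security.Principal.NTAccount]$entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { }
            }
            [pscustomobject]@{ Sid = $sid; Name = $name }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$holders = @(Get-SecurityLogRightHolders)
$holders | Format-Table -AutoSize

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
if ($holders.Sid -contains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators still holds SeSecurityPrivilege on this computer.'
}
```

Running it again after a `gpupdate /force` shows whether the domain-level setting has replaced the local assignment.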

