Re: Question on software install and event log security

There is no deny user right for manage auditing and security log but if the
user does not have the user right it is an implicit deny. Try removing
administrators and adding domain admins or such for example to see if that
helps. Always install with elevated privileges means that the user can
install all .msi packages even if the user is not a local administrator. It
does not apply to applications that use normal setup.exe for installation or
such however. --- Steve

"Tommy Nguyen" <tommyboy_nguyen@xxxxxxxxxxx> wrote in message
news:OwRKksHaFHA.3536@xxxxxxxxxxxxxxxxxxxxxxx
> Steve,
>
> Thanks for the quick response. I don't thing that publishing or
> asssigning
> the software is a ggod solution due to the fact that all users must be
> able
> to install software continuously throughout the day. Your suggestion on
> modifying the user right for "manage auditing and security log" sounded
> like
> a good idea untill I noticed that the policy does not have the option to
> deny a group. The policy only allows. (Hope that made sense).
>
> Does anyone know what the policy on Windows Installer where it states
> "always install with elevated privileges" mean?
>
> Tommy
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
> news:eXW1OTGaFHA.2900@xxxxxxxxxxxxxxxxxxxxxxx
>> When you add a user to the local administrators group then yes they are
> all
>> powerful on the computer. You might be able to avoid such by publishing
>> or
>> assigning .msi software packages to the users or computers which will
> allow
>> those packages to be installed without the user being local
>> administrator.
>> If that is not an option for some reason one thing I think you could try
> is
>> to modify the user right for "manage auditing and security log" by
> removing
>> administrators group and possibly adding specific domain global group or
>> domain admins. You would want to do such at the domain/OU level so that
> the
>> local administrator could not change that user right via Local Security
>> Policy. Note that local administrators can unjoin a computer from the
>> domain and possibly rejoin it up to ten times. --- Steve
>>
>>
>>
>> "Tommy Nguyen" <tommyboy_nguyen@xxxxxxxxxxx> wrote in message
>> news:%23qCkclFaFHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
>> > Hello all,
>> >
>> > I must meet two requirements:
>> >
>> > 1. Files and folders are audited so therefore the audit trails
> (event
>> > logs) must be available to administrators only.
>> > 2. All users must be able to install software on all computers,
>> > including servers.
>> >
>> > Goal #2, can be easily implemented by adding the Domain User group to
> the
>> > local administrator group, therefore allowing all users to install
>> > software.
>> > However by adding them to the local administrator group they are
>> > allowed
>> > to
>> > view the security event log.
>> >
>> > I have looked into group policy but have not found the appropriate
>> > policies
>> > that will allow me to meet these requirements.
>> >
>> > I am at a road block as to how to implement both of these requirements.
> I
>> > have searched and have not found the answer. Can someone please point
> me
>> > in
>> > the right direction. Thanks.
>> >
>> > Tommy
>> >
>> >
>>
>>
>
>


.

Relevant Pages

  • Re: Question on software install and event log security
    ... to install software continuously throughout the day. ... The policy only allows. ... > those packages to be installed without the user being local administrator. ... >> However by adding them to the local administrator group they are allowed ...
    (microsoft.public.windows.group_policy)
  • Re: Question on software install and event log security
    ... those packages to be installed without the user being local administrator. ... local administrator could not change that user right via Local Security ... All users must be able to install software on all computers, ... > However by adding them to the local administrator group they are allowed ...
    (microsoft.public.windows.group_policy)
  • RE: Users and Groups
    ... Template of the Users and Computers Wizard. ... even Server assigned Apps applied via Users and Computers on SBS. ... but usually associated with inability to install ... Local Administrator. ...
    (microsoft.public.windows.server.sbs)
  • Re: Power User Account corrupted?
    ... Are you sure these programs do not need you to be a local administrator? ... If other power users that are not also local administrators can install them ... to folders as powers users on the computers where it works. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Migrating sbs 2003 to sbs 2008
    ... solved some install issues...nothing difficult ... assigned new local user to local Administrator group ... When all 5 workstations were done, I disconnected my existing server ... Launch Outlook and import your PST file. ...
    (microsoft.public.windows.server.sbs)