Re: Question on software install and event log security



Steven,

That did the trick! Thanks!
The solution was to add the Domain Users group to the local administrators
group and enable the "Manage auditing and security log" attribute in Group
Policy to only apply to Domain admins.

Tommy

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
news:OLsNKUIaFHA.3840@xxxxxxxxxxxxxxxxxxxxxxx
> There is no deny user right for manage auditing and security log but if the
> user does not have the user right it is an implicit deny. Try removing
> administrators and adding domain admins or such for example to see if that
> helps. Always install with elevated privileges means that the user can
> install all .msi packages even if the user is not a local administrator. It
> does not apply to applications that use normal setup.exe for installation or
> such however. --- Steve
>
> "Tommy Nguyen" <tommyboy_nguyen@xxxxxxxxxxx> wrote in message
> news:OwRKksHaFHA.3536@xxxxxxxxxxxxxxxxxxxxxxx
> > Steve,
> >
> > Thanks for the quick response. I don't think that publishing or assigning
> > the software is a good solution due to the fact that all users must be able
> > to install software continuously throughout the day. Your suggestion on
> > modifying the user right for "manage auditing and security log" sounded like
> > a good idea until I noticed that the policy does not have the option to
> > deny a group. The policy only allows. (Hope that made sense).
> >
> > Does anyone know what the policy on Windows Installer where it states
> > "always install with elevated privileges" means?
> >
> > Tommy
> >
> > "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
> > news:eXW1OTGaFHA.2900@xxxxxxxxxxxxxxxxxxxxxxx
> >> When you add a user to the local administrators group then yes they are all
> >> powerful on the computer. You might be able to avoid such by publishing or
> >> assigning .msi software packages to the users or computers which will allow
> >> those packages to be installed without the user being local administrator.
> >> If that is not an option for some reason one thing I think you could try is
> >> to modify the user right for "manage auditing and security log" by removing
> >> administrators group and possibly adding specific domain global group or
> >> domain admins. You would want to do such at the domain/OU level so that the
> >> local administrator could not change that user right via Local Security
> >> Policy. Note that local administrators can unjoin a computer from the
> >> domain and possibly rejoin it up to ten times. --- Steve
> >>
> >>
> >>
> >> "Tommy Nguyen" <tommyboy_nguyen@xxxxxxxxxxx> wrote in message
> >> news:%23qCkclFaFHA.2520@xxxxxxxxxxxxxxxxxxxxxxx
> >> > Hello all,
> >> >
> >> > I must meet two requirements:
> >> >
> >> > 1. Files and folders are audited so therefore the audit trails (event
> >> > logs) must be available to administrators only.
> >> > 2. All users must be able to install software on all computers,
> >> > including servers.
> >> >
> >> > Goal #2, can be easily implemented by adding the Domain User group to the
> >> > local administrator group, therefore allowing all users to install
> >> > software.
> >> > However by adding them to the local administrator group they are allowed
> >> > to view the security event log.
> >> >
> >> > I have looked into group policy but have not found the appropriate
> >> > policies that will allow me to meet these requirements.
> >> >
> >> > I am at a road block as to how to implement both of these requirements. I
> >> > have searched and have not found the answer. Can someone please point me
> >> > in the right direction. Thanks.
> >> >
> >> > Tommy
> >> >
> >> >
> >>
> >>
> >
> >
>
>
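
A way to verify the configuration this thread arrives at, added here as an example and not posted by either participant: it parses a `secedit` user-rights export to list who holds SeSecurityPrivilege (the "Manage auditing and security log" right) and reads the "Always install with elevated privileges" policy values. The function names and the sample export are constructed for illustration.

```powershell
# Return the SIDs/names that hold a user right in a secedit INF export.
# Get-UserRightHolder is a hypothetical helper name, not a built-in cmdlet.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [string]$Right = 'SeSecurityPrivilege'   # "Manage auditing and security log"
    )
    $pattern = '^\s*{0}\s*=\s*(.*)$' -f [regex]::Escape($Right)
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            # secedit prefixes SIDs with '*'; entries are comma separated
            return $Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }
    }
    return @()   # right not listed in the export: no principal holds it
}

# Report whether BUILTIN\Administrators (S-1-5-32-544) still holds the right.
function Test-AuditLogRight {
    param([Parameter(Mandatory)][string[]]$InfLines)
    $holders = Get-UserRightHolder -InfLines $InfLines
    [pscustomobject]@{
        Holders              = $holders
        LocalAdminsHoldRight = ($holders -contains 'S-1-5-32-544')
    }
}

# Read the Windows Installer "Always install with elevated privileges" policy
# from the machine and user policy keys.
function Get-AlwaysInstallElevated {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $val = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Hive = $hive; Enabled = ($val -eq 1) }
    }
}

# Constructed sample export: the right is granted only to Domain Admins
# (RID 512) of a placeholder domain SID.
$sample = @(
    '[Privilege Rights]',
    'SeSecurityPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-512',
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
)
Test-AuditLogRight -InfLines $sample   # LocalAdminsHoldRight is False here
```

On a live machine, produce the input from an elevated prompt with `secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS` and pass `(Get-Content "$env:TEMP\rights.inf")` to `Test-AuditLogRight`.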

