Re: Restricted Policy [WILDPACKET]

Print operators only exists on servers and for the domain. The print
operators in ADUC will only apply to printer installs on domain controllers.
Power users can install some programs that write to the system folder which
is why they have modify permissions to it though many critical system files
have explicit [instead of inherited] permissions that do not allow power
users to delete or modify them. What you might try is to modify the registry
permission as shown in the link below but instead of print operators add the
user/group that you want to add the printer port. Registry permissions can
be applied via Group Policy if changes need to be implemented on more than a
few computers. Keep in mind that power users can create local computer
accounts which they could logon to avoid domain Group Policy user
configuration and logon scripts. Power users can also create shared folders.

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Print/AllowPrintOperatorstoaddaprinter.html

For Windows XP Pro computers you can also use Software Restriction Policies
via user or computer configuration to restrict what domain users can run and
install on their computers and that can be implemented in a Windows 2000
domain. SRP computer configuration would apply to a power user that logs on
with a domain or local user account. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
--- XP Pro SRP.

"WILDPACKET" <WILDPACKET@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9D71E69F-6DD7-489F-8797-E9477D1BD9BD@xxxxxxxxxxxxxxxx
>I configured users to install/remove device drivers, and made them a Power
> users to install printers locally using a Restricted Group Policy. Also
> made
> that group member of printer operaters.
>
> I noticed they cannot install some programes and can install some
> programs.
> I do not want them to install any program, period.
>
> I know with Power Users they can install some programs which do not damage
> the OS files, right? I want to make sure they cannot install any program
> other than printer drivers.
>
> Is there a way I can make this happen with them being a Power User group
> member?
>
> Please advise.


.

Relevant Pages

  • Re: security
    ... Users must be at least power users on their computers to create shares which of ... course will allow them to install much more software, ... will not give the user the ability to create shares as some believe. ...
    (microsoft.public.win2000.security)
  • Re: Power User Account corrupted?
    ... Are you sure these programs do not need you to be a local administrator? ... If other power users that are not also local administrators can install them ... to folders as powers users on the computers where it works. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Users vs. Power Users
    ... in article 05cb01c2d921$04be8c60$3301280a@phx.gbl, James Raaymakers MCSE at ... > Power Users can install software as long as the software ... > install software like this. ... > Power Users Group. ...
    (microsoft.public.win2000.security)
  • Re: What right allows full access?
    ... ACL to replace any anywhere in the substructure. ... the install drive has many places ... > I would not grant Full access to Power Users group if I could make a copy ... > and checked 'Replace permission entries on all child objects with entries ...
    (microsoft.public.windowsxp.security_admin)
  • Re: What right allows full access?
    ... did when you granted Full to Power Users. ... loaded during install. ... >>> I don't want to run Windows XP as an Administrator because of Viruses ... Log off from the admin account until ...
    (microsoft.public.windowsxp.security_admin)