Re: Local Groups vs. AD Groups




kemics wrote:
I don't know what this red pill, blue pill crap is but here is your problem:

If you installed the software to the computer with a "Local Admin" account, it will only be available to persons who have the same security level as this local admin account.

My suggestion is to add the AD Users group to the Local Admin group on the boxes which this software is installed on. This way they will be able to use it.

If you don't want to grant them this much control, try adding them to a super users group on the box or something so they can install the software...

In order to use software you have to be the same user security level as the person that installed it.

In most cases this is because the software requires some registry entry or file to which it doesn't have permission under an ordinary user account. This is not a reason to give the users administrative rights. If you do so, you will probably run into problems with users who install software without your permission and work under an administrative account, which is the best way to get your network infected by some nasty worm.


Instead of giving users administrative control over their machines, I proposed a least-privilege configuration. You can use software like netmon and regmon to track the resources to which this software requires access, then configure appropriate permissions, and if you need to, you can distribute these permissions to other machines using GPO (and security templates). For me this is the way to go - not putting users into the local admin group.



--
Tomasz Onyszko
http://www.w2k.pl
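
The "configure appropriate permissions" step from the reply above, sketched in PowerShell as an added example that is not part of the original post. The application directory and registry key are hypothetical placeholders for whatever locations the tracing showed as denied.

```powershell
# Added example: grant BUILTIN\Users only the access a legacy application needs.
# Both paths are hypothetical; replace them with the locations your own tracing
# showed as denied. Run from an elevated PowerShell 5+ session.
$dataDir = 'C:\Program Files\ExampleApp\Data'          # hypothetical
$regKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical

# Well-known SID of BUILTIN\Users; using the SID avoids localized group names.
$users = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# File system: Modify on the data directory only, never on the directory that
# holds the executables, or any user could replace a binary that others run.
$fsRights = [System.Security.AccessControl.FileSystemRights]::Modify
$acl  = Get-Acl -Path $dataDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $users, $fsRights, $inherit, $propagate, $allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $dataDir -AclObject $acl

# Registry: read plus value and subkey writes on the application's own key.
$regRights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
$acl  = Get-Acl -Path $regKey
$rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $users, $regRights, $inherit, $propagate, $allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $regKey -AclObject $acl

# Show the explicit (non-inherited) entries for Users so the result can be
# reviewed before the same ACLs are distributed to other machines.
foreach ($path in $dataDir, $regKey) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $users.Value } |
        Format-List
}
```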