Re: Restricted Group - [WILDPACKET]

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Moajnic" <jastoto@xxxxxxxxxxxxxxxx> wrote in message
news:9E96F229-B95A-464B-9621-52485F8C28D9@xxxxxxxxxxxxxxxx
> How would you go about and do this step you mention?
>
> "Todd J Heron" wrote:
>
> > Use the Restricted Group GPO to make them Power Users, which can install
> > printers but are not local admins. This is safer.
> >
> > --
> > Todd J Heron, MCSE
> > Windows Server 2003/2000/NT; CCA
>
> --------------------------------------------------------------------------
--
> > This posting is provided "as is" with no warranties and confers no
rights
> >
> > "WILDPACKET" <WILDPACKET@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:9D2A61D9-BDD1-46EC-98E1-ADD236875EEC@xxxxxxxxxxxxxxxx
> > These users take their notebooks home and then want to use their local
> > printers. They cannot use them because they cannot install without
Admin
> > rights. They do not have any kind of rights locally. They use cached
> > credentials to logon to the note books at home. In the office they can
only
> > install network printers without our intervention.
> >
> > Here are my settings which I have in my test envoirenment on AD 2003:
> >
> > - Created a Group and added Admin and one test user.
> > - Created an OU and linked a GPO to it.
> > - Moved the test PC in the OU.
> >
> > - Edit the GPO and under Restricted Group I added the group which has
Admin
> > and Test user in it.
> >
> > - Under user right assigments - I made this Group member of
> > the Load and Unload device drivers
> >
> > - Under Security Options I "DISABLED" , Prevent Users from installing
> > Printer.
> >
> > Still no go.
> >
> > Please advise.
> >
> > Thank you in advance.
> >
> >
> >
> >


.

Relevant Pages

  • Re: DC Admin question
    ... Not just from the obvious security issues of allowing someone to install a kernel level component but just from the fact that printers can be quite unstable resources, I would be very careful what printers get put on DCs, actually I would prefer no printers on DCs nor even queues, today's corporate printers don't need them, they can do most all of that internal. ... Sure there is for people, but likely the person you aren't giving the enhanced rights to is for some, likely good, reason. ... solutions to the unacceptible obvious one of giving admin. ...
    (microsoft.public.windows.server.security)
  • Re: Should I still buy SBS 2003 Premium w/ ISA in light of XP SP2s ICF2?
    ... Admin rights is a very simple story. ... relying upon the firewall to block accordingly the access to workstations, ... don't have the same level of packet-filtering in your favor that ISA ...
    (microsoft.public.windows.server.sbs)
  • RE: Impact of removing administrative rights in an enterprise running XP
    ... While it is true that you can push out patches and software via group ... reporting mechanisms for software/patch installations whatsoever. ... Quite often, the admin rights are ...
    (Focus-Microsoft)
  • Re: Impact of removing administrative rights in an enterprise running XP
    ... the network admin is "Admin" of the network... ... they should only have/need the appropriate rights for their role in the firm. ... reporting mechanisms for software/patch installations whatsoever. ...
    (Focus-Microsoft)
  • Re: Impact of removing administrative rights in an enterprise running XP
    ... You can easily install patches without admin rights... ... WSUS can push out patches and the workstations do not need admin rights. ... Yes, there are success stories, but it's totally dependent on a managed network. ...
    (Focus-Microsoft)