Re: Manage Workstation Rites

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance



In news:AD84C6FC-3BCF-4FC3-AB6C-493C02BB639F@xxxxxxxxxxxxx,
Atom Ant <AtomAnt@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I figured as much, Maybe Power User will be enough to satisfy my
needs and not leave my systems wide open, then lock up with group
policy.

Can power user work around Group Policy controls?

I guess it depends what you put in them. You might try posting in
microsoft.public.windows.group_policy - there's probably a way to let the
users do what you need them to do while being in the local users group only.

I want users to have ability to add/remove printers

Local printers? Are these laptops or something? If not, remember that
ordinary end users can install *network* printers by default.

but not software.
I also have a script currently that adds the user name to the computer
description at login, Power user should be enough rites for that
right?

I hope you mean rights, as otherwise I'm going to wonder whether you're
celebrating mass in your office!


"Lanwench [MVP - Exchange]" wrote:



In news:E6558136-B0B7-413E-BB1A-DDAEEA9EECC9@xxxxxxxxxxxxx,
Atom Ant <Atom Ant@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I have a 2003 AD with XP and 2000 workstations.
I would like suggestions on how to manage end user's rites to their
systems. Currently I have all domain users with local admin rites to
the workstations.

I would like to keep users with local admin rites but limit their
ability to install software modify settings etc. Some applications
just work better if the end user had admin rites.

Can anyone suggest a Group Policy scheme to accomplish my goals?

The first thing is, you need to re-consider leaving users in the
local admin group. What's the justification for this? Why do they
need it? If the users are only limited users, 90% of your problems
go away. If you have applications that fuss if the user doesn't have
admin rights, a) yell at the software developer and b) look into
where the app needs write access - you can use FileMon and RegMon at
www.sysinternals.com for help.

That said, you can lock down a lot of things with group policy - you
can even specify a list of applications they're allowed to run - but
this can get to be a huge PITA. And unless you take away the users'
admin rights, a lot of what you try to control centrally, won't be
of much use.


.

Relevant Pages

  • Re: Exempting a Computer from Application of Group Policy?!
    ... with local admin credentials creates a local admin account for themselves, ... they logon with that account they will not have user configuration applied to them. ... Computer configuration for Group Policy will apply regardless of if domain or local ...
    (microsoft.public.win2000.security)
  • Re: Manage Workstation Rites
    ... Atom Ant typed: ... I would like suggestions on how to manage end user's rites to their ... I would like to keep users with local admin rites but limit their ... Can anyone suggest a Group Policy scheme to accomplish my goals? ...
    (microsoft.public.windows.server.active_directory)
  • Wallpaper and desktop policy
    ... Do you currently have a group policy? ... User Config> Admin Templates> Desktop. ... As for the local admin, go to control panel and under ...
    (microsoft.public.win2000.group_policy)
  • Re: local computer admins
    ... The short answer is that you don't do this with group policy. ... You could use a startup script that is sensitive to which machine ... > administrators group on users pcs. ... The problem here is that everyone in that group gets local admin to ...
    (microsoft.public.win2000.active_directory)
  • Re: local computer admins
    ... The short answer is that you don't do this with group policy. ... You could use a startup script that is sensitive to which machine ... > administrators group on users pcs. ... The problem here is that everyone in that group gets local admin to ...
    (microsoft.public.windows.group_policy)