Re: Granting client local admin access via GPO to logged on user o
- From: ieden <ieden@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 Nov 2007 16:06:01 -0800
Of course if you have the time to test, Meinolf's answer would be best.
"Meinolf Weber" wrote:
Hello jmedd,
A remark to the reason, we use around 150 different applications (commercial
and not commercial) on Windows 2000 and no user needs administrator rights
to run them. With filemon and regmon you can find the files and registry
keys where they need more rights. Better change them via GPO or with login
scripts, so that they are still normal users.
How often have they to install printers? Is it really needed to be admin
always or is it possible for you to make the install for them?
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm
Thanks for the reply.
The difference is that they only need to be admin on the machine they
use to do things like run certain applications which need admin
rights, install printers etc.
The downside with the way we currently have this setup is that anyone
with half a brain can consequently get access to the local drives on
any other client machine. Although users are advised not to store data
on their local machines there's a long standing culture here where
they still do so there's a potential security concern of being able to
access someone else's data.
So I only want them to have local admin rights on the machine they
use. There's very little (if any at all) concept of people sharing
machines, i.e. a machine issued to one person is typically only used
by that person.
Hopefully that makes sense.
"Danny Sanders" wrote:
Obviously this means that anybody has admin access to any machine.
What I would like to be able to achieve is the logged on user should
only have admin access to the machine they are currently using.
I'm not seeing the difference. When a user logs into a computer they
are made administrator of that machine. If they log into another
machine you want them to be admin there also.
What is the problem with them having admin access to "any machine",
when you allow them to log onto "any machine" and give them admin
access on "any machine" they are using?
If they *need* admin access to do their job on one machine, and they
access that machine remotely, they are going to need admin access to the
remote machine to do their job.
If they can do their job remotely and they don't need admin access to
do their job remotely, they probably don't need admin access to do their
job when logging in locally to that same machine.
DDS
"jmedd" <jmedd@xxxxxxxxxxxxxxxx> wrote in message
news:1BDB007C-E564-4DCE-BDA6-2B08FC04A1E4@xxxxxxxxxxxxxxxx
We need to give our users local admin access to their client 2000 / XP
machines and currently this is done via a GPO which adds a 'LocalAdmin
Access' domain based group to the local administrators group. Users are
then added to the domain based group.
Obviously this means that anybody has admin access to any machine.
What I would like to be able to achieve is the logged on user should
only have admin access to the machine they are currently using.
Does anyone have a suggestions how this could be done via GPO?
Thanks
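Meinolf Weber's suggestion quoted above (use Filemon/Regmon to find the files and registry keys an application fails to write to, then loosen only those so users stay normal users), as an added PowerShell example that is not part of the thread. The application folder and registry key are hypothetical placeholders, and the script is assumed to run elevated, for example as a computer startup script.

```powershell
# Added example, not from the thread. The two targets are hypothetical
# placeholders for locations Filemon/Regmon showed "ACCESS DENIED" on.
$targets = @(
    @{ Kind = 'File';     Path = 'C:\Program Files\ExampleApp\Data' },
    @{ Kind = 'Registry'; Path = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp\Settings' }
)

# Well-known SID for BUILTIN\Users; avoids depending on a localized group name.
$users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$noProp = [System.Security.AccessControl.PropagationFlags]::None
$allow  = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path)) {
        Write-Warning "Skipping missing path: $($t.Path)"
        continue
    }
    $acl = Get-Acl -LiteralPath $t.Path

    if ($t.Kind -eq 'File') {
        # Inheritance flags are only valid on directories, not on single files.
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
        if (Test-Path -LiteralPath $t.Path -PathType Container) {
            $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        }
        # Modify, not FullControl: users cannot change the ACL or take ownership.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $users, [System.Security.AccessControl.FileSystemRights]::Modify,
            $inherit, $noProp, $allow)
    } else {
        # Registry keys are containers only, so ObjectInherit does not apply.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $users, [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit, $noProp, $allow)
    }

    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $t.Path -AclObject $acl
    Write-Output "Granted BUILTIN\Users write access on $($t.Path)"
}
```

Keep the grants to data and settings locations; a folder that holds the application's executables or DLLs should stay read-only for normal users.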