Re: Must all users be administrators?

From: Dave (newsATfureyDOTnet)
Date: 05/20/04


Date: Fri, 21 May 2004 07:53:03 +1000

Correct me if I am wrong, but GROUP POLICIES override this (local admin can
do anything) capability!

I have one workstation that has a user as Administrator (workstation) and I
have restricted them to the extreme via group policies. They cannot
install/add/remove anything, they can't save to desktop, can't change screen
saver or background etc. They can't even see their C: drive.

The user can't log in locally as their DOMAIN account is the one with Admin
privileges.

Dave

"Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in message
news:uXKuDXoPEHA.904@TK2MSFTNGP12.phx.gbl...
> I'm very lucky in this regard to work for a boss who is computer savvy and
> security conscious. He is also quite conscious of the cost of having me
> running around fixing problems all day. If you can get the management
> behind you, the employees will know that they're fighting a losing battle,
> and they'll give up. A couple points:
>
> A user with local admin rights can do anything to a workstation. Think of
> the costs to the company of having a careless user accidentally delete the
> "Documents and Settings" directory, for example, thereby killing the data of
> all that machine's users. Or, having to pay you to come in and recreate the
> workstation from scratch because someone blew up the OS.
>
> A user with admin rights can install anything - forget about the annoying
> screen savers and the time wasted on games. How about viruses, trojans,
> keystroke logging software, back doors, spyware, and any of a variety of
> other types of malware.
>
> How about the damage that could be done by a malicious user? Bypassing AV?
> Kazaa? Illegal activities exposing the company to liability? Theft of
> company data?
>
> I have two categories of users - the owner, who installs a variety of
> shareware apps, unsupported add-ins, etc. and has constant computer
> problems. And everyone else - power users whose only installations are
> controlled by SUS, who generally have no problems at all.
>
>
> "Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
> news:uE3OCBhPEHA.2468@TK2MSFTNGP11.phx.gbl...
> > Hi Dave:
> >
> > You are probably right on with this solution, but there is still the larger
> > question of young aggressive 20 to 30 year olds that grew up with computers
> > wanting to do whatever they want with "their" computers.
> >
> > Making them Administrators seems to keep them quiet, but then applications
> > get removed, printers disappear, and all kinds of "unapproved" apps get
> > installed on the computers.
> >
> > There must be a way to control this.
> >
> > Anna
> >
> >
> > "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in message
> > news:%23judI$cPEHA.3044@TK2MSFTNGP10.phx.gbl...
> >> What happens if you go into the security settings of the folder in question,
> >> and give whatever permission Administrators have to Authenticated Users?
> >> Theoretically, that would solve the problem.
> >>
> >> I ran into this with a program from the abstract company, where it wanted to
> >> write files to the workstations' root directory. I asked them to change
> >> their program to write to a directory under Documents and Settings rather
> >> than give the users write permissions to the root directory. They were
> >> willing to rewrite their program knowing that they were going to run into
> >> the issue on every default winxp workstation they installed it on.
> >>
> >> IMO giving all users admin rights is an invitation for a disaster. You'll
> >> have no control over what's installed on the workstations, including
> >> spyware, downloaded trojans, kazaa, shareware, etc.
> >>
> >>
> >> "Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
> >> news:ePYPI%23bPEHA.2580@TK2MSFTNGP09.phx.gbl...
> >> > Hello everyone:
> >> >
> >> > One of my sites has a problem. They are a mortgage broker company and use a
> >> > software that requires that they save their loan applications to a folder on
> >> > the local workstation.
> >> >
> >> > Unless their domain id is part of the local administrators group, they cannot
> >> > save the file.
> >> >
> >> > Moreover, it seems to me that to make an end user any less than an
> >> > administrator over the local system is just asking to make trip after trip
> >> > to the site to give disgruntled users permissions to do this and that.
> >> >
> >> > How do others handle this problem, if it is a problem... or have I missed
> >> > something basic.
> >> >
> >> > I take care of SBS W2K, and SBS 2K3 sites where the clients are XP Pro or
> >> > W2K Pro and face this issue at all of them.
> >> >
> >> > Thanks for your input.
> >> >
> >> > Anna
> >> >
> >> >
> >>
> >>
> >
> >
>
>
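
Added example, not part of the original thread: one way to apply the suggestion quoted above (rights on the one folder the application writes to, instead of membership in the local Administrators group) and then list which domain users still sit in that group. It uses Windows PowerShell 5.1 cmdlets rather than the tools of the thread's era, and `C:\LoanApps` is a hypothetical folder path.

```powershell
# Added example. Run from an elevated prompt on the workstation.
# $AppFolder is a hypothetical path: use the folder the application saves to.
param(
    [string]$AppFolder = 'C:\LoanApps'
)

# S-1-5-11 is the well-known SID for Authenticated Users. Using the SID
# avoids depending on a localized group name.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

# Modify lets users create, change and delete files in the folder, but not
# change its permissions or take ownership (FullControl would allow both).
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $authUsers,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the ACE to the existing ACL rather than replacing the ACL.
$acl = Get-Acl -Path $AppFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# Read the ACL back and confirm the ACE is present, matching on SID.
$granted = (Get-Acl -Path $AppFolder).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band
            [System.Security.AccessControl.FileSystemRights]::Modify) -eq
            [System.Security.AccessControl.FileSystemRights]::Modify
    }
if (-not $granted) {
    throw "Modify ACE for Authenticated Users not found on $AppFolder"
}

# List domain user accounts in the local Administrators group
# (well-known SID S-1-5-32-544). These are the memberships to review once
# the application can write to its folder without admin rights.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and
                   $_.PrincipalSource -eq 'ActiveDirectory' } |
    Select-Object Name, SID
```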


