Re: Must all users be administrators?
From: Anna Clark (this)_at_verizon.net)
Date: 05/21/04
- Next message: Roger Crawford: "SQL Question"
- Previous message: Paul Marshall: "Email send error"
- In reply to: Dave: "Re: Must all users be administrators?"
- Next in thread: Jeff Middleton [SBS-MVP]: "Re: Must all users be administrators?"
- Reply: Jeff Middleton [SBS-MVP]: "Re: Must all users be administrators?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 21 May 2004 08:31:30 -0400
Hi Dave:
I appreiciate your input on this.
Can you explain more?
For example, I wonder why this use has admin privlidges without the benefit?
Why not just make this user a user or power user?
Anna
"Dave" <newsATfureyDOTnet> wrote in message
news:OO7bLTrPEHA.3456@TK2MSFTNGP11.phx.gbl...
> Correct me if I am wrong, but GROUP POLICIES override this (local admin
can
> do anything) capability!
>
> I have one workstation that has a user as Administrator (workstation) and
I
> have restricted them to the extreme via group policies. They cannot
> install/add/remove anything, they can't save to desktop, can't change
screen
> saver or background etc. The can't even see their C: drive.
>
> The user can't login locally as their DOMAIN account is the one with Admin
> privileges.
>
> Dave
>
> "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in
message
> news:uXKuDXoPEHA.904@TK2MSFTNGP12.phx.gbl...
> > I'm very lucky in this regard to work for a boss who is computer savvy
and
> > security conscious. He is also quite conscious of the cost of having me
> > running around fixing problems all day. If you can get the management
> > behind you, the employees will know that they're fighting a losing
battle,
> > and they'll give up. A couple points:
> >
> > A user with local admin rights can do anything to a workstation. Think
of
> > the costs to the company of having a careless user accidentally delete
the
> > "Documents and Settings" directory, for example, thereby killing the
data
> of
> > all that machine's users. Or, having to pay you to come in and recreate
> the
> > workstation from scratch because someone blew up the OS.
> >
> > A user with admin rights can install anything - forget about the
annoying
> > screen savers and the time wasted on games. How about viruses, trojans,
> > keystroke logging software, back doors, spyware, and any of a variety of
> > other types of malware.
> >
> > How about the damage that could be done by a malicious user? Bypassing
> AV?
> > Kazaa? Illegal activities exposing the company to liability? Theft of
> > company data?
> >
> > I have two categories of users - the owner, who installs a variety of
> > shareware apps, unsupported add-ins, etc. and has constant computer
> > problems. And everyone else - power users whose only installations are
> > controlled by SUS, who generally have no problems at all.
> >
> >
> > "Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
> > news:uE3OCBhPEHA.2468@TK2MSFTNGP11.phx.gbl...
> > > Hi Dave:
> > >
> > > You are probably right on with this solution, but there is still the
> > > larger
> > > question of young agressive 20 to 30 year olds that grew up with
> computers
> > > wanting to do what ever they want with "their" computers.
> > >
> > > Making them Administrators seems to keep them quiet, but then
> applications
> > > get removed, printers disappear, and all kinds of "unapproved" apps
get
> > > installed on the computers.
> > >
> > > There must be a way to control this.
> > >
> > > Anna
> > >
> > >
> > > "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in
> > > message
> > > news:%23judI$cPEHA.3044@TK2MSFTNGP10.phx.gbl...
> > >> What happens if you go into the security settings of the folder in
> > > question,
> > >> and give whatever permission Administrators have to Authenticated
> Users?
> > >> Theoretically, that would solve the problem.
> > >>
> > >> I ran into this with a program from the abstract company, where it
> wanted
> > > to
> > >> write files to the workstations' root directory. I asked them to
> change
> > >> their program to write to a directory under Documents and Settings
> rather
> > >> than give the users write permissions to the root directory. They
were
> > >> willing to rewrite their program knowing that they were going to run
> into
> > >> the issue on every default winxp workstation they installed it on.
> > >>
> > >> IMO giving all users admin rights is an invitation for a disaster.
> > >> You'll
> > >> have no control over what's installed on the workstations, including
> > >> spyware, downloaded trojans, kazaa, shareware, etc.
> > >>
> > >>
> > >> "Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
> > >> news:ePYPI%23bPEHA.2580@TK2MSFTNGP09.phx.gbl...
> > >> > Hello everyone:
> > >> >
> > >> > One of my sites has a problem. The are a mortgage broker company
and
> > > use
> > >> > a
> > >> > software that requires that they save their loan applications to a
> > > folder
> > >> > on
> > >> > the local workstation.
> > >> >
> > >> > Unless their domain id is part of the local adminstrators group,
they
> > >> > cannot
> > >> > save the file.
> > >> >
> > >> > Moreover, it seems to me that to make an end user any less than an
> > >> > administrator over the local system is just asking to make trip
after
> > > trip
> > >> > to the site to give disgruntled users permissions to do this and
> that.
> > >> >
> > >> > How do others handle this problem, if it is a problem... or have I
> > > missed
> > >> > something basic.
> > >> >
> > >> > I take care of SBS W2K, and SBS 2K3 sites where the clients are XP
> Pro
> > > or
> > >> > W2K Pro and face this issue at all of them.
> > >> >
> > >> > Thanks for your input.
> > >> >
> > >> > Anna
> > >> >
> > >> >
> > >>
> > >>
> > >
> > >
> >
> >
>
>
- Next message: Roger Crawford: "SQL Question"
- Previous message: Paul Marshall: "Email send error"
- In reply to: Dave: "Re: Must all users be administrators?"
- Next in thread: Jeff Middleton [SBS-MVP]: "Re: Must all users be administrators?"
- Reply: Jeff Middleton [SBS-MVP]: "Re: Must all users be administrators?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
