Re: GPO Best Practice

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 10/19/04 

Date: Mon, 18 Oct 2004 19:40:43 -0700

Peachtree can run in user rights?

www.threatcode.com check out the tools on that site to wack registries
so EVERYONE can run as usermode.

Andre wrote:
> My GPO for updates problem is now fix, thanks to all
>
> Now, On my server I have installed the followings;
>
> SUS
> SQL Server
> ISA
>
> our WS are all XP's SP2
>
> What would be a "best Practice" for the follwings rights;
>
> 1- No One can install any softwares unless approved by the System Manager
> 2- No One can install UnApproved Active-X or whatever from IExplorer unless
> approbed by System Manager (or from Intranet)
> 3- No One can run any sort of Games,
> 4- Everyone has Access to MSN Messenger for chat but not downloads other
> than Images or a way to filter downloads
> 5- Only Internet Uses has access to Internet other than MSN Messenger, Skype
> and allowed External Web Sites.
> 6- Force Logout of idle some idle users so WS is available to others after a
> time limit after WS is locked
> 7- All SUS updates are installed at night without confirmations by the
> users, and NOT during day time.
> 8- All Applications assigned by System Administrator are installed without
> user confirmations and via User Limited Account. So far I get user has not
> enought priviledge to install this application.
> 9- No One, except a certain group has Administrative right on the local WS.
> ..
>
> So basically, very simple, I want everyone to run in limited rights, but
> certain groups need the following
> 1- AccoutingGroup, using Peachtree need PowerUser rights (I know this is
> sucks, but Peachtree wont run otherwise!)
> 2- Office Group, Can write to WIN.INI (this is for roomMaster that requires
> to modify this file, as well as one registry)
>
> The resaon for this is simple, most of our users are computer illeterate and
> foul too much around and install anything...which give me headakes and
> prevent me from going Diving every day :-(
>
>
> Thanks
> Andre
>
>

Relevant Pages

  • Re: how to do this?
    ... >> time limit after WS is locked ... >> user confirmations and via User Limited Account. ... >> enought priviledge to install this application. ...
    (microsoft.public.windows.group_policy)
  • Re: In need of .NET advocacy
    ... * The resistance of people to install the .NET framework. ... believe what stories they come up in order not to install it. ... * At this moment installing the .NET framework is far too complicated. ... code so it does have access to the user rights. ...
    (microsoft.public.dotnet.general)
  • Re: In need of .NET advocacy
    ... > believe what stories they come up in order not to install it. ... > program needs internet and/or LAN access. ... > code so it does have access to the user rights. ...
    (microsoft.public.dotnet.general)
  • Re: Uninstalling Windows messenger
    ... >> Depends how you are running your network, but why not restrict their ... >> user rights so they can't install programs? ... Under a limited account the user cannot "always install ... I'm not a big fan of restricting user rights, but in the context of the ...
    (microsoft.public.windowsxp.messenger)
  • RE: Symantec LiveUpdate and User Rights on Win2000
    ... You can add the users to the power users group. ... virus definitions. ... they are no longer able to install AV definitions through the LiveUpdate ... Trojan/virus has less of a chance of being initialized under user rights, ...
    (Security-Basics)