Re: Problem after removed "domain users" from "local administrator"s g
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Thu, 10 Jul 2008 20:24:53 +0100
Tammy wrote:
Hello all,
We are running SBS 2003 SP1 Premium with approx 14 workstations running Windows XP Pro SP2.
We finally decided to remove the "domain users" group from the "local administrators" group on the workstations and since doing that we have a strange problem happening.
The users can log on to the network successfully but then they cannot start any programs - as soon as I reverse this setting everything is fine again.
This does not make sense to me - has anyone come across this before? We want this setting to tighten up on security...so users can no longer install applications, etc.
If anyone has any suggestions on how to fix this that would be great!!
Thanks so much in advance!
Tammy
There's more than one possible reason. Some programs simply cannot be used without administrator privileges, ever, which is an excellent reason to switch to software written by competent people.
Some just need one initial access with admin privileges, after which an unprivileged user can run them. Some, if not all, Microsoft Office programs fall into this group. Each user of the software needs to run it once on each machine, with admin privileges. Clearly this isn't the answer in this case.
I've just come across a third type, where the program would work properly for an unprivileged user on a stand-alone computer but not on a domain member machine. In the case of Sage Accounts 50, the user requires read/execute privileges on a couple of files under Program Files, again just once. The Sage installer did set up those privileges, but for the computer Local User group. Domain computers don't have local users, so nobody could run these files. The right answer, in hindsight, was to add Domain Users to the Local Users group. I used the usual brute-force-and-ignorance technique.
It's worth trying that (the right answer) in your case; it might solve the problem. I've never heard of that as being something that connectcomputer does, but it's worth bearing in mind in future when commissioning new workstations.
If that doesn't work, it's probably a matter of getting onto the software vendors, and asking what has to be changed for unprivileged users to run their products, possibly hinting gently that if it can't be done, that's the last version of their software you will consider. There are probably a few file permissions that need to be altered to fix the problem, if they haven't been totally incompetent.