RE: local admin vs group policy and apps...

From: Stegman, William (Bill.Stegman_at_transcore.com)
Date: 01/14/05

    Date: Fri, 14 Jan 2005 15:01:28 -0500
    To: "Murad Talukdar" <talukdar_m@subway.com>
    
    

    If you're using Active Directory, GPOs at the OU level could not be rescinded by a local admin account. If a normal user logs in with their domain account, all the site/domain/OU GPOs relevant to that computer and user would apply. The GPO setting, "Prohibit access to the Control Panel", is only available under User Configuration, and reads that disabling it prohibits users from starting the Control Panel. I've tested this and when you try a runas with the local admin account, the Control Panel does not open.

    -----Original Message-----
    From: Murad Talukdar [mailto:talukdar_m@subway.com]
    Sent: Thursday, January 13, 2005 10:11 PM
    To: focus-ms@securityfocus.com
    Subject: local admin vs group policy and apps...

    Hi,
    We have two apps (even calling them legacy seems to attribute some
    undeserved elegance to them) which must run at admin level to function
    properly. I am trying to find out whether the fact that users are allowed to
    be local admins, or even given the runas power to run the app can still be
    locked out of control panel etc through GPOs.

    I mean, if I let people runas then they know the admin password so can
    rescind any GP settings, can't they? How can I shut that possibility out?

    Yes, I have asked for the possibility of the apps being recoded to function
    under power users but the development team are of the starving waif variety
    due to under-resourcing...this consideration is not high on the list.

    Kind Regards
    Murad Talukdar
