RE: local admin vs group policy and apps...

From: Robert Jandacek (rjandacek_at_horizononline.com)
Date: 01/18/05

  • Next message: Danny: "Re: IIS6 on W2k3 DCs"
    Date: Tue, 18 Jan 2005 09:21:56 -0700
    To: "Bruce K. Marshall" <bkmlstsgohere@comcast.net>, "Murad Talukdar" <talukdar_m@subway.com>, <focus-ms@securityfocus.com>
    
    

    The link is actually here:

    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=
    CF3CC921-9B8E-4266-A905-2E2A20217CE0

    Robert Jandacek
    Horizon IT Dept.

    -----Original Message-----
    From: Bruce K. Marshall [mailto:bkmlstsgohere@comcast.net]
    Sent: Tuesday, January 18, 2005 6:31 AM
    To: Murad Talukdar; focus-ms@securityfocus.com
    Subject: Re: local admin vs group policy and apps...

    Murad,

    I would recommend looking at the following tool, called the Elevated
    Privileges Application Launcher (epal), from Microsoft:

    http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/e
    pal.mspx

    It should allow you to run your applications as a member of the
    Administrators without explicitly granting the end user the same
    privileges.

    ----
    Bruce K. Marshall - bmarshall@securityps.com - 913-484-7233
    Security Professional Services, Inc. - Kansas City
    ----- Original Message ----- 
    From: "Murad Talukdar" <talukdar_m@subway.com>
    To: <>
    Sent: Thursday, January 13, 2005 9:10 PM
    Subject: local admin vs group policy and apps...
    > Hi,
    > We have two apps (even calling them legacy seems to attribute some
    > undeserved elegance to them) which must run at admin level to function
    > properly. I am trying to find out whether the fact that users are
    allowed 
    > to
    > be local admins, or even given the runas power to run the app can
    still be
    > locked out of control panel etc through GPOs.
    >
    > I mean, if I let people runas then they know the admin password so can
    > rescind any GP settings, can't they? How can I shut that possibility
    out?
    >
    > Yes I have asked for the possibility of then apps being recoded to 
    > function
    > under power users but the development team are of the starving waif 
    > variety
    > due to under resourcing...this consideration is not high on the list.
    >
    > Kind Regards
    > Murad Talukdar 
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: Danny: "Re: IIS6 on W2k3 DCs"

    Relevant Pages

    • Re: local admin vs group policy and apps...
      ... Administrators without explicitly granting the end user the same privileges. ... local admin vs group policy and apps... ... > We have two apps (even calling them legacy seems to attribute some ... or even given the runas power to run the app can still be ...
      (Focus-Microsoft)
    • Re: Exempting a Computer from Application of Group Policy?!
      ... with local admin credentials creates a local admin account for themselves, ... they logon with that account they will not have user configuration applied to them. ... Computer configuration for Group Policy will apply regardless of if domain or local ...
      (microsoft.public.win2000.security)
    • RE: local admin vs group policy and apps...
      ... local admin vs group policy and apps... ... or even given the runas power to run the app can still be ... Yes I have asked for the possibility of then apps being recoded to function ... under power users but the development team are of the starving waif variety ...
      (Focus-Microsoft)
    • Re: Manage Workstation Rites
      ... Atom Ant typed: ... I would like to keep users with local admin rites but limit their ... Can anyone suggest a Group Policy scheme to accomplish my goals? ...
      (microsoft.public.windows.server.active_directory)
    • Wallpaper and desktop policy
      ... Do you currently have a group policy? ... User Config> Admin Templates> Desktop. ... As for the local admin, go to control panel and under ...
      (microsoft.public.win2000.group_policy)