Re: built-in abilities

From: David Dickinson [MVP] (eis.no-spam@softhome.net)
Date: 05/10/02 

From: "David Dickinson [MVP]" <eis.no-spam@softhome.net>
Date: Fri, 10 May 2002 01:47:19 -0600

Onno Pieters wrote:
> There is a group of users who need to do some tasks.
>
> I want to make a (global or Local) group and give that
> group Advanced user rights and abilities to do the
> folowing tasks.

<snip>

> The only way I can get this to work is that the group must
> be a member of Server Operators AND Account Operators.
>
> But then they can do more then we want, like:
> - Change the system time
> - Force shutdowm from a remote system
> - Add workstations to domain
> - Create and manage user accounts
>
> Is there a way to make a group and give it only the rights
> they need.

You already know that each of these privileges can be enabled or disabled as
needed for specific groups. All you have to do is to create a new group
which has the privileges you want and is denied others. Then make those
users members of that group and of no other more trusted group. 

--
David Dickinson, MVP
EveningStar Information Services
Las Cruces, NM USA
Summary of Microsoft Security Bulletins
http://www.zianet.com/bwd/securitybulletins.asp