Re: Local admin right

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/28/05


Date: Tue, 27 Sep 2005 18:35:29 -0500

Not really. Local administrators are all powerful on that computer within
what they know how to do with the operating system. Depending on their
knowledge you could use Group Policy user configuration/administrative
templates -- various settings to disable their access to the local user and
groups Management Console, hide Control Panel, command prompt, etc. If you
configure such settings at the domain/OU level they will not apply if the
user logs onto the "local" computer not using a domain account. You can also
use Group Policy Restricted Groups to enforce membership of local computer
groups if you use RG at the OU level which would remove unauthorized members
at the next GP computer configuration refresh on the domain computer. The
links below explain more on how to use RG. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/611.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

"Tu Nguyen" <TuNguyen@discussions.microsoft.com> wrote in message
news:2D503398-E6CB-4131-871D-2947796759DC@microsoft.com...
> Hi to all,
>
> I have a question. I need your help. We granted some employees' network
> account to local admin group to run some applications. However, they have
> used this permission to grant someone else to access that box too. Are there
> any ways to restrict them to use local admin right to grant someone
> permission to box? I did test at OU but no luck. Any ideas should be
> appreciated. Thanks.
>
> Tu Nguyen
>
>
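
Added example, not part of the original thread: a PowerShell dry run of the Restricted Groups enforcement described in the reply above, listing which accounts the next computer policy refresh would remove from (or add to) a local group. The function name Compare-RestrictedGroup and all computer, domain and account names are hypothetical, constructed for illustration.

```powershell
# Added example: dry run of Restricted Groups "Members of this group" enforcement.
# Compare-RestrictedGroup and every account name below are hypothetical.

function Compare-RestrictedGroup {
    param(
        [Parameter(Mandatory)] [string[]] $CurrentMembers,  # accounts in the local group now
        [Parameter(Mandatory)] [string[]] $PolicyMembers    # member list defined in the GPO
    )
    # -notcontains compares case-insensitively, like Windows account names.
    foreach ($account in $CurrentMembers) {
        if ($PolicyMembers -notcontains $account) {
            # Present on the machine but not in the policy: removed at refresh.
            [pscustomobject]@{ Account = $account; Action = 'Remove' }
        }
    }
    foreach ($account in $PolicyMembers) {
        if ($CurrentMembers -notcontains $account) {
            # Listed in the policy but missing locally: added at refresh.
            [pscustomobject]@{ Account = $account; Action = 'Add' }
        }
    }
}

# Constructed sample: app.user1 was granted local admin to run an application
# and then added temp.user2, as in the question above.
$current = 'WKS042\Administrator', 'CONTOSO\Domain Admins',
           'CONTOSO\app.user1', 'contoso\temp.user2'
$policy  = 'WKS042\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\app.user1'

Compare-RestrictedGroup -CurrentMembers $current -PolicyMembers $policy |
    Format-Table -AutoSize

# On a live machine (Windows PowerShell 5.1 or later), read the built-in
# Administrators group by its well-known SID instead of the sample list:
#   $current = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
```

An account on the policy list that is still a local administrator can add the extra member again, and it stays in the group until the next computer policy refresh removes it.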


