Re: Admin account

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/13/04

• Next message: Chris Clarke: "HELP Logging on logs me off"
• Previous message: Scott Harding - MS MVP: "Re: Network + AD = Tighten Security"
• In reply to: anonymous_at_discussions.microsoft.com: "Admin account"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 13 Apr 2004 21:27:39 GMT

You can try to use Group Policy for domain users to prevent them form doing such
including adding setup.exe and install.exe to the disallowed Windows Applications
list in user configuration/administrative templates/system and also disabling the
command prompt and registry editing after reading the full explanation first of any
settings you enable but it really is impossible to restrict an administrator if they
know the power of the account. For example if they create a local user account for
themselves, they can logon to that and bypass domain user configuration policy or
unjoin the computer from the domain.

Your best approach would be to find a way to remove them from the local
administrators group - even a power user would be much preferable. You may also try
top contact the software publisher to lean on them for ways to modify ntfs/registry
permission to allow a regular user to use their application. It may be possible to do
it yourself by using free tools from SysInternals such as filemon and regmon. You
would have to logon as a regular user, then use runas to invoke filemon and then view
the log to see where permissions denied access to a file, make necessary changes and
try again. See the link below on where to get those tools. --- Steve

http://www.sysinternals.com/

<anonymous@discussions.microsoft.com> wrote in message
news:1787201c42189$c3792870$a001280a@phx.gbl...
> We have software installed on clients machine that
> requires Admin rights on the local machine. I am having
> problems with users installing junk, disabling the user
> password on the screen saver and doing things to their PC
> that I do not have control of. Is there anyway that I can
> do to enable the admin rights but control what the users
> do to the pc?

---

• Next message: Chris Clarke: "HELP Logging on logs me off"
• Previous message: Scott Harding - MS MVP: "Re: Network + AD = Tighten Security"
• In reply to: anonymous_at_discussions.microsoft.com: "Admin account"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages RE: exclude laptop from a gpo ... When I made my group policy for the Internet Explorer I have the the scope ... set for Authenciate Users and Domain Users. ... I did mark the SBSLaptops not to inherit. ... So the laptops will not apply the GPO because it has been blocked. ... (microsoft.public.windows.server.sbs) Re: adding a group to local computer ... It happens regardless of which group I add. ... As far as group policy, I was looking through the group policy settings last ... why must all your domain users be local admin? ... (microsoft.public.windows.server.active_directory) Re: OU level ... Do you have to be a member of domain users in order to ... the new ou which I setup a group policy. ... for users and the old users have the same group policy. ... (microsoft.public.win2000.active_directory) Group Policy Issue - I Think ... I have a 2003 server domain with xp clients in the domain users group that ... view all the https sites with no problem but then back as a domain user and ... I think this might be a group policy issue but i am not sure. ... (microsoft.public.windows.server.active_directory) Re: Group Policy for WinXP local administrator rights ... give "domain users" admin rights to all workstations, ... will also gain admin rights over the network to other machines. ... > net localgroup administrators %username% /add ... (microsoft.public.windows.server.active_directory)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)