Re: How to create "admin" acct w/o user add/delete

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/07/05


Date: Fri, 7 Oct 2005 10:04:59 -0500

In my opinion, the fact that it is not a domain does not diminish the impact
or damage a user can do being an administrator on their own computers and
possibly impact other computers on the network. Such a user is much more
likely to have a lot of spyware and introduce a backdoor or worm into the
network, and they can reconfigure or disable antivirus software, personal
firewalls, TCP/IP settings, change passwords on their computer only, etc.
Having said that, there are certainly business and political reasons in cases
to make a user a local administrator, and not all users are malicious or
overly curious. That is a call you have to make. You can also use Group
Policy on a local computer via gpedit.msc, though by default it will apply to
all users on the computer, which can make it difficult to manage. One
solution would be to use a remote computer on the network to manage Group
Policy via the MMC snap-in for Group Policy editor and navigate to the
computer you want to manage, assuming someone did not change your
administrator password. For Windows XP, MS has released the Shared Computer
Toolkit [hooray!] that makes it much easier to give different lockdown
settings to users on the same computer, though again, locking down a user that
is a local administrator that is allowed to install applications cannot
really be done effectively, depending on the skills and intentions of the
user, and MS discusses this in the documentation. Often users post in this
newsgroup that also use XP, so if that is the case for you, be sure to check
it out at the link below. --- Steve

http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx

"Bob" <uctraing@ultranet.com> wrote in message
news:h36ak15cecvo1mjucj6fra09fhhc5aagja@4ax.com...
> On Wed, 5 Oct 2005 18:37:33 -0500, "Steven L Umbach"
> <n9rou@n0-spam-for-me-comcast.net> wrote:
>
>>Ultimately you cannot do that, and just to make it clear, users do not need
>>to be domain administrators to do what you want - but local administrators
>>on their domain computers if you are talking about an Active Directory
>>domain.
>>
>>If the software applications are .msi packages, you can use Group Policy
>>Software Installation to assign or publish .msi packages so that regular
>>users can have them installed without administrator intervention.
>>
>>You can, however, configure the computer with Group Policy restrictions for
>>the user to prevent access to the command prompt, edit the registry, prevent
>>access to .msc files used by MMC snap-ins, etc. in an attempt to restrict the
>>administrator. For many users this may work just fine, as they do not
>>understand the concept of the administrator account nor care about it;
>>however, a skilled user could most likely bypass restrictions to do the type
>>of damage you are concerned about if they were so inclined. --- Steve
>
> Thanks Steve. That's an informative answer. These are workgroup, not
> domain machines - which is why I don't mind them being local
> administrators. Any "real" applications are already installed but they
> want to be able to install their own software. It's not a situation
> where I would be able to set up installs for the packages. At the same
> time, I'd prefer them not to go creating more accounts or changing
> passwords that other folks use.
>
> Sounds like I can't have my cake and eat it too though.
>
> Bob
>
>
>


