Re: Power User Privilages XP/2000
- From: Ben Chi <BenChi@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 26 Feb 2007 10:08:37 -0800
Thanks for all your Help Roger,
Quick question, there's no way to take compmgmt.msc privliages away from
Power users?
"Roger Abell [MVP]" wrote:
"Ben Chi" <BenChi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message.
news:EE969ECC-734E-4AD2-9FC6-6E43421945ED@xxxxxxxxxxxxxxxx
"Roger Abell [MVP]" wrote:
"Ben Chi" <Ben Chi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in messageWell here's the deal. I've been trying to configure the settings on my
news:F9A0BE46-193A-4CCD-9051-99F4CF24EE3C@xxxxxxxxxxxxxxxx
Is there anyway to modify Group Policies for Power Users on both XP and
2000?
The only thing I've been able to find on XP is in the Local Security
Settings, but wat I'm looking for isn't in there. I want to be able to
modify Power Users so that they aren't able to create user accounts and
or
change accounts to a higher access account (i.e. admin). I understand
that
if I wanted to do that I should just make a user account, but then the
user
account doesn't have sufficient privilages.
If you understand what I'm trying to get at, any help would be
appreciated.
You understand correctly. Some grants to PU may are
wired beyond normal means of configurability.
What is insufficient with a limited account?
That can often be worked out.
Roger
Domain Controller by creating a group called "PowerTester". What I want
that
group to do is have the rights of the PU group except be able to config
Users
and add Users. Now, with all my tinkering, I have yet to figure out how I
can be able to do this. I've spent half a day looking in the GPO, but to
no-avail.
Now, my question would be, is there any possible way for me to create a
group that has all the rights as a PU <i>except</i> rights to the User
Accout
settings section?
Thanks in Advance,
Ben Chi
Ben,
There is no way. Server Operator carries some things, but
no, I do not know of a way to do that. I believe MS has not
invested effort to make it possible since, on a domain controller,
giving out more than just user (like allowing right to install
software or drivers) is essentially giving away enough to let
that account make itself a Domain Admins member.
Now, you can make the account a member of Administrators
in the domain and that gives them full control over the DC,
but not over AD (and hence its users and groups).
There is a chance that what you were saying is that you
want to make some account(s) like Power Users on some
set of client systems, rather than saying you want to make
them have these rights on the DC(s). The same comments
apply, that PU allows elevation to admin; but you could
use GPO settings to make a custom group of domain users
members of PU on that set of machines.
Roger
- Follow-Ups:
- Re: Power User Privilages XP/2000
- From: Roger Abell [MVP]
- Re: Power User Privilages XP/2000
- References:
- Re: Power User Privilages XP/2000
- From: Roger Abell [MVP]
- Re: Power User Privilages XP/2000
- From: Roger Abell [MVP]
- Re: Power User Privilages XP/2000
- Prev by Date: Re: Copying the Guests group
- Next by Date: Re: Conflicting info between the global Security Bulletin and some SPi Security Bulletin
- Previous by thread: Re: Power User Privilages XP/2000
- Next by thread: Re: Power User Privilages XP/2000
- Index(es):
Relevant Pages
|
|
