Re: Power User Privilages XP/2000

Or, how would I modify the user group to just be able to install software?

"Ben Chi" wrote:

Thanks Roger...

Quick question...

Can I set up a group to just be able to do everything but mess with the user

"Roger Abell [MVP]" wrote:

"Ben Chi" <BenChi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Thanks for all your Help Roger,

Quick question, there's no way to take compmgmt.msc privliages away from
Power users?

Interesting question, from a couple angles.
First, although group policy allows one to control mmc tools
available to users, differentially by which users, Power Users
however is the machine local Power Users the membership of
which is neither always only domain account nor predictable.
Second, compmgmt.msc is actually a collection of other mmc
snapins which the accounts could access by building custom
mmc consoles and adding them.
Third, if the specific capabilities that you want them to not
have, and from which you ask about disallowing compmgmt.msc
access, are granted to them as Power Users, then they could
easily find other ways to do most things (script, third-party
tools/utilities, reskit, etc.).
So, in short, no, I do not believe there is a simple way to
get to what I think is your objective. Software restriction
policy and use of the group policy settings that control mmc
tool availability could get you part way there, but with some
major effort.

"Roger Abell [MVP]" wrote:

"Ben Chi" <BenChi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

"Roger Abell [MVP]" wrote:

"Ben Chi" <Ben Chi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Is there anyway to modify Group Policies for Power Users on both XP
The only thing I've been able to find on XP is in the Local Security
Settings, but wat I'm looking for isn't in there. I want to be able
modify Power Users so that they aren't able to create user accounts
change accounts to a higher access account (i.e. admin). I
if I wanted to do that I should just make a user account, but then
account doesn't have sufficient privilages.

If you understand what I'm trying to get at, any help would be

You understand correctly. Some grants to PU may are
wired beyond normal means of configurability.

What is insufficient with a limited account?
That can often be worked out.


Well here's the deal. I've been trying to configure the settings on my
Domain Controller by creating a group called "PowerTester". What I
group to do is have the rights of the PU group except be able to config
and add Users. Now, with all my tinkering, I have yet to figure out
how I
can be able to do this. I've spent half a day looking in the GPO, but

Now, my question would be, is there any possible way for me to create a
group that has all the rights as a PU <i>except</i> rights to the User
settings section?

Thanks in Advance,
Ben Chi


There is no way. Server Operator carries some things, but
no, I do not know of a way to do that. I believe MS has not
invested effort to make it possible since, on a domain controller,
giving out more than just user (like allowing right to install
software or drivers) is essentially giving away enough to let
that account make itself a Domain Admins member.
Now, you can make the account a member of Administrators
in the domain and that gives them full control over the DC,
but not over AD (and hence its users and groups).

There is a chance that what you were saying is that you
want to make some account(s) like Power Users on some
set of client systems, rather than saying you want to make
them have these rights on the DC(s). The same comments
apply, that PU allows elevation to admin; but you could
use GPO settings to make a custom group of domain users
members of PU on that set of machines.