Re: logon/power-users group question
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/10/05
- Next message: Bruce Sanderson: "Re: can not take ownership of application data\microsoft\systemcertificates\my in profile folder"
- Previous message: Steven L Umbach: "Re: EFS - Encryption and User Migration"
- In reply to: Altria: "logon/power-users group question"
- Next in thread: Altria: "Re: logon/power-users group question"
- Reply: Altria: "Re: logon/power-users group question"
Date: Wed, 9 Mar 2005 22:28:55 -0600
Power users by default can do a lot to a computer and have write permissions
to program file and system files folders, though you can modify that. Power
users can also create shares if file and print sharing is enabled. Power
users can also create local accounts, which means that they could possibly
create a local user account, put it in the power users group, and then log on
to the computer with that account to bypass domain Group Policy for users.
You could try to configure the user right on those domain computers to
include only domain users and administrators, which could prevent that.

You can limit logon to domain computers in a couple of ways. In a user's
account in AD Users and Computers you can specify which domain computers a
user can log on to. Also, you can use the user rights logon locally and deny
logon locally to control who can log on to a domain computer. This can be
done at the local computer level or at the domain or Organizational Unit
level with Group Policy. Be careful with deny user rights, as they override
allow user rights, and remember that administrators are also members of the
users and everyone groups. The security guide from Microsoft called Threats
and Countermeasures has much more detailed info and can be found at the link
below.

--- Steve
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
"Altria" <urbantec92@msn.com> wrote in message
news:%23ktajwNJFHA.2852@TK2MSFTNGP09.phx.gbl...
> Hello All,
> By default, are users of a domain allowed to logon to any workstation
> within the domain?
> If so, how can I limit specific users to only be able to logon to specific
> workstations?
> Also, if users are able to log in to any machine with a valid user account,
> how does this affect the security on the machine? For example, if group
> policies are applied to specific users and machines based on OU, then what
> happens to a user who is not in that OU but in the domain and is able to
> log on to the workstation?
> Finally, a little off-topic, if I set my users to have power-user rights
> via configuring Network ID, are they not supposed to be able to install
> programs and other misc things (e.g. wallpaper)? I thought that this group
> essentially can install programs but not modify any system files (e.g. OS
> dependent files). Does this also include not being able to write into
> %systemroot% or modifying registry during program installations?
> TIA,
> Altria
> BTW, Win2k3/2k and XP pro clients
>
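
As an added example (not part of the original message or of any Microsoft tool): a Python check that reads the `[Privilege Rights]` section of a security template exported with `secedit /export` and flags the two conditions the reply above warns about, an allow entry that admits locally created accounts and a deny entry that also catches administrators. The sample template text, including the domain SID in it, is constructed, and the function names are hypothetical.

```python
# Added example. SAMPLE_INF is constructed data in the layout of the
# [Privilege Rights] section of a `secedit /export /cfg` template.
WELL_KNOWN = {  # well-known SIDs that show up in exported templates
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
}
# Allowing these lets an account created locally by a power user log on.
ADMITS_LOCAL = {"Everyone", "Authenticated Users", "Users", "Power Users"}
# Denying these also denies administrators, because deny overrides allow.
CONTAINS_ADMINS = {"Everyone", "Authenticated Users", "Users", "Administrators"}

SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-21-1111111111-2222222222-3333333333-513
SeDenyInteractiveLogonRight = *S-1-5-32-545,Guest
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: [member, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(m, m) for m in members]
    return rights

def review_local_logon(rights):
    """Flag risky entries in the 'logon locally' allow and deny rights."""
    findings = []
    for m in rights.get("SeInteractiveLogonRight", []):
        if m in ADMITS_LOCAL:
            findings.append(("allow", m, "admits locally created accounts"))
    for m in rights.get("SeDenyInteractiveLogonRight", []):
        if m in CONTAINS_ADMINS:
            findings.append(("deny", m, "overrides allow and also blocks administrators"))
    return findings

if __name__ == "__main__":
    for finding in review_local_logon(parse_privilege_rights(SAMPLE_INF)):
        print(*finding, sep=": ")
```

To run it against a real export, read the file with `encoding="utf-16"`, which is how `secedit` normally writes it, and pass the text to `parse_privilege_rights`.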