Re: logon/power-users group question

From: Altria (urbantec92_at_msn.com)
Date: 03/14/05


Date: Mon, 14 Mar 2005 11:02:10 -0500

Hello Steven,
Thanks for the reply. I have found that although I have assigned my domain
users to the power users group (via My computer>Properties>Computer
Name>Network ID), they are unable to install numerous "low-level" programs
(e.g. QuickTime). Do these users also have to be assigned power user rights
locally as well as within the domain? For example, none of my users are
local users on the assigned workstations. Would you happen to know of an MS
guide to a description and definitions of all Built-in Accounts for Server
2000/2003 and Windows XP?
TIA,
Altria

"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:ubbGUmSJFHA.3960@TK2MSFTNGP09.phx.gbl...
> Power users by default can do a lot to a computer and have write
> permissions to program file and system files folders though you can modify
> that. Power users can also create shares if file and print sharing is
> enabled. Power users can also create local accounts which means that they
> could possibly create a local user account, put it in the power users
> group, and then log on to the computer with that account to bypass domain
> Group Policy for users. You could try to configure the user right on those
> domain computers to include only domain users and administrators which
> could prevent that.
>
> You can limit logon to domain computers in a couple of ways. In a user's
> account in AD Users and Computers you can specify which domain computers a
> user can log on to. Also you can use the user rights logon locally and deny
> logon locally to control who can log on to a domain computer. This can be
> done at the local computer level or at the domain or Organizational Unit
> level with Group Policy. Be careful with deny user rights as they override
> allow user rights and remember that administrators are also members of the
> users and everyone groups. The security guide from Microsoft called Threats
> and Countermeasures has much more detailed info and can be found at the
> link below. --- Steve
>
> http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx
>
> "Altria" <urbantec92@msn.com> wrote in message
> news:%23ktajwNJFHA.2852@TK2MSFTNGP09.phx.gbl...
>> Hello All,
>> By default, are users of a domain allowed to log on to any workstation
>> within the domain?
>> If so, how can I limit specific users to only be able to log on to
>> specific workstations?
>> Also, if users are able to log in to any machine with a valid user account
>> how does this affect the security on the machine? For example, if group
>> policies are applied to specific users and machines based on OU then what
>> happens to a user who is not in that OU but in the domain and is able to
>> log on to the workstation?
>> Finally, a little off-topic, if I set my users to have power-user rights
>> via configuring Network ID are they not supposed to be able to install
>> programs and other misc things (e.g. wallpaper)? I thought that this group
>> essentially can install programs but not modify any system files (e.g. OS
>> dependent files). Does this also include not being able to write into
>> %systemroot% or modifying registry during program installations?
>> TIA,
>> Altria
>> BTW, Win2k3/2k and XP pro clients
>>
>
>
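
The caveat in Steve's reply above (deny rights override allow rights, and administrators are also members of Users and Everyone) can be checked against a workstation's exported user rights. The PowerShell below is an added example, not part of the original thread; the INF text is a constructed sample in the format written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`, and the function names and the domain SID in it are hypothetical.

```powershell
# Constructed sample of a secedit user-rights export; not taken from a real host.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeDenyInteractiveLogonRight = *S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Broad well-known groups: a deny entry for any of these also catches administrators.
$broadGroups = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
}

# Hypothetical helper: account list for one right, with the '*' SID prefix stripped.
function Get-UserRight {
    param([string]$InfText, [string]$Right)
    foreach ($line in $InfText -split '\r?\n') {
        if ($line -match "^\s*$Right\s*=\s*(.*)$") {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()
}

# Hypothetical helper: report risky "log on locally" / "deny log on locally" entries.
function Test-LogonRights {
    param([string]$InfText)
    $allow = @(Get-UserRight $InfText 'SeInteractiveLogonRight')
    $deny  = @(Get-UserRight $InfText 'SeDenyInteractiveLogonRight')
    # Deny overrides allow, so a broad group here locks out administrators too.
    foreach ($sid in $deny) {
        if ($broadGroups.ContainsKey($sid)) {
            "LOCKOUT RISK: deny log on locally includes $($broadGroups[$sid]) ($sid)"
        }
    }
    # Anything beyond Administrators and Domain Users (RID 513) is wider than the reply suggests.
    foreach ($sid in $allow) {
        if ($sid -ne 'S-1-5-32-544' -and $sid -notmatch '^S-1-5-21-.*-513$') {
            "REVIEW: allow log on locally includes $sid"
        }
    }
}

Test-LogonRights $sampleInf
```

On the constructed sample this flags the Users entry in the deny list as a lockout risk and marks Users and Power Users in the allow list for review.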


