Re: Group Policy restrictions for Local Admins

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/26/05


Date: Thu, 26 May 2005 16:31:37 -0500

For Windows 2003 and XP Pro you can use Software Restriction Policies [even
in a Windows 2000 domain] to manage even what a local administrator can run
via the enforcement rule or install on their computer. SRP can be bypassed
if a local administrator boots into safe mode, IF they know that. For Windows
2000 computers you could try populating the disallowed Windows application
list with setup.exe, install.exe, msiexec.exe, etc. under User
Configuration/Administrative Templates/System. NTFS permissions can also be
modified to prevent users from writing to certain folders such as Program
Files. A user that is an administrator would need deny write permissions to
try to accomplish such. That is something that should be thoroughly tested
before trying, to make sure that their needed applications work. It may also
help to configure Internet Explorer via Group Policy to not allow downloads,
at least from the Internet Web Content Zone. The links below may help. All
of the above could be bypassed by a knowledgeable user that is a local
administrator, but you do not have anything to lose to try if you think it
would help you. The best solution is to look at ways to not have to make
users local administrators. Sometimes with some permissions and registry
tweaks, problem programs will work for a regular user. The links below may
help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

<kenw@kmsi.net> wrote in message
news:39nb91ld4e9rnm1i5lfbff43ipetfqd3mq@4ax.com...
> Maybe this is a lost cause, but it's worth asking.
>
> It should be possible to use Group Policy to restrict that ability to add
> and remove software -- or, alternatively, restrict what software will run
> -- for people who have local admin rights. I'm looking for ideas on how
> best to do that.
>
> Granted, people with local admin rights could, in theory, do anything they
> want with "their" PCs. In practice, however, 99% of users would have no
> idea how.
>
> /kenw
> Ken Wallewein
> K&M Systems Integration
> Phone (403)274-7848
> Fax (403)275-4535
> kenw@kmsi.net
> www.kmsi.net
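An added audit script (my example, not part of Steve's reply or any Microsoft tool) that reads the Software Restriction Policy enforcement setting and the "Don't run specified Windows applications" list discussed above, and reports whether local administrators are actually covered. The registry paths are the documented policy locations; the value interpretations are assumptions noted in the comments.

```powershell
# Added example: audit whether the restrictions discussed above actually cover
# local administrators. Reads the Software Restriction Policy (SRP) settings and
# the "Don't run specified Windows applications" list from the registry.
# Assumption: value meanings follow the documented SRP policy keys
# (PolicyScope 1 = "all users except local administrators").

$SaferKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-SrpStatus {
    if (-not (Test-Path $SaferKey)) { return $null }          # SRP never configured
    $p = Get-ItemProperty -Path $SaferKey
    $level = switch ([int]$p.DefaultLevel) {
        0       { 'Disallowed' }
        0x1000  { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "Unknown ($($p.DefaultLevel))" }
    }
    [pscustomobject]@{
        DefaultLevel    = $level
        AppliesToAdmins = ([int]$p.PolicyScope -eq 0)        # 0 = all users, 1 = skip local admins
        DllsChecked     = ([int]$p.TransparentEnabled -eq 2) # 2 = all files incl. libraries
        ExecutableTypes = $p.ExecutableTypes                  # designated file types (REG_MULTI_SZ)
    }
}

function Get-DisallowRunList {
    # The Windows 2000-era policy: only enforced for programs started by Explorer,
    # so anything launched from cmd.exe or another process is not covered.
    $listKey = Join-Path $ExplorerKey 'DisallowRun'
    $flag = (Get-ItemProperty -Path $ExplorerKey -ErrorAction SilentlyContinue).DisallowRun
    if ($flag -ne 1 -or -not (Test-Path $listKey)) { return @() }
    (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$srp = Get-SrpStatus
if ($null -eq $srp) {
    Write-Output 'SRP: not configured on this machine.'
} else {
    $srp | Format-List
    if ($srp.DefaultLevel -eq 'Disallowed' -and -not $srp.AppliesToAdmins) {
        Write-Warning 'SRP default is Disallowed but local administrators are exempt (PolicyScope = 1).'
    }
}
$blocked = Get-DisallowRunList
Write-Output ('Explorer DisallowRun list: ' + $(if ($blocked) { $blocked -join ', ' } else { '(none)' }))
```

Run it in an elevated PowerShell session on a test machine after applying the policy; the safe-mode bypass Steve mentions is not something a registry check can detect, so it still needs to be accounted for separately.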
