Re: Administrator Privlidges for all

From: Robert Kane (rkane_at_systemcareinc.com)
Date: 06/28/03 

Date: 27 Jun 2003 23:02:50 GMT

If you have a Windows server(s) (with a NT 4 or W2K domain controller) you
could put in place a business acceptable use policy of making certain that
all data is stored on the server.

Create individual user accounts, then to grant the user rights to their own
PC, logon to the local machine as the domain administrator, open the user
and groups utility and add the individual domain user account to the LOCAL
power users account. This should grant the user enough power over their own
machine to allow them to perform most tasks. If they really need more power
then, add their domain user account to the PCs LOCAL administrators group.
This will grant them administrative privileges to their own PC, but NOT to
the domain (i.e. server(s))

This works well in most situations, but granted, is a security risk all the
same.

With the acceptable use policy, if they screw up their machine, then they
are responsible for any lost data since it should have been saved to the
server. Simply reformat, reimage, their PC without the need to worry about
apps or data. OK OK what if they did have data on the PC? Well, some users
will still store stuff locally. 1. EDUCATE your users to store their data
in the proper location. OR 2. Buy yourself a really expensive backup
solution to backup both your server and all the PCs, just in case.
Obviously this is a costly approach and for most not feasible. There are
always pros and cons to every solution. One must chose the one that makes
the best logical AND economical sense.

"Mike Mulligan" <mmulligan@invalid.net> wrote in message
news:%23JB3Wl1ODHA.2228@tk2msftngp13.phx.gbl...
> How about someone who doesn't understand what they're doing and makes a
> change that takes down their system? Right in the midst of a critical
task?
>
> Mike Mulligan
>
> "Devin" <dsmith@hospicenwo.org> wrote in message
> news:026901c33b51$685c3910$a501280a@phx.gbl...
> > Thanks to all that gave some feedback, we found a way to
> > do it by creating a group and dumping the users we wanted
> > to have admin in the group and then gave that group full
> > admin privlidges. Maybe i should have clarified
> > that 'all' of the users that we needed to have admin only
> > consist of the 7 of us that are in the actual office, no
> > one else that works for us has a login of any type. We
> > aren't particularly worried about someone doing something
> > stupid to any of our servers because all 7 of us have a
> > large stake (aka MONEY) in this little endeavor. Once
> > again, thanks for the help.
> >
> >
> > >-----Original Message-----
> > >If you don't have a server then convince your boss to
> > buy
> > >on Linux/ unix will work but i'd get something like
> > >Windows 2000 pro Server. This makes it really easy just
> > >make sure that you have a network setup connecting all
> > the
> > >computers. then have the computer join the server. you
> > >store all the users on the server not on the computer
> > but
> > >what you do is have the users that you think should be
> > >admins join the administrators group. then later you
> > >delete them from that group and put them into a
> > restricted
> > >users group. you can also use this to share saved files
> > >from the server to certin users. but remember once you
> > >share a folder and restrict access to that folder there
> > is
> > >away to get around that by taking ownership and changing
> > >the settings. ALSO REMEMBER DON'T SHARE A WHOLE DRIVE
> > >(well try not to) JUST A FOLDER AND REALLY NOT THE ROOT
> > >DRIVE.
> > >
> > >
> > >Have Fun,
> > >
> > >CDUB
> > >>-----Original Message-----
> > >>Devin;
> > >>When you create the account, select Administrator.
> > >>You can also easily check/Change account type:
> > >>Log-in using an Administrator.
> > >>Go tom User Accounts in Control Panel.
> > >>It will show Administrator or Limited.
> > >>Click on a user to change it.
> > >>
> > >>Are you really sure you want to do this.
> > >>Do you absolutely trust ALL users with ALL data on the
> > >computer?
> > >>Any Administrator can do and undo anything any
> > >Administrator can do.
> > >>If you have problems with one employee, the fix will
> > >likely be to
> > >>reload from scratch.
> > >>
> > >>I would suggest the opposite of your plan.
> > >>Set them as Limited Users, see how it works, evaluate
> > for
> > >>Administrator access as needed.
> > >>
> > >>--
> > >>Jupiter Jones [MVP]
> > >>An easier way to read newsgroup messages:
> > >>http://www.microsoft.com/windowsxp/pro/using/newsgroups/
> > se
> > >tup.asp
> > >>Please respond to newsgroup only for everyone's benefit.
> > >>
> > >>
> > >>"Devin" <dsmith@hospicenwo.org> wrote in message
> > >>news:013101c33b2e$7321df80$a101280a@phx.gbl...
> > >>> Hello, we are currently in the process of switching
> > all
> > >>> of our machines over to XP and one thing we want to be
> > >>> able to do is have it set so that any user that logs
> > on
> > >>> is an administrator and has access. My boss wants
> > them
> > >>> to have full access at least to start and if we find
> > >>> problems with specific accounts or what-not we will
> > then
> > >>> restrict access for that user. Is there a quick/easy
> > >way
> > >>> to set it up so that every user who logs on has the
> > >admin
> > >>> privledges? Thanks for any help/ideas.
> > >>
> > >>
> > >>.
> > >>
> > >.
> > >
>
>