Re: Remove permissions to install software from Power Users group



That's still not good enough. There are some exploits (I'll leave the research up to you, heh) that allow power users to elevate to administrators. That's why we've removed power users from Windows Vista.

Instead, demote your users to standard user. Then, for troublesome applications, profile them using Aaron Margosis's LUA BugLight tool. This will allow you to relax permissions on particular registry keys and files so that these apps will run under standard user accounts.

http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx


--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"KieronH" <KieronH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:D09DCD1F-8D92-4D42-AF26-009343861FC2@xxxxxxxxxxxxxxxx
Hi Shenan,
Thanks for the speedy reply.
I too am a firm believer in the "least privileges required" rule -
unfortunately we run so many different applications, it would take me many
months to identify the user requirements for each application. The Power
Users group membership, without the ability to install software, would be a
lot more secure than the position we are in currently - i.e. all users are
local Administrators.
Thanks,
Kieron
--
KieronH


"Shenan Stanley" wrote:

KieronH wrote:
> I'm trying to lock down Windows XP Pro workstations in our Domain.
> I've tried removing users from the PC's local "Administrators"
> group, but this generated lots of problems running applications,
> most of which were associated with insufficient permissions to
> local files and folders.
> I would like to add all domain users to the local "Power Users"
> group (which should be easy to achieve) but remove their ability to
> install software.
> Is there an easy way anyone knows of of removing this "right" from
> the Power Users group?

When dealing with security - give least privs first and GRANT what is
necessary beyond that. Do not try to work in the opposite direction. You
will end up giving too many rights and possibly - not even know you did it
until things go wrong.

If they have software that is not working when they are simply 'users' on
the workstation, you should try and discover why (likely file/folder
permissions to the program folders and/or to the All Users profile
directory - MAYBE permissions to a given registry key...) and fix that
instead of continuing to grant the users more rights than they should have.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
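
The approach recommended in this thread (keep users as standard users and relax permissions only where one application needs it), as an added PowerShell example that is not part of the original posts. The directory and registry key are hypothetical placeholders; substitute the locations your own profiling of the application reports.

```powershell
# Run elevated. Both targets are hypothetical placeholders, not values from the thread.
$AppDataDir = 'C:\Program Files\ExampleApp\Data'          # placeholder directory
$AppRegKey  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder registry key

# BUILTIN\Users by well-known SID, so the script also works on localized Windows.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# File system: Modify on this one data directory, inherited by its children.
# Grant write access only on data directories, never on directories that hold
# executables or DLLs, or standard users could replace code that others run.
$fsAcl  = Get-Acl -Path $AppDataDir
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $AppDataDir -AclObject $fsAcl

# Registry: let Users read, set values and create subkeys under this one key only.
$regAcl  = Get-Acl -Path $AppRegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $users, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AppRegKey -AclObject $regAcl

# Verify: list the explicit (non-inherited) rules now held by BUILTIN\Users.
foreach ($path in $AppDataDir, $AppRegKey) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference -eq $users } |
        ForEach-Object {
            # FileSystemAccessRule exposes FileSystemRights, RegistryAccessRule exposes RegistryRights.
            $rights = if ($_.PSObject.Properties['FileSystemRights']) { $_.FileSystemRights } else { $_.RegistryRights }
            '{0}: {1} {2}' -f $path, $_.AccessControlType, $rights
        }
}
```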


