[gptalk] Re: Disable script for administrator account

  • From: "Alan & Margaret" <syspro@xxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 23 Oct 2008 16:39:49 +1100

Hi Anath,

 

I would just leave them all with READ authority; unless of course you want
Enterprise Admins to also run the script, in which case you give them APPLY
authority as well.

 

 Alan Cuthbertson

  Policy Management Software (Now with ADMX and Preference support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 ADM Template Editor(Now with ADMX support):-
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: Thursday, 23 October 2008 4:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Disable script for administrator account

 


Dear Alan,

One more clarification...

There are Enterprise Admins, Enterprise Domain Controllers and  System
accounts by default in delegation, so can I remove these groups and just
keep Authenticated Users and Domain Admins group alone and give the
permissions as per your suggestion?

Thanks once again....

regards
Ananth.







On Thu, Oct 23, 2008 at 10:46 AM, Ananth Rajagopal <ananth.rg@xxxxxxxxx>
wrote:

Thank You Alan.....

It seems the obvious method.... We will get back with our feedback soon..

Thanks againg for the prompt response!! :-) Our day is just starting......

regards
Ananth.



 

On Thu, Oct 23, 2008 at 10:32 AM, Alan & Margaret <syspro@xxxxxxxxxxxxxxxx>
wrote:

Hi Anath,

 

If I understand you correctly, the critical thing is the APPLY permission.

 

If you give READ and APPLY permission to Authenticated users and DENY APPLY
to Domain Admins, everyone except Domain Admins will get it.

 

If you give READ and APPLY permission to Domain Admin, only Domain Admins
will get it.

 

Alan Cuthbertson

 

 

 Policy Management Software (Now with ADMX and Preference support):-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml>
&f=pol_summary.shtml

 

ADM Template Editor(Now with ADMX support):-

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml>
&f=adm_summary.shtml

 

Policy Log Reporter(Free)

http://www.sysprosoft.com/index.php?ref=activedir
<http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml>
&f=policyreporter.shtml

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ananth Rajagopal
Sent: Thursday, 23 October 2008 3:46 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Disable script for administrator account

 

Hi all,

We have a script to change the  usbstor registry key value to 4 and another
script to deny permissions to users from running usbstor.inf and usbstor.pnf
files.

In scope we have set "authenticated users"

If we set deny permissions to the authenticated group and full control for
Domain Administrator group. Will the script be applicable for administrator
login as well? How can I stop the script from running for an Administrator
account.

Kindly advice.

regards
Ananth.

 

 

Other related posts: