Thanks Alan! Great Help... :-)

On Thu, Oct 23, 2008 at 11:09 AM, Alan & Margaret <syspro@xxxxxxxxxxxxxxxx> wrote:

> Hi Ananth,
>
> I would just leave them all with READ authority; unless of course you want
> Enterprise Admins to also run the script, in which case you give them APPLY
> authority as well.
>
> Alan Cuthbertson
>
> Policy Management Software (Now with ADMX and Preference support):-
> http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
>
> ADM Template Editor(Now with ADMX support):-
> http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
>
> Policy Log Reporter(Free)
> http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
>
> ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* Thursday, 23 October 2008 4:22 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Re: Disable script for administrator account
>
> Dear Alan,
>
> One more clarification...
>
> There are Enterprise Admins, Enterprise Domain Controllers and System
> accounts by default in delegation, so can I remove these groups and just
> keep Authenticated Users and Domain Admins group alone and give the
> permissions as per your suggestion?
>
> Thanks once again....
>
> regards
> Ananth.
>
> On Thu, Oct 23, 2008 at 10:46 AM, Ananth Rajagopal <ananth.rg@xxxxxxxxx> wrote:
>
> Thank You Alan.....
>
> It seems the obvious method.... We will get back with our feedback soon..
>
> Thanks again for the prompt response!! :-) Our day is just starting......
>
> regards
> Ananth.
>
> On Thu, Oct 23, 2008 at 10:32 AM, Alan & Margaret <syspro@xxxxxxxxxxxxxxxx> wrote:
>
> Hi Ananth,
>
> If I understand you correctly, the critical thing is the APPLY permission.
>
> If you give READ and APPLY permission to Authenticated users and DENY APPLY
> to Domain Admins, everyone except Domain Admins will get it.
>
> If you give READ and APPLY permission to Domain Admin, only Domain Admins
> will get it.
>
> Alan Cuthbertson
>
> ------------------------------
>
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On Behalf Of* Ananth Rajagopal
> *Sent:* Thursday, 23 October 2008 3:46 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] Disable script for administrator account
>
> Hi all,
>
> We have a script to change the usbstor registry key value to 4 and another
> script to deny permissions to users from running usbstor.inf and usbstor.pnf
> files.
>
> In scope we have set "authenticated users"
>
> If we set deny permissions to the authenticated group and full control for
> Domain Administrator group, will the script be applicable for administrator
> login as well? How can I stop the script from running for an Administrator
> account?
>
> Kindly advise.
>
> regards
> Ananth.
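
The READ/APPLY filtering rule discussed in the thread above, as an added example that is not part of the original messages: a simplified Python model of GPO security filtering, not real Active Directory code. The `Ace` class, the `gpo_applies` function and the sample group memberships are constructed for illustration.

```python
from dataclasses import dataclass

READ, APPLY = "READ", "APPLY"

@dataclass(frozen=True)
class Ace:
    trustee: str        # group named in the GPO's delegation list
    right: str          # READ or APPLY
    allow: bool = True  # False models a DENY entry

def gpo_applies(token_groups, acl):
    """The GPO is processed only when the account's groups are allowed both
    READ and APPLY and no matching entry denies either (deny beats allow)."""
    groups = set(token_groups)
    matching = [ace for ace in acl if ace.trustee in groups]
    denied = {ace.right for ace in matching if not ace.allow}
    allowed = {ace.right for ace in matching if ace.allow} - denied
    return {READ, APPLY} <= allowed

# Constructed group memberships. Every logged-on domain account, admins
# included, is also a member of Authenticated Users.
USER = {"Authenticated Users", "Domain Users"}
DOMAIN_ADMIN = USER | {"Domain Admins"}
ENTERPRISE_ADMIN = USER | {"Enterprise Admins"}  # not a Domain Admin here

# "everyone except Domain Admins will get it"
EVERYONE_BUT_ADMINS = [
    Ace("Authenticated Users", READ),
    Ace("Authenticated Users", APPLY),
    Ace("Domain Admins", APPLY, allow=False),
]
# "only Domain Admins will get it"
ADMINS_ONLY = [Ace("Domain Admins", READ), Ace("Domain Admins", APPLY)]
# Follow-up question: other default groups left in place with READ only.
# READ alone grants nothing extra, but an Enterprise Admin still inherits
# APPLY through Authenticated Users unless a DENY entry covers that group.
WITH_READ_ONLY_DEFAULTS = EVERYONE_BUT_ADMINS + [Ace("Enterprise Admins", READ)]

def report(acl):
    """Return who receives the GPO under the given delegation list."""
    accounts = {"user": USER, "domain_admin": DOMAIN_ADMIN,
                "enterprise_admin": ENTERPRISE_ADMIN}
    return {name: gpo_applies(groups, acl) for name, groups in accounts.items()}

if __name__ == "__main__":
    for label, acl in [("everyone but admins", EVERYONE_BUT_ADMINS),
                       ("admins only", ADMINS_ONLY),
                       ("read-only defaults kept", WITH_READ_ONLY_DEFAULTS)]:
        print(label, report(acl))
```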