[gptalk] Re: Local User Account

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2008 09:00:25 -0800

In general, there is not much difference on XP between Power Users and
Administrators. Administrators have a few extra rights but otherwise, they
are almost the same from the perspective of needing to lock down a system.
If you are going through an effort to get to least privileged use, I would
recommend going to Users, rather than Power Users. If you need to loosen up
certain rights from there, I think it's better to go that way than to let the
user be more privileged than they need to be.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 8:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Do you suggest giving people Standard User rights (Power User) or Restricted
User rights (User Group)?  Here is what we are really looking for and our
setup.  We don't want users to be able to install software and don't want
them to have access to the root of the C: drive and most other folders on
the C: drive.  They will have access to their folder under Documents and
Settings and the temp folders and a couple other to allow programs to run.
So they won't have full access to the C: drive on their computer, only read
access.  I have locked it down using the File System and Registry settings
in Group Policy.  Ideally we would want them to be able to install local
printers, which I know is only doable as an admin or power user.  But we
would be willing to live without installing printers if the Restricted users
group is the best way to lock it down.  We have set it to not allow software
install and to not let Windows Installer work.  Any advice would be
appreciated and let me know if you need more detail.  I tried to be as
detailed as I could.     

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 10:47 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

It's a good point Andrew. Despite the pure evil nature of letting your users
be admin., there are still a lot of crappy apps (including some from MS)
that still require it, or at least a relaxing of permissions. 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew McHale
Sent: Monday, November 24, 2008 7:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan,

 

A word of warning if I may.

 

A lot of 3rd party applications require certain levels of access to the
computer. For example, our accounting package requires write access to its
own installation folder in order to save temp files.

 

Unfortunately we are like you were with the small company attitude (we total
25 people) and so everyone has local admin access to their own machine
(think happy thoughts Darren!). When I tried to take this away from a test
user the application stopped working until I gave that user specific write
permissions to this particular folder.

 

So, in short, test what will happen if you take this level of access away
from your users before you do it company wide. 250 computers all with
faulting applications would be a seriously bad day at the office for you!

 

Andrew

 

 

 

From: Ryan Bannon [mailto:ryanbannon@xxxxxxxxxxxxxxxxxxx] 
Sent: 24 November 2008 15:36
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

Very cool.  Thanks for your help.  I have been working on a new Group Policy
for our company for a few months now and I wish I would have found this
sooner.  I appreciate it.

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Check out the whitepaper on my site about GPP
(http://www.gpoguy.com/Group-Policy-Whitepapers.aspx). It's basically a
free add-on that MS provides to give you additional capabilities within GP.
However, in your scenario, if you are trying to remove a unique user account
from the local Administrator's group on each machine, GPP won't help you.
But, since your users are already administrators, you could create a simple
GP-based logon script that lets them remove themselves from local
administrators. Something like this would work:

 

Net localgroup administrators %username% /delete

 

Should work. Once the user re-logs in, then they will no longer be in Local
Administrators.

 

Darren
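
A more defensive version of the logon script suggested above, as an added example that is not part of the original message: it skips the built-in Administrator account, checks membership first so later logons are a no-op, and logs the outcome. The log path and the English group name "Administrators" are assumptions.

```bat
@echo off
rem Added example (not from the thread): wraps the command
rem   net localgroup administrators %username% /delete
rem Assumptions: log file location, English group name "Administrators".
setlocal

set "LOG=%TEMP%\remove-localadmin.log"

rem Never touch the built-in Administrator account.
if /i "%USERNAME%"=="Administrator" goto :eof

rem net localgroup lists local accounts as "name" and domain accounts
rem as "DOMAIN\name". For a local logon USERDOMAIN equals COMPUTERNAME.
set "ACCT=%USERDOMAIN%\%USERNAME%"
if /i "%USERDOMAIN%"=="%COMPUTERNAME%" set "ACCT=%USERNAME%"

rem Exact, literal, whole-line match so "jdoe" does not match "jdoe2".
net localgroup Administrators | findstr /i /x /l /c:"%ACCT%" >nul
if errorlevel 1 goto :eof

rem The user is still an administrator during this logon, so the
rem removal succeeds; it takes effect at the next logon.
net localgroup Administrators "%ACCT%" /delete >nul 2>&1
if errorlevel 1 goto failed

rem Redirection is written first so a computer name ending in a digit
rem is not parsed as a stream number.
>>"%LOG%" echo %DATE% %TIME% removed %ACCT% on %COMPUTERNAME%
goto :eof

:failed
>>"%LOG%" echo %DATE% %TIME% FAILED to remove %ACCT% on %COMPUTERNAME%
```

Accounts that are administrators only through a nested group are not listed by name in the net localgroup output, so this script leaves them untouched.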

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

For the most part everyone is a local admin.  We have had a small company
mentality for quite a while, but now we have grown pretty rapidly over the
last few years, and now are getting a larger profile in the industry, so we
wanted to lock down our PCs and not let users do that much.  So one of the
steps is not giving them local admin rights to their PCs.  So what is the
Group Policy Preferences?  Is that an add on program or snap-in?  And can
it be added after having a Group Policy already in place?

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 9:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Yes, this is a perfect job for Group Policy Preferences' Local Users and
Groups feature if you have rolled out GPP. If you haven't then you would
probably have to use a computer startup script to do it. Is the local user
account different on every machine? 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 6:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Local User Account

 

I am looking for a way to change the local user account type for our
computers.  Right now we have them as local administrators, but we want to
change that to just a local user.  We have around 250 computers, so I don't
want to have to do it manually.  Is there a way to do this with Group
Policy?

 

Thanks,

 

Ryan Bannon

IT Support Technician

Pioneer Surgical Technology

 
