Applying the Principle of Least Privilege to User Accounts on Windows XP:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

...and don't forget to read that....

Get ready for Vista's UAP.

Rimmerman, Russ wrote:

Ahh yes, we do have all users in one global group, and that global group is auto-added to every local administrators group on each PC through GPO. I guess that explains that.

------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Tim Vander Kooi
*Sent:* Tuesday, February 14, 2006 9:48 AM
*To:* [email protected]
*Subject:* RE: [ActiveDir] Local admin privileges

Being a local admin on a PC does not give them the ability to see another machine's C$ share. This would occur if you added a group (local admins) to the administrators group on all PCs and then added users to that group instead of doing it on a user by user basis. That said, I would look for any and all ways of NOT giving users local admin rights on their computers, although I know in some instances, usually due to poor coding, it can't be avoided.
Tim

------------------------------------------------------------------------
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Rimmerman, Russ
*Sent:* Tuesday, February 14, 2006 9:40 AM
*To:* [email protected]
*Subject:* [ActiveDir] Local admin privileges

Well, someone just realized that since all our users are local admins on their PCs, they can map to another user's C$ share and see all their data. They asked mgmt if they knew about that, and now of course, they're concerned about it. It's been this way for years, but I digress. SO, what is the general consensus on giving users full ability to install/remove software at will, but not allowing them to map to other PCs' c$ drives? Make everyone Power Users instead? Is there anything that they might lose from going from local admins to power users on their PCs besides this c$ mapping functionality?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



--
Letting your vendors set your risk analysis these days? http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
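
The difference discussed in the thread between nesting one global group in every PC's local Administrators group and adding users one by one can be checked on an exported membership inventory. The following is an added example, not part of the original thread; the domain, group, user and PC names are constructed, and the exempt helpdesk group is an assumption made for illustration.

```python
"""Audit model: who is effectively a local administrator on which PCs."""
# Constructed sample data (hypothetical names), not taken from the thread.
# Domain group -> direct members (users or other groups).
GROUPS = {
    "CORP\\AllUsers": {"CORP\\alice", "CORP\\bob", "CORP\\carol"},
    "CORP\\Helpdesk": {"CORP\\dave"},
}
# PC -> its primary user, used to tell "own PC" from "someone else's PC".
OWNER = {"PC-ALICE": "CORP\\alice", "PC-BOB": "CORP\\bob", "PC-CAROL": "CORP\\carol"}
# Layout A: one global group pushed into every local Administrators group.
NESTED = {pc: {"CORP\\AllUsers", "CORP\\Helpdesk"} for pc in OWNER}
# Layout B: each user added only on their own PC.
PER_USER = {pc: {user, "CORP\\Helpdesk"} for pc, user in OWNER.items()}


def expand(principal, groups, seen=None):
    """Resolve a principal to the set of users it contains, following nesting."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # a plain user account
    if principal in seen:
        return set()                # guard against circular group nesting
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def effective_admins(local_admins, groups):
    """PC -> set of users who end up in its local Administrators group."""
    return {pc: set().union(*(expand(p, groups) for p in members))
            for pc, members in local_admins.items()}


def cross_machine_admins(local_admins, groups, owner, exempt=()):
    """User -> PCs they administer that are not their own (exempt groups skipped)."""
    skip = set().union(*(expand(g, groups) for g in exempt)) if exempt else set()
    findings = {}
    for pc, users in effective_admins(local_admins, groups).items():
        for user in users - skip - {owner[pc]}:
            findings.setdefault(user, set()).add(pc)
    return findings


if __name__ == "__main__":
    for name, layout in (("nested group", NESTED), ("per-user", PER_USER)):
        print(name, cross_machine_admins(layout, GROUPS, OWNER, exempt=["CORP\\Helpdesk"]))
```

An empty result for a layout means no ordinary user holds administrator rights on a PC other than their own.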
