You could add the built-in security principal "NT AUTHORITY\INTERACTIVE" as local administrator instead of the global group. This may help stop users gaining access to each other's C$ shares but they could still log onto another user's workstation and be an administrator.

 

You said management are "concerned" and maybe that would be a good enough basis to revoke admin rights from users.

William

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 14 February 2006 19:27
To: [email protected]
Subject: RE: [ActiveDir] Local admin priviledges

 

Through the "Restricted Groups" GPO provided out of the box.  It replaces membership of groups on local desktops and/or servers with selected users/groups so that no one can modify the local administrators group without it changing back to our standard.  See http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phillip Partipilo
Sent: Tuesday, February 14, 2006 10:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Local admin priviledges

Curious, how do you do that via GPO?  A custom ADM?

Phillip Partipilo

Parametric Solutions Inc.

Jupiter, Florida

(561) 747-6107


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, February 14, 2006 11:13 AM
To: [email protected]
Subject: RE: [ActiveDir] Local admin priviledges

Ahh yes, we do have all users in one global group, and that global group is auto-added to every local administrators group on each PC through GPO.  I guess that explains that.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Tuesday, February 14, 2006 9:48 AM
To: [email protected]
Subject: RE: [ActiveDir] Local admin priviledges

Being a local admin on a PC does not give them the ability to see another machine's C$ share. This would occur if you added a group (local admins) to the administrators group on all PCs and then added users to that group instead of doing it on a user by user basis. That said, I would look for any and all ways of NOT giving users local admin rights on their computers, although I know in some instances, usually due to poor coding, it can't be avoided.

Tim

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, February 14, 2006 9:40 AM
To: [email protected]
Subject: [ActiveDir] Local admin priviledges

Well, someone just realized that since all our users are local admins on their PCs that they can map to another user's C$ share and see all their data.  They asked mgmt if they knew about that, and now of course, they're concerned about it.  It's been this way for years, but I digress.

 

SO, what is the general consensus on giving users full ability to install/remove software at will, but not allowing them to map to other PCs' c$ drives?  Make everyone Power Users instead?  Is there anything that they might lose from going from local admins to power users on their PCs besides this c$ mapping functionality?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

This communication (including any attachments) contains information which is confidential and may also be privileged.
It is for the exclusive use of the intended recipient(s).
If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information.
Instead, if you have received this communication in error, please notify the sender immediately and then destroy any copies of it.

Due to the nature of the Internet, the sender is unable to ensure the integrity of this message and does not accept any liability or responsibility for any errors or omissions (whether as the result of this message having been intercepted or otherwise) in the contents of this message.

Any views expressed in this communication are those of the individual sender, except where the sender specifically states them to be the views of the company.
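
An added example, not written by anyone in the thread: a PowerShell check that classifies the members of a workstation's local Administrators group along the lines discussed above (a domain group pushed to every PC versus NT AUTHORITY\INTERACTIVE). The function name, sample accounts and SIDs are constructed for illustration; running it against a live machine assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example: classify local Administrators members by how widely they grant admin rights.
function Get-AdminMemberFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-LocalGroupMember output: Name, SID, ObjectClass, PrincipalSource
        [Parameter(Mandatory, ValueFromPipeline)] $Member
    )
    process {
        $sid = [string]$Member.SID
        $finding = switch -Regex ($sid) {
            '^S-1-1-0$'         { 'BROAD: Everyone'; break }
            '^S-1-5-11$'        { 'BROAD: Authenticated Users'; break }
            # INTERACTIVE is only in the token of someone logged on at this machine,
            # not in a network logon such as a mapped C$ share.
            '^S-1-5-4$'         { 'CONSOLE: whoever logs on here is admin here'; break }
            '^S-1-5-21-.+-513$' { 'BROAD: Domain Users are admin here, including over the network'; break }
            '^S-1-5-21-.+-512$' { 'EXPECTED: Domain Admins'; break }
            default {
                if ($Member.ObjectClass -eq 'Group' -and "$($Member.PrincipalSource)" -eq 'ActiveDirectory') {
                    # A domain group added on every PC makes each of its members admin on every PC.
                    'REVIEW: domain group; check who is in it and where else it is deployed'
                } else {
                    'OK: individual account'
                }
            }
        }
        [pscustomobject]@{ Name = $Member.Name; SID = $sid; Finding = $finding }
    }
}

# Constructed sample data (not real accounts or SIDs).
$dom = 'S-1-5-21-1000000001-1000000002-1000000003'
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';       SID = 'S-1-5-21-2000000001-2000000002-2000000003-500'
                       ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';    SID = "$dom-512"
                       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'EXAMPLE\All Staff';        SID = "$dom-1601"
                       ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'; SID = 'S-1-5-4'
                       ObjectClass = 'Group'; PrincipalSource = 'Unknown' }
)
$sample | Get-AdminMemberFinding | Format-Table -AutoSize -Wrap

# On a live workstation (S-1-5-32-544 is the built-in Administrators group):
#   Get-LocalGroupMember -SID 'S-1-5-32-544' | Get-AdminMemberFinding
```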
