1) We do use restricted groups and we do it with local accounts. The UID is the same "local_admin" but the password is unique for each machine. Yes, I realize they can add themselves, but as I said not having it by default is a huge advantage.
2) I agree with your assessment of need. It is a political issue, not a function of special software/hardware needs in an academic environment. It might make more sense if I used the phrase academic freedom. It just simply isn't the same as a corporate environment where policy can be mandated more easily.

3) We have a number of enterprise products that have not certified IE7 yet. If we roll it out, we move into "unsupported" territory.

3a) We also need to complete our compatibility and deployment testing.

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 23, 2006 7:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

If they have local admin rights, it's a trivial task to add their non-admin (are you referring to non-domain-admin?) domain account to the local administrator's group and be done with silly restrictions. Unless you're controlling local admin group membership via GPO - but since you're using unique local administrative accounts I'm thinking you're not controlling membership via GPO.

You stated that they have local admin rights because taking them away is not an easy thing to do - since you are an academic environment. Well, I think that's a political thing, not something related to the environment you're in. Everyone "needs" admin access, just ask them. It's not just an academic thing.

Of course, you didn't ask us (or me) an opinion on admin rights. I just wanted to point out that if you have problems related to that, you might want to revisit the issue and know that [IMHO] the "need" for admin rights is not a special academic environment need.

Anyway I probably missed a post somewhere, but why the Herculean efforts to block IE7? I'm just curious.
-----------------------------------------------------------------------
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
----------------------------------------------------------------------
"I love the smell of red herrings in the morning" - anonymous

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Sunday, October 22, 2006 1:32 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Yes but my point was that the moment you decide "We're gonna give {someone} admin rights" you've totally conceded control of the machine and you're reliant on their co-operation. If someone wants IE7 on their machine in your environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with academic environments.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Being an academic environment, taking administrative rights away from users is not an easy thing to accomplish. The compromise was to have their domain account (which they are logged in as 99% of the time) a non-admin, but then give them the admin rights in the form of a separate local account unique to their workstation.

This makes them safer while browsing and requires them to go through a very conscious extra set of steps to install new hw/sw. It has worked very well, cut down on spyware/junkware as well as served as a training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the ways they can admin the system?

--
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
>
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users' domain account a "user" but give them their own
> local admin account. We use restricted groups to enforce.
>
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
>
> Are your users local admins? Only admins can approve IE7 for install.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
>
> I must be missing something, I read:
>
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media."
>
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
>
> Bryan Lucas
> Server Administrator
> Texas Christian University
> ________________________________________
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
>
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
>
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
>
> Laura
>
> ________________________________________
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
>
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
>
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)
>
> Our users are 90% XP SP2 and managed through GP. What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
>
> I want to restrict them from getting it through microsoftupdate.com as
> well.
>
> Bryan Lucas
> Server Administrator
> Texas Christian University
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/