On Thursday, December 13, 2001 6:43 PM, Gordon Rowell wrote:
> - One option is to set "domain admin group = @shared" to include all
>   users on the SME Server
>   - Question: Wouldn't that mean that any valid user could log in and
>   change any setting on the local workstation as an Administrator
>   equivalent?

Yes, which is why I will never implement this particular "fix", even though
our office runs some of the aforementioned applications.

> - Another option is to add the users to the local "Power User" group on
>   the relevant workstation.
>   - Question: Can you do this without creating a local user as well?

Yes, if local user means a user that is authenticated on the client machine
and not through the Windows Domain procedure.  The client machine
authenticating against a PDC keeps information on the privileges of the
users that log on based on the fact that they are members of the domain
admin group (which is imported into the local admin group) or members of the
domain user group (which is imported into the local user group).  To make a
domain user a power user, a local admin must add the username from the
domain account list to the local power user group.  If all the users need to
be power users, the domain user group can be added to the local power user
group to save the time of entering each individual user.  AFAIK, this would be
the same procedure with a Windows NT/2000 Server acting as a PDC.

> Proposal:
>
> - HOWTO which shows a templates-custom entry to let these apps run and
>   lists apps which may be affected (as suggested by Darrell)

This sounds good, but it should also address important security concerns
with making this change.

> - Modify the relevant template to read this parameter from the
>   configuration database in a future update, defaulting to the most
>   secure option

Also, a safe way to handle the option.

David M. Brown
Frick, Frick & Jetté Architects
[EMAIL PROTECTED]


--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
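
An added example, not part of the original thread and not SME Server's own code: a small audit that reads the [global] section of an smb.conf and reports when "domain admin group" names a broad group such as @shared. The sample files, the group sizes and the max_members threshold are constructed assumptions.

```python
import re

# Constructed sample: the setting discussed in the thread beside a narrower one.
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   domain logons = yes
   domain admin group = @shared
"""
NARROW_CONF = """\
[global]
   workgroup = EXAMPLE
   domain logons = yes
   Domain Admin Group = admin @itstaff
"""
# Hypothetical group sizes; on a real server these would come from /etc/group.
GROUP_SIZES = {"shared": 42, "itstaff": 2}


def global_params(conf_text):
    """Return [global] parameters with names lower-cased and whitespace removed,
    matching smb.conf's case- and space-insensitive parameter names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def audit_domain_admins(conf_text, group_sizes, max_members=5):
    """List (group, size) for groups granted domain admin that exceed
    max_members, or whose size is unknown (size is None)."""
    value = global_params(conf_text).get("domainadmingroup", "")
    findings = []
    for token in re.split(r"[\s,]+", value):
        if token.startswith("@"):
            size = group_sizes.get(token[1:])
            if size is None or size > max_members:
                findings.append((token, size))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("narrow", NARROW_CONF)):
        print(label, audit_domain_admins(conf, GROUP_SIZES))
```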
