This is what we ended up doing. We had many applications that require local Admin 
permission; we tried Power Users. However, this did not work; applications like Adobe 
Illustrator will have many problems. Another problem we encountered was that many of the 
editors will always ask for some add-in that was not part of the default install, and 
we had to install it for them. After discussing this with all the directors we decided 
to do the following:

On the server side:
Create a useradmin group (domain group) that we added to each workstation's 
local Administrators group, and all users are members of the useradmin domain group.

Control the Windows environment using GPO restrictions like not allowing them access to 
MMC or to open their Network Properties.

We also perform daily scans of their workstations for any applications; if anything is 
flagged during the daily scan they are disconnected from the LAN.

Our firewall has restrictions, not allowing downloads from the internet. I know they 
could bring their own software or viruses; we treat every workstation as a possible 
attacker to our server subnet.

We also keep a database of each workstation and what applications they should 
have; if they show anything different they are disconnected from the LAN.

hope this helps 
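
The daily check described in the message above (scan results compared against a per-workstation database of approved applications), as an added example that is not part of the original message. Workstation names, application lists and the function name are constructed for illustration, and an unknown workstation is assumed to be flagged as well.

```powershell
# Constructed sample data: the approved-software "database", keyed by workstation.
$baseline = @{
    'WS-EDIT-01' = @('Adobe Illustrator', 'Microsoft Office')
    'WS-ACCT-02' = @('Create-A-Check', 'Microsoft Office')
}
# Constructed sample data: what today's scan reported.
$scan = @{
    'WS-EDIT-01' = @('Adobe Illustrator', 'Microsoft Office', 'Bonzi Buddy')
    'WS-ACCT-02' = @('Create-A-Check', 'Microsoft Office')
    'WS-TEMP-09' = @('Microsoft Office')   # not present in the baseline at all
}

# Hypothetical helper: one result row per scanned workstation.
function Compare-WorkstationInventory {
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [Parameter(Mandatory)] [hashtable] $Scan
    )
    foreach ($ws in ($Scan.Keys | Sort-Object)) {
        $found    = @($Scan[$ws])
        $known    = $Baseline.ContainsKey($ws)
        $approved = if ($known) { @($Baseline[$ws]) } else { @() }

        # -notcontains is case-insensitive, so 'microsoft office' still matches.
        $unexpected = @($found    | Where-Object { $approved -notcontains $_ })
        $missing    = @($approved | Where-Object { $found    -notcontains $_ })

        [pscustomobject]@{
            Workstation = $ws
            InBaseline  = $known
            Unexpected  = $unexpected -join '; '
            Missing     = $missing -join '; '
            # Policy from the message: anything different means disconnect.
            Disconnect  = (-not $known) -or ($unexpected.Count -gt 0) -or ($missing.Count -gt 0)
        }
    }
}

Compare-WorkstationInventory -Baseline $baseline -Scan $scan | Format-Table -AutoSize
```

With the sample data, WS-EDIT-01 and WS-TEMP-09 come back with `Disconnect` set to True and WS-ACCT-02 with False.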


-----Original Message-----
From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 12:36 PM
To: NT 2000 Discussions
Subject: RE: Administrative rights


Are you / Will you be using AD ?





Joshua Morgan
PH: (864) 250-1350 Ext 133
Fax: (413) 581-4936
[EMAIL PROTECTED]



-----Original Message-----
From: Wes Owen [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 12:28 PM
To: NT 2000 Discussions
Subject: RE: Administrative rights


That is my opinion also, but when it is the application used by your company
to write checks and they don't have a replacement you are pretty much
screwed.

-----Original Message-----
From: Szlucha, Chris [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 11:26 AM
To: NT 2000 Discussions
Subject: RE: Administrative rights


Well, that's a very poorly written piece of software you're using if it
REQUIRES admin rights to run, and it's just a regular user app.  IMHO, I'd
find something else that's written properly.

-----Original Message-----
From: Wes Owen [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 12:23 PM
To: NT 2000 Discussions
Subject: RE: Administrative rights

The problem is we do not want them installing their own stuff, but the app
is insisting on admin rights just to run, or you have to open things up so
much as to make taking away the rights ineffective.

-----Original Message-----
From: Woods, Tony G AG:EX [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 11:02 AM
To: NT 2000 Discussions
Subject: RE: Administrative rights


I'm quite surprised some of you guys even allow users to install stuff on
their own. Our support staff install all software if a user needs it to do
their job. Running XP, we've had to be quite inventive to get some software
running properly without bumping up their rights on the local box. For the
most part, the Compatibility Wizard has been a gem. If that doesn't work,
opening rights within the program files or the directory it installed to or
the registry have saved us. Granted there are the guys/gals that need local
Admin rights because they're an Oracle DBA or whatever but for the most
part, a user is just that, a user.

My $.02 CDN  ;-(

Cheers,
Tony

-----Original Message-----
From: Ron Jameson [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 8:42 AM
To: NT 2000 Discussions
Subject: RE: Administrative rights


We here (in-house and with clients) are battling the same problem.  We
encounter many programs that want an admin to install (ok, the RUNAS
works) but an admin to use the damn thing!!!  These programmers are nuts if
they think we are going to give admin rights to everyone.  I end up using
regmon to find out what the program is using in the registry and give full
rights to that part of it (at least for server based programs).  Local based
issues I am still trying to find a way to cure it as you are.  Power users
group does not always work.  Grrr.

Ron Jameson
James Hamlin Consulting.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Wes Owen
Sent: Friday, March 22, 2002 10:20 AM
To: NT 2000 Discussions
Subject: RE: Administrative rights



Ok here is a specific.

3/22/02 Create-A-Check requires full permissions to the following registry
keys be granted to the user in order for it to work:

HKEY_LOCAL_MACHINE
  - SOFTWARE
      - Borland
      - CAC
      - Create-A-Check, Inc.
      - Microsoft
          - Windows and/or Windows NT (NT/2000) (make sure rights are granted
            for all noted subdirectories)
              - Current Version
                  - Setup
                      - Install Extra

User also needs full control to the c:\Program Files\Common Files\Borland
Shared\ and the subdirectories.  User also needs to be granted full control
to the network directory where Create-A-Check is installed, and all of the
subdirectories.

So if we open up the Setup key to everyone that pretty much kills much of
the reason for removing the admin rights.  I am curious how many more apps
we are going to run into that behave like this.  We have only tested around
75 of 600 applications to be tested.
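
One way to see how far keys like these have already been opened up, as an added example that is not part of the original message: list every Allow entry that gives a principal other than the usual administrative ones the right to change a key. The key list is this example's reading of the tree above, and the function name is hypothetical.

```powershell
# Key paths as read from the tree in the message; edit to match the vendor's list.
$keys = @(
    'HKLM:\SOFTWARE\Borland'
    'HKLM:\SOFTWARE\CAC'
    'HKLM:\SOFTWARE\Create-A-Check, Inc.'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
)

# Principals expected to hold write access: SYSTEM, BUILTIN\Administrators,
# CREATOR OWNER, and (on newer Windows versions) TrustedInstaller.
$trusted = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that let a principal modify the key, plus the GENERIC_ALL and
# GENERIC_WRITE bits that can appear on inheritable entries.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Hypothetical helper: emits one object per write-capable, non-trusted ACE.
function Get-NonAdminRegistryWriter {
    param([Parameter(Mandatory)] [string[]] $Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # key not present on this machine
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs rather than names so the check works on localized systems.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Key       = $p
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-NonAdminRegistryWriter -Path $keys | Format-Table -AutoSize
```

An empty result means only the trusted principals can change those keys; a row for Everyone (S-1-1-0) or Users (S-1-5-32-545) on the Setup key is the situation the message is worried about.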

-----Original Message-----
From: Ed Esgro [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 10:15 AM
To: NT 2000 Discussions
Subject: RE: Administrative rights


When you say the applications need admin rights to run. I think you may want
to be more specific about that. Admin rights include a lot of user rights.
For example: Act as part of operating system. Add workstations to domain.
Force shutdown from remote system.

So Admin rights are just way too powerful. You should try to find out what
the application needs to function properly. Admin rights is like saying you
need an airplane to get from Florida to NY, but you could really accomplish
that by taking a bus or driving a car or walking. As far as installing
applications, I would not empower anyone with this right. Just causes tons
of problems down the road. Before you know it, you have Bonzi Buddy on all
of your damn workstations.

-----Original Message-----
From: Wes Owen [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 10:46 AM
To: NT 2000 Discussions
Subject: Administrative rights

How many out there do not allow administrative rights on the client systems?

We are attempting to put all users into the Power Users group and I am sure
you can imagine the stir it is creating.  There are applications that
require admin rights not only to install, but also to run.  One of the
manufacturer's fix was to grant full rights to the Setup key, kinda defeats
the purpose don't you think?

If you do not put users in the administrative groups do you make exceptions
for support and development staff?  Do you use administrative accounts and
only give support persons rights on admin accounts or do you give their user
account all the rights?



------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to %%email.unsub%%