I will quote a Guy in the Exchange Forum "There are seldom good technological solutions to behavioral problems."
Joshua Morgan PH: (864) 250-1350 Ext 133 Fax: (413) 581-4936 [EMAIL PROTECTED] -----Original Message----- From: Wes Owen [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 1:15 PM To: NT 2000 Discussions Subject: RE: Administrative rights It is a support issue and they are not going to be in a DMZ. The problem is the developers are some of the worst when it has come to viruses and pirated software in the past. -----Original Message----- From: Rocky Stefano [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 11:45 AM To: NT 2000 Discussions Subject: RE: Administrative rights I put dev people in their own DMZ. Who cares if they can access the tools to damage something if the network won't allow it through :) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Szlucha, Chris Sent: Friday, March 22, 2002 12:51 PM To: NT 2000 Discussions Subject: RE: Administrative rights I don't know if this makes any difference, but in a past workplace, we created a second account for users who absolutely needed admin rights on a machine and suffixed the name with ADM, but the users with these accounts could only use them for the installation process or to perform whatever function they needed then they had to log out and use their regular user account for the rest of the time. This was monitored very closely by our security folks, and anyone who logged into the ADM account first thing and stayed in all day or for a longer than needed time was spoken to by management. Face it, fighting development folks is extremely difficult if not impossible. Sometimes, as hard as it is, compromise is the only way. If someone has other ideas, I'd love to hear them also, as this is a sticky wicket. -Chris -----Original Message----- From: Wes Owen [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 12:39 PM To: NT 2000 Discussions Subject: RE: Administrative rights Yes we have AD in place and have been using it. We will be implementing for several GP's as we roll out XP. Our servers are W2K which is what we have been limited to in the past as our clients are all NT 4.0. -----Original Message----- From: Morgan, Joshua [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 11:36 AM To: NT 2000 Discussions Subject: RE: Administrative rights Are you / Will you be using AD ? Joshua Morgan PH: (864) 250-1350 Ext 133 Fax: (413) 581-4936 [EMAIL PROTECTED] -----Original Message----- From: Wes Owen [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 12:28 PM To: NT 2000 Discussions Subject: RE: Administrative rights That is my opinion also, but when it is the application used by your company to write checks and they don't have a replacement you are pretty much screwed. -----Original Message----- From: Szlucha, Chris [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 11:26 AM To: NT 2000 Discussions Subject: RE: Administrative rights Well, that's an very poorly written piece of software you're using if it REQUIRES admin rights to run, and it's just a regular user app. IMHO, I'd find something else that's written properly. -----Original Message----- From: Wes Owen [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 12:23 PM To: NT 2000 Discussions Subject: RE: Administrative rights The problem is we do not want them installing their own stuff, but the app is insisting on admin rights just to run, or you have to open things up so much as to make taking away the rights ineffective. -----Original Message----- From: Woods, Tony G AG:EX [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 11:02 AM To: NT 2000 Discussions Subject: RE: Administrative rights I'm quite surprised some of you guys even allow users to install stuff on their own. Our support staff install all software if a user needs it to do their job. Running XP, we've had to be quite inventive to get some software running properly without bumping up their rights on the local box. For the most part, the Compatibility Wizard has been a gem. If that doesn't work, opening rights within the program files or the directory it installed to or the registry have saved us. Granted there are the guy/gals that need local Admin rights because they're an Oracle DBA or whatever but for the most part, a user is just that, a user. My $.02 CDN ;-( Cheers, Tony -----Original Message----- From: Ron Jameson [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 8:42 AM To: NT 2000 Discussions Subject: RE: Administrative rights We here (in-house and with clients) are battling the same problem. We encounter many of programs that want an admin to install (ok, the RUNAS works) but an admin to use the damn thing!!! These programmers are nuts if they think we are going to give admin rights to everyone. I end up using regmon to find out what the program is using in the registry and give full rights to that part of it (at least for server based programs). Local based issues I am still trying to find a way to cure it as you are. Power users group does not always work. Grrr. Ron Jameson James Hamlin Consulting. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wes Owen Sent: Friday, March 22, 2002 10:20 AM To: NT 2000 Discussions Subject: RE: Administrative rights Ok here is a specific. 3/22/02 Create-A-Check requires full permissions to the following registry keys be granted to the user in order for it to work: H_KEY_LOCAL_MACHINE -SOFTWARE -Borland -CAC -Create-A-Check, Inc. Microsoft Windows and/or Windows NT (NT/2000) (make sure rights are granted for all noted subdirectories) Current Version - Setup Install Extra User also needs full control to the c:\Program Files\Common Files\Borland Shared\ and the subdirectories. User also needs to be granted full control to the network directory where Create-A-Check is installed, and all of the subdirectories. So if we open up the Setup key to everyone that pretty much kills much of the reason for removing the admin rights. I am curious how many more apps we are going to run into the behave like this. We have only tested around 75 of 600 applications to be tested. -----Original Message----- From: Ed Esgro [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 10:15 AM To: NT 2000 Discussions Subject: RE: Administrative rights When you say the applications need admin rights to run. I think you may want to be more specific about that. Admin rights include a lot of user rights. For example; Act as part of operating system. Add workstations to domain. Force shutdown from remote system. So Admin rights are just way too powerful. You should try to find out what the application needs to function properly. Admin rights, is like saying you need an airplane to get from Florida to NY, but you could really accomplish that by taking a bus or driving a car or walking. As far as installing applications, I would not empower anyone with this right. Just causes tons of problems down the road. Before you know it, you have Bonzi Buddy on all of your damn workstations. -----Original Message----- From: Wes Owen [mailto:[EMAIL PROTECTED]] Sent: Friday, March 22, 2002 10:46 AM To: NT 2000 Discussions Subject: Administrative rights How many out there do not allow administrative rights on the client systems? We are attempting to put all users into the Power Users group and I am sure you can imagine the stir it is creating. There are applications that require admin rights not only to install, but also to run. One of the manufacturers fix was to grant full rights to the Setup key, kinda defeats the purpose don't you think? If you do not put users in the administrative groups do you make exceptions for support and development staff? Do you use administrative accounts and only give support persons rights on admin accounts or do you give their user account all the rights? This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you are NOT the intended recipient or the person responsible for delivering the e-mail to the intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to %%email.unsub%% ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
