From reading your previous replies, you don't have a lot of choices. There may be a way to run the Create-A-Check program without giving the users Local Administrator or Power User rights, but you don't know how (for now). Moreover, it seems that there are no answers from the Vendor or this forum on how to do it either. Couple this with the need to run the Create-A-Check program, which sounds like an important application in your company; it does not leave you much of a choice but to let the users have the rights (for now).
So, it seems to me the only real choice is to give them Admin rights and button down the network systems. I personally would not worry about users screwing up the workstations. You can always re-image them when the need arises. You have SMS working, so that means it's that much easier for you to do the re-imaging... so no big deal here.

The larger issue is Virus/worm/Trojan attacks. So spend time in the GPOs, etc. on getting your systems ready for the next wave of new viruses/worms/Trojans. If you can minimize the exposure then great job. If you cannot minimize the exposure then your job is to figure out a way to contain the potential damage done by users or viruses/worms/trojans to a workstation. If you can do that then you have done your job again.

Cheers,
Leonard Lee

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wes Owen
> Sent: Friday, March 22, 2002 5:02 PM
> To: NT 2000 Discussions
> Subject: RE: Administrative rights
>
> That is where we are now. Do we remove the admin rights and then use group policy to loosen things up a bit. Or do we give them admin rights and then tighten things up using GP.
>
> -----Original Message-----
> From: Leonard Lee [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 22, 2002 3:38 PM
> To: NT 2000 Discussions
> Subject: RE: Administrative rights
>
> -----Original Message-----
> From: Leonard Lee [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 22, 2002 4:35 PM
> To: 'NT 2000 Discussions'
> Subject: RE: Administrative rights
>
> Wow, sorry I missed the party guys. That's the problem when some of us have to work ;)
>
> I like the procedure that Juan Rosas has, but with a few comments of my own on the solution.
>
> The primary reason for not giving users Local Administration rights is virus/worm/trojan infection.
> If you keep this in mind then you can proceed to the next logical question, "If I cannot prevent these users from gaining Local Administrator rights, how can I further harden the workstation and my network systems to prevent/contain a possible virus/worm/trojan infection of these workstations."
>
> Look at hardening the workstation. Hardening the Internal network with stuff like Network and host based intrusion detection. The good hackers and trojan programs can get past your firewall systems.
>
> Leonard
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Juan Rosas
> > Sent: Friday, March 22, 2002 1:24 PM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > This is what we ended up doing. We had many applications that require local Admin permission; we tried power users. However, this did not work; applications like Adobe Illustrator will have many problems. Another problem we encountered was that many of the editors will always ask for some adding that was not part of the default install, and we had to install it for them. After discussing this with all the directors we decided to do the following:
> >
> > In the Server site:
> > Create a useradmin group (domain group) that we added to each workstation's Administrators local group, and all users are members of the useradmin domain group.
> >
> > Control the Windows environment using GPO restrictions like not allowing them access to MMC or to open their Network Properties.
> >
> > We also perform daily scans of their workstations for any applications; if anything is flagged during the daily scan they are disconnected from the LAN.
>
> There's a problem with the above procedure. If you were hit with a virus/Worm/trojan, a daily scan is too late.
>
> Additional safeguards should be put in place.
> For those Workstations requiring users in the local Administrators group, you may want to harden the station with additional software like Symantec Desktop Firewall. In addition, local antivirus software should be installed. You could run daily scripts to check that these applications are still running on these systems.
>
> > Our firewall has restrictions, not allowing downloads from the internet. I know they could bring their own software or viruses; we treat every workstation as a possible attacker to our server subnet.
>
> What about Email? The likelihood of infection via Email is greater than programs downloaded from the internet. By all means, keep the filters on the firewall for program downloads, but also add Email antivirus systems (i.e. SMTP scans, Mailbox - realtime scan - For Exchange systems: TrendMicro or Antigen).
>
> > We also keep a database of what each workstation and what applications they should have; if they show anything different they are disconnected from the LAN.
> >
> > hope this helps
> >
> > -----Original Message-----
> > From: Morgan, Joshua [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 12:36 PM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > Are you / Will you be using AD?
> >
> > Joshua Morgan
> > PH: (864) 250-1350 Ext 133
> > Fax: (413) 581-4936
> > [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: Wes Owen [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 12:28 PM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > That is my opinion also, but when it is the application used by your company to write checks and they don't have a replacement you are pretty much screwed.
> >
> > -----Original Message-----
> > From: Szlucha, Chris [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 11:26 AM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > Well, that's a very poorly written piece of software you're using if it REQUIRES admin rights to run, and it's just a regular user app. IMHO, I'd find something else that's written properly.
> >
> > -----Original Message-----
> > From: Wes Owen [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 12:23 PM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > The problem is we do not want them installing their own stuff, but the app is insisting on admin rights just to run, or you have to open things up so much as to make taking away the rights ineffective.
> >
> > -----Original Message-----
> > From: Woods, Tony G AG:EX [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 11:02 AM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > I'm quite surprised some of you guys even allow users to install stuff on their own. Our support staff install all software if a user needs it to do their job. Running XP, we've had to be quite inventive to get some software running properly without bumping up their rights on the local box. For the most part, the Compatibility Wizard has been a gem. If that doesn't work, opening rights within the program files or the directory it installed to or the registry have saved us. Granted there are the guys/gals that need local Admin rights because they're an Oracle DBA or whatever but for the most part, a user is just that, a user.
> >
> > My $.02 CDN ;-(
> >
> > Cheers,
> > Tony
> >
> > -----Original Message-----
> > From: Ron Jameson [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 8:42 AM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > We here (in-house and with clients) are battling the same problem. We encounter many programs that want an admin to install (ok, the RUNAS works) but an admin to use the damn thing!!! These programmers are nuts if they think we are going to give admin rights to everyone. I end up using regmon to find out what the program is using in the registry and give full rights to that part of it (at least for server based programs). Local based issues I am still trying to find a way to cure it as you are. Power users group does not always work. Grrr.
> >
> > Ron Jameson
> > James Hamlin Consulting.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wes Owen
> > Sent: Friday, March 22, 2002 10:20 AM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > Ok here is a specific.
> >
> > 3/22/02 Create-A-Check requires full permissions to the following registry keys be granted to the user in order for it to work:
> > H_KEY_LOCAL_MACHINE
> > -SOFTWARE
> > -Borland
> > -CAC
> > -Create-A-Check, Inc.
> > Microsoft
> > Windows and/or Windows NT (NT/2000) (make sure rights are granted for all noted subdirectories)
> > Current Version
> > - Setup
> > Install Extra
> >
> > User also needs full control to the c:\Program Files\Common Files\Borland Shared\ and the subdirectories. User also needs to be granted full control to the network directory where Create-A-Check is installed, and all of the subdirectories.
> >
> > So if we open up the Setup key to everyone that pretty much kills much of the reason for removing the admin rights.
> > I am curious how many more apps we are going to run into that behave like this. We have only tested around 75 of 600 applications to be tested.
> >
> > -----Original Message-----
> > From: Ed Esgro [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 10:15 AM
> > To: NT 2000 Discussions
> > Subject: RE: Administrative rights
> >
> > When you say the applications need admin rights to run, I think you may want to be more specific about that. Admin rights include a lot of user rights. For example: Act as part of operating system. Add workstations to domain. Force shutdown from remote system.
> >
> > So Admin rights are just way too powerful. You should try to find out what the application needs to function properly. Admin rights is like saying you need an airplane to get from Florida to NY, but you could really accomplish that by taking a bus or driving a car or walking. As far as installing applications, I would not empower anyone with this right. Just causes tons of problems down the road. Before you know it, you have Bonzi Buddy on all of your damn workstations.
> >
> > -----Original Message-----
> > From: Wes Owen [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, March 22, 2002 10:46 AM
> > To: NT 2000 Discussions
> > Subject: Administrative rights
> >
> > How many out there do not allow administrative rights on the client systems?
> >
> > We are attempting to put all users into the Power Users group and I am sure you can imagine the stir it is creating. There are applications that require admin rights not only to install, but also to run. One of the manufacturer's fixes was to grant full rights to the Setup key, kinda defeats the purpose don't you think?
> >
> > If you do not put users in the administrative groups do you make exceptions for support and development staff?
> > Do you use administrative accounts and only give support persons rights on admin accounts or do you give their user account all the rights?
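
The trade-off discussed in this thread (granting ordinary users full control on several HKLM keys and on the Borland Shared folder) can be audited after the fact. The PowerShell below is an added example, not part of the thread or of any poster's procedure; the path list is one reading of the key list in Wes Owen's 3/22/02 message and is an assumption, as is the helper name `Get-NonAdminWriteAce`.

```powershell
# Added example: list ACL entries that let non-administrative principals write
# to the keys and folders the vendor asked to open up.
# ASSUMPTION: this path list is one reading of the key list quoted in the thread.
$Paths = @(
    'HKLM:\SOFTWARE\Borland',
    'HKLM:\SOFTWARE\CAC',
    'HKLM:\SOFTWARE\Create-A-Check, Inc.',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup',
    'C:\Program Files\Common Files\Borland Shared'
)

# SIDs expected to hold write access: SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow changing content or permissions; 0x50000000 = GENERIC_ALL | GENERIC_WRITE.
$RegWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$FileWrite = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Generic   = 0x50000000

function Get-NonAdminWriteAce {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found: $p"; continue }
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs so the check does not depend on localized account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            if ($r.AccessControlType -ne 'Allow') { continue }
            $sid = $r.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            # Registry and file ACEs expose their rights under different properties.
            if ($r -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rights = $r.RegistryRights;   $mask = $RegWrite
            } else {
                $rights = $r.FileSystemRights; $mask = $FileWrite
            }
            if (([int]$rights -band ($mask -bor $Generic)) -eq 0) { continue }
            try   { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }   # unresolved or orphaned SID
            [pscustomobject]@{ Path = $p; Identity = $name; Rights = $rights; Inherited = $r.IsInherited }
        }
    }
}

Get-NonAdminWriteAce -Path $Paths | Sort-Object Path, Identity | Format-Table -AutoSize
```

A row for Users, Everyone or Authenticated Users on the Setup key marks a workstation where that key has been opened up in the way the thread describes.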
