You can add the local user "INTERACTIVE" to the local Administrators
group on each machine and remove all except Domain Admins. That gives
the person that is logged on locally administrative rights, but they
only have the right while they are logged on.  When you are adding the
account to the list, you have to type in "INTERACTIVE"; it is not an
option that you can select from a list. 

Greg

-----Original Message-----
From: Alexander Kha Do [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 14, 2003 3:53 PM
To: NT 2000 Discussions
Subject: RE: Remote Admin shares


You're correct.  I didn't clarify.  It's to install software and to
install local printers that we have these admin rights.  Believe me I
envy non-academic environments.  It's easier to tell people what they
can and cannot do.  And it's a very big effort to understand and try to
fix all the special software these science professors install - when you
don't have admin rights it gets nearly impossible because none of the
software is Win2K logo'ed.

As for connecting to a network printer, like I said - pulling the
"Everyone" group out of the "Access this computer from the network"
policy kills that.  Oh well, I guess I'll try calling MS but it seems
like no one knows how to help my printing problem.

ASB - got any ideas?

~Alex

-----Original Message-----
From: Lum, David [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 1:43 PM
To: NT 2000 Discussions
Subject: RE: Remote Admin shares


"Software software software" - you mean installs, right? You don't need
admin rights to share a local printer or files nor to be able to connect
to a network printer. I know I don't understand your particular
situation and no offense, but the price of everyone having local admin
rights pretty much eliminates your ability to protect the machines from
anyone except the most ignorant user.

I don't envy you guys in academics, Hara Kiri sounds like a more
pleasurable activity! "Here's your sword, eviscerate yourself but don't
bleed on the ground..."

Dave "Thank you, may I have another?" Lum - [EMAIL PROTECTED]
Sr. Network Specialist - Textron Financial 503-675-5510


-----Original Message-----
From: Alexander Kha Do [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 13:24 PM
To: NT 2000 Discussions
Subject: RE: Remote Admin shares


That just happens to be our current policy.  Software, software,
software. Plus local printers.  No we are not peer-to-peer.  I
understand the "why do you want to have everyone as local admins?"
question, but a lot of people do what we do.  Especially in academics.
We can't enforce software standards as strongly as corporate offices
can.

~Alex

-----Original Message-----
From: Lum, David [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 12:22 PM
To: NT 2000 Discussions
Subject: RE: Remote Admin shares


The solution is not to make everyone a local admin of everyone else's
PC. Why would you need/want to do this? Are you peer-to-peer? Even then
you shouldn't need to do that.

Dave Lum - [EMAIL PROTECTED]
Sr. Network Specialist - Textron Financial
503-675-5510


-----Original Message-----
From: Alexander Kha Do [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 12:15 PM
To: NT 2000 Discussions
Subject: RE: Remote Admin shares


Well here's the problem.

a) Users are local admins of EVERYONE's machines.  We used a global
group for this.

b) We found that of course they could connect to anyone's hard drive
through the C$ share.

c) We changed the group policy for "Access this computer from a network"
to Domain admins rather than everyone.

d) Step c) solved our remote access problem but caused a new one - no
one could connect to a network printer.  When someone tried to open the
printer it said "Unable to open, Access Denied."  I guess there is some
kind of reverse access permission needed when attaching to a network
printer.

So basically I wanted to see if anyone has a solution for this dilemma.
We need people to be local admins of their machines, but we don't want
them accessing other people's machines.  It's impractical to make a
specific person a local admin on each specific machine - people and
computers are too portable.  And if we fix that problem, we can't print.

~Alex

-----Original Message-----
From: Greg Eytcheson [mailto:[EMAIL PROTECTED]
Sent: Friday, March 14, 2003 11:47 AM
To: NT 2000 Discussions
Subject: RE: Remote Admin shares


As long as the workstations don't need to share printers or other file
shares, you should be able to accomplish this by revoking the "Access
this computer from a network" rights for everyone except Domain Admins.
If you are using XP (maybe W2K too), there is also an option to "Deny
access to this computer from the network" that you could add the Staff
group into.

Greg

-----Original Message-----
From: Alexander Kha Do [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 14, 2003 1:01 PM
To: NT 2000 Discussions
Subject: Remote Admin shares


If someone is a local admin of a machine, is there a way to restrict
their ability to access the c$ share of the machine?

Our situation is such that we have a "staff" group which has local admin
rights to the standard workstations. Is there any way to make it so that
they cannot UNC to the C$ of their coworkers' computers, but we can
still get in as Domain Admins?

~Alex
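
The local Administrators change suggested in the reply at the top of this thread (add INTERACTIVE, remove everything except Domain Admins), written out as an added example; it is not code from any of the posters. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, which postdate the Windows 2000/XP machines discussed here, and it keeps the built-in Administrator account (RID 500) as an assumption of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: reshape the local Administrators group as described in the thread.
# Run with -WhatIf first to see what would change without touching the group.
[CmdletBinding(SupportsShouldProcess)]
param()

$AdminsGroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$InteractiveSid = 'S-1-5-4'        # NT AUTHORITY\INTERACTIVE (well-known SID)

function Test-KeepMember {
    param([string]$Sid)
    # Keep INTERACTIVE, any domain's Domain Admins group (RID 512), and the
    # built-in Administrator (RID 500; keeping it is this example's assumption).
    return ($Sid -eq $InteractiveSid) -or
           ($Sid -match '^S-1-5-21-(\d+-){3}(512|500)$')
}

# Snapshot current membership before changing anything.
$members = @(Get-LocalGroupMember -SID $AdminsGroupSid)

# Add INTERACTIVE first so the console user never loses admin rights mid-run.
if ($members.SID.Value -notcontains $InteractiveSid) {
    if ($PSCmdlet.ShouldProcess('Administrators', 'Add NT AUTHORITY\INTERACTIVE')) {
        Add-LocalGroupMember -SID $AdminsGroupSid -Member $InteractiveSid
    }
}

# Remove every other member, including a global "staff" style group.
foreach ($m in $members) {
    if (-not (Test-KeepMember -Sid $m.SID.Value)) {
        if ($PSCmdlet.ShouldProcess('Administrators', "Remove $($m.Name)")) {
            Remove-LocalGroupMember -SID $AdminsGroupSid -Member $m.SID.Value
        }
    }
}

# Report the resulting membership for review.
Get-LocalGroupMember -SID $AdminsGroupSid |
    Select-Object Name, SID, PrincipalSource
```

Because INTERACTIVE is only present in the token of a user logged on at the console, a staff account connecting to `\\machine\C$` over the network is not treated as an administrator, while Domain Admins still are.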
