No its not. Of the ~600 employees I support, eliminate 100+ developers, 125+ customer support techs, another 75+ systems engineers, and a handful of others...
Wow - I can lock down the 30 people in accounting and the 45 sales people. Big whoopie. -------------------------------------------------------------- Roger D. Seielstad - MCSE Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Alexander Kha Do [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 4:53 PM > To: NT 2000 Discussions > Subject: RE: Remote Admin shares > > > You're correct. I didn't clarify. It's to install software > and to install local printers that we have these admin > rights. Believe me I envy non-academic environments. It's > easier to tell people what they can and cannot do. And it's > a very big effort to understand and try to fix all the > special software these science professors install - when you > don't have admin rights it gets nearly impossible because > none of the software is Win2K logo'ed. > > As for connect to a network printer, like I said - pulling > the "Everyone" group out of the "Access this computer from > the network" policy kills that. Oh well, I guess I'll try > calling MS but it seems like no one knows how to help my > printing problem. > > ASB - got any ideas? > > ~Alex > > -----Original Message----- > From: Lum, David [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 1:43 PM > To: NT 2000 Discussions > Subject: RE: Remote Admin shares > > > "Software software software" - you mean installs, right? You > don't need admin rights to share a local printer or files nor > to be able to connect to a network printer. I know I don't > understand you're particular situation and no offense, but > the price of everyone having local admin rights pretty much > eliminates your ability to protect the machines from anyone > except the most ignorant user. > > I don't envy you guys in academics, Hara Kiri sounds like a > more pleasurable activity! "Here's your sword, eviscerate > yourself but don't bleed on the ground..." > > Dave "Thank you, may I have another?" Lum - > [EMAIL PROTECTED] Sr. Network Specialist - Textron > Financial 503-675-5510 > > > -----Original Message----- > From: Alexander Kha Do [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 13:24 PM > To: NT 2000 Discussions > Subject: RE: Remote Admin shares > > > That just happens to be our current policy. Software, > software, software. Plus local printers. No we are not > peer-to-peer. I understand the "why do you want to have > everyone as local admins?" question, but a lot of people do > what we do. Especially in academics. We can't enforce > software standards as strongly as corporate offices can. > > ~Alex > > -----Original Message----- > From: Lum, David [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 12:22 PM > To: NT 2000 Discussions > Subject: RE: Remote Admin shares > > > The solution is not to make everyone a local admin of > everyone else's PC. Why would you need/want to do this? Are > you peer-to-peer? Even then you shouldn't need to do that. > > Dave Lum - [EMAIL PROTECTED] > Sr. Network Specialist - Textron Financial > 503-675-5510 > > > -----Original Message----- > From: Alexander Kha Do [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 12:15 PM > To: NT 2000 Discussions > Subject: RE: Remote Admin shares > > > Well here's the problem. > > a) Users are local admins of EVERYONE's machines. We used a > global group for this. > > b) We found that of course they could connect to anyone's > hard drive through the C$ share. > > c) We changed the group policy for "Access thes computer from > a network" to Domain admins rather than everyone. > > d) Step c) solved our remote access problem but caused a new > one - no one could connect to a network printer. When > someone tried to open the printer it said "Unable to open, > Access Denied." I guess there is some kind of reverse access > permission needed when attaching to a network printer. > > So basically I wanted to see if anyone has a solution for > this dilemma. We need people to be local admins of their > machines, but we don't want them accessing other people's > machines. It's impractical to make a specific person a local > admin on each specific machine - people and computers are too > portable. And if we fix that problem, we can't print. > > ~Alex > > -----Original Message----- > From: Greg Eytcheson [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 11:47 AM > To: NT 2000 Discussions > Subject: RE: Remote Admin shares > > > As long as the workstations don't need to share printers or > other file shares, you should be able to accomplish this by > revoking the "Access this computer from a network" rights for > everyone except Domain Admins. If you are using XP (maybe W2K > too), there is also an option to "Deny access to this > computer from the network" that you could add the Staff group into. > > Greg > > -----Original Message----- > From: Alexander Kha Do [mailto:[EMAIL PROTECTED] > Sent: Friday, March 14, 2003 1:01 PM > To: NT 2000 Discussions > Subject: Remote Admin shares > > > If someone is a local admin of a machine, is there a way to > restrict their ability to access the c$ share of the machine? > > Our situation is such that we have a "staff" group which has > local admin rights to the standard workstations. Is there any > way to make it so that they cannot UNC to the C$ of their > coworkers' computers, but we can sitll get in as Domain Admins? > > ~Alex > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to %%email.unsub%% > ------ You are subscribed as [EMAIL PROTECTED] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
