Quite right... back in the NT4 days we got around this by writing admin wrappers that let non-admins elevate themselves for certain tasks. I still have a few old Citrix-based apps where users need to launch them with admin rights and I get around this now by using CPAU, which is a bit fiddly to get working but does the job and costs nothing (http://www.joeware.net/freetools/tools/cpau/).

2008/12/11 Free, Bob <[email protected]>

> That covers one element of it from a technical standpoint but my primary
> point (which I could have stated much clearer) was that if they are
> administrators on the box they can do anything they want. Regardless of what
> you or I put in a GPO it is relatively trivial to get around it for a
> determined person that already has administrative rights.
>
> *From:* James Rankin [mailto:[email protected]]
> *Sent:* Thursday, December 11, 2008 2:25 AM
> *To:* NT System Admin Issues
> *Subject:* Re: deny restart local policy?
>
> just apply a group policy that enforces the SeShutdownPrivilege not to be
> applied to local administrators, but to a domain group instead. We used to
> have to do this when we were responsible for controlling a domain with
> administrators who thought they had the God-given right to take things
> offline that were governed by our SLAs. However, you might want to set up
> and add to this GPO a local user account that can shut down the system as
> well, just in case you lose domain connectivity and find yourself with a
> system you can't restart - although there is always the power cord, or
> RIB/DRAC/ILO reset function....
>
> 2008/12/10 Free, Bob <[email protected]>
>
> SeShutdownPrivilege (Shut down the system) allows a user to restart,
> sleep, or shutdown the computer.
>
> Be aware that administrators are also granted SeRemoteShutdownPrivilege
> (Force shutdown from a remote system) by default.
>
> That said, I'm not sure how you are going to accomplish this if the
> users have local admin rights.
>
> -----Original Message-----
> From: Rick Berry [mailto:[email protected]]
> Sent: Wednesday, December 10, 2008 11:45 AM
> To: NT System Admin Issues
> Subject: deny restart local policy?
>
> does the Local Policy/User Rights Assignment/Shut Down The System part
> of policy encompass a restart as well as shutdown?
>
> need to deny folks on a particular TS box that require local admin
> rights the ability to reboot it.
>
> i don't recall if explicit denial of "shut down the system" also means
> "you can't reboot it either sucka"
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
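
An added example, not part of the thread: a check over a `secedit /export /cfg` security template that reports whether local Administrators still hold the two shutdown rights named above, and whether a local fallback account kept SeShutdownPrivilege. The two templates, the domain group SID and the `breakglass` account name are constructed placeholders; since a local administrator can re-grant the right, this is useful mainly for spotting drift from the GPO.

```python
# Added example (not from the thread): audit the [Privilege Rights] section of
# a `secedit /export /cfg` template. Both templates below are constructed.
ADMINS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
SHUTDOWN_RIGHTS = ("SeShutdownPrivilege", "SeRemoteShutdownPrivilege")
DOMAIN_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-5001"  # placeholder

DEFAULT_LIKE = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *{ADMINS},*S-1-5-32-551
SeRemoteShutdownPrivilege = *{ADMINS}
[Version]
signature="$CHICAGO$"
"""

RESTRICTED = f"""[Privilege Rights]
SeShutdownPrivilege = *{DOMAIN_GROUP},breakglass
SeRemoteShutdownPrivilege = *{DOMAIN_GROUP}
"""


def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; some accounts appear by name.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights


def audit_shutdown_rights(text, fallback=None):
    """List findings; `fallback` is the local account expected to keep the right."""
    rights, findings = parse_privilege_rights(text), []
    for right in SHUTDOWN_RIGHTS:
        holders = [h.lower() for h in rights.get(right, [])]
        if ADMINS.lower() in holders or "administrators" in holders:
            findings.append(f"{right}: granted to local Administrators")
    local = [h.lower() for h in rights.get("SeShutdownPrivilege", [])]
    if fallback and fallback.lower() not in local:
        findings.append(f"SeShutdownPrivilege: fallback '{fallback}' missing")
    return findings


if __name__ == "__main__":
    for label, inf in (("default-like", DEFAULT_LIKE), ("restricted", RESTRICTED)):
        print(label, audit_shutdown_rights(inf, fallback="breakglass"))
```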
