fileacl.exe on a USB stick? Heh.

On Thu, Apr 23, 2009 at 00:34, James Rankin <[email protected]> wrote:
> Yes, but if they get around the restrictions that I have implemented, then
> they can have a job :-) They can't change the false proxy because they are
> locked out of the inetcpl.cpl, the regedit tool and the reg.exe tool via
> NTFS permissions. And they can't change the NTFS permissions on the files
> because they are locked out of rshx32.dll and cacls.exe via NTFS
> permissions. There is probably a way around it, but even if they do get
> around it, WebSense will alert me straight away to the traffic flowing from
> these hosts, in which case I can go and offer them a post in first-line
> support.
>
> 2009/4/23 Ken Schaefer <[email protected]>
>>
>> If they are administrators, they can defeat GPOs given sufficient
>> knowledge...
>>
>> Cheers
>> Ken
>>
>> ________________________________
>> From: James Rankin [[email protected]]
>> Sent: Thursday, 23 April 2009 5:12 PM
>> To: NT System Admin Issues
>> Subject: Re: Restricted groups, where have you been....
>>
>> For those who can remember the NT4 days, GPOs as a whole are an awesome
>> admin tool. When I managed an NT4 network with 10,000 users I actually had
>> batch scripts running overnight that reset the user rights on all DCs and
>> member servers, checked the local group memberships and altered them back
>> to a default if they'd changed. Group Policy finally made my life easy.
>>
>> I just recently implemented a group policy that blocks internet access on
>> our few scanning workstations even though the users are admins...a
>> combination of a false proxy and restrictive file permissions on
>> inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the trick.
>> Power is great!!!!
>>
>> 2009/4/22 David Lum <[email protected]>
>>>
>>> …all my life! We are just getting to use this feature and it’s DA BOMB!
>>> Being able to add users to local groups w/out affecting the existing
>>> memberships is awesome!
>>>
>>> We are narrowing down how many Domain Admins we have and this feature is
>>> *hugely* helpful in delegating to non domain admins.
>>>
>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
