They don't even need to be local admins, if you're not whitelisting your apps
http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx

But the point is valid, if they are clued up and/or determined enough to go this route, then they really need to be given a job in the IT department or dismissed :-)

2009/4/24 Kennedy, Jim <[email protected]>

> Not giving you a hard time, your point is valid but in our environment a
> user doing what you describe will get you fired, or expelled if you are a
> student. At every login all our users agree not to do the kinds of things
> you describe, and anyone doing so knows very well they are far over the
> line.
>
> Not that our users are local admins.
>
> *From:* Ken Schaefer [mailto:[email protected]]
> *Sent:* Thursday, April 23, 2009 8:18 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Restricted groups, where have you been....
>
> But in James' case, I can just bring my own copy of cacls.exe (or have a
> scheduled job to make a copy of the existing one) and unless SeTakeOwnership
> Privilege is removed from the Administrators group I can then get
> permissions back to everything that he's just removed.
