On 21 Mar 2013 at 8:14, Gerry Reno wrote: > On 03/21/2013 05:29 AM, L.P.H. van Belle wrote: > > DONT DO IT !! > > > > This is Administrators 1ste rule !! > > NEVER, but then NEVER giver users Administrator/PowerUser rights. > > > > Do not give the users ability to install software, wrong wrong... > > > > This is you trojans/Virussus etc come in your computer. > > > > and if you do give these rights, > > Do not install Adobe Flash, Adobe Reader, Java. ( especialy Java ) > > > > > > Its simpel, without Admin rights on users, you pc is about 90% more safer. > > if you also remove flash java adobe, you are about 99,5% safe. > > > > If you have an application which needs extra rights. > > Do it save, how... > > > > 1 create a network group voor this App.. example PHOTOSHOPRIGHTS > > > > Set in het registry, on the photoshop, the domain group to able to write. > > ( if needed, us a monitor tool to look which registry things need write > > access ) > > > > Set on the folder ) c:\program files\Photoshop ) the domain group to write. > > > > Now you have a hole on the pc, but no trojan/virus is able to install > > itself. > > > > Good luck. > > > > Louis > > > > > > I would agree, Louis. > > Giving out local admin rights is pretty much sysadmin suicide. > Hasn't been yet, in 15 years of running a network that I built myself. I know the risks. Sometimes, bad things happen. They're not the end of the world. The stuff that needs to be protected is protected. That's why I need to give users *local* admin rights. The easy way would have been to make them all administrators, but I need them to *not* have domain admin rights for the very reasons you mention. If a particular machine gets toasted, it gets wiped and reinstalled. Takes a couple of hours, nothing that matters is lost, and everything is fine. Been there many times.
And we *can't* run our business without using certain software and web sites that were made by people who, let's be polite, made some design choices I wouldn't have made, that necessitate this. Not everybody has the luxury of using purely technical criteria to decide what the "right" way to do things is. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba