restrict power user

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Does anyone know what group policy setting or a registry change that I could
make to prevent a power user from creating user accounts?

Arc J. Thames
MCSE/MCSA 2k/2k3 MCT
4 answers Last reply
More about restrict power user
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Arc,

    I was looking through the KB articles trying to come up with an answer -- I
    was first thinking this could be done with one of the Local Security Policy
    settings but I am not finding it. I did find a good article on exactly
    what a Power User has rights to
    (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/secur
    ity/secdefs.mspx#ECAA)

    but nothing that specifically addresses your problem. Sorry. Anyone else?

    --
    Ryan Hanisco
    MCSE, MCDBA
    Flagship Integration Services

    "Arc J. Thames" <revarcjt@hotmail.com> wrote in message
    news:O0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
    > Does anyone know what group policy setting or a registry change that I
    could
    > make to prevent a power user from creating user accounts?
    >
    > Arc J. Thames
    > MCSE/MCSA 2k/2k3 MCT
    >
    >
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Ok... reading that further answers the question... you can't:

    [Power Users can]Create local users and groups.

    . Modify users and groups that they have created.

    . Create and delete non-admin file shares.

    . Create, manage, delete and share local printers.


    All other additional rights, such as Change System Time, or Stop and Start
    non-autostarted services, can be reconfigured for the Power User by
    modifying the appropriate user rights or configuring the appropriate ACL.

    Since there is no way to disable the built-in permissions allotted to Power
    Users, administrators who need to support non-certified legacy applications
    must loosen up the permissions allotted to members of the Users group to the
    point where their installed base of applications can be successfully run.
    The Windows 2000 operating system includes a security template for precisely
    this purpose. The template is named compatws.inf and can be found in the
    %windir%\security\templates directory. The template can be applied to a
    system using the Security Configuration Toolset. For example, the
    secedit.exe command line component of the Toolset can apply the template as
    follows:


    --
    Ryan Hanisco
    MCSE, MCDBA
    Flagship Integration Services

    "Ryan Hanisco" <rhanisco@flagshipis.com> wrote in message
    news:ueZLbAI6EHA.2876@TK2MSFTNGP12.phx.gbl...
    > Arc,
    >
    > I was looking through the KB articles trying to come up with an answer --
    I
    > was first thinking this could be done with one of the Local Security
    Policy
    > settings but I am not finding it. I did find a good article on exactly
    > what a Power User has rights to
    >
    (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/secur
    > ity/secdefs.mspx#ECAA)
    >
    > but nothing that specifically addresses your problem. Sorry. Anyone
    else?
    >
    > --
    > Ryan Hanisco
    > MCSE, MCDBA
    > Flagship Integration Services
    >
    > "Arc J. Thames" <revarcjt@hotmail.com> wrote in message
    > news:O0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
    > > Does anyone know what group policy setting or a registry change that I
    > could
    > > make to prevent a power user from creating user accounts?
    > >
    > > Arc J. Thames
    > > MCSE/MCSA 2k/2k3 MCT
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Set permissions in AD, depending on your design hierarchy you can be very
    granular on what a user can and can't do.

    Regards,
    /Jimmy
    --
    Jimmy Andersson, Q Advice AB
    Microsoft MVP - Directory Services
    ---------- www.qadvice.com ----------


    "Arc J. Thames" <revarcjt@hotmail.com> wrote in message
    news:O0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
    > Does anyone know what group policy setting or a registry change that I
    > could
    > make to prevent a power user from creating user accounts?
    >
    > Arc J. Thames
    > MCSE/MCSA 2k/2k3 MCT
    >
    >
  4. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@mvps.org> wrote in message
    news:#F$cm3F6EHA.1596@tk2msftngp13.phx.gbl...
    > Set permissions in AD, depending on your design hierarchy you can be very
    > granular on what a user can and can't do.

    Except the Power User group is strictly a Computer
    local group and so any accounts being created by
    members of that group would necessarily be on
    the individual computers.

    There is likely no (convenient) way to have a
    Power User privileges decreased so the answer
    becomes "remove them from Power Users" and
    perhaps use the CompatWS.inf Security Template
    to relax the restrictions.

    Or he should tell us the reason they were made
    Power Users to start.
Ask a new question

Read More

Microsoft Power Active Directory Windows