Sign in with
Sign up | Sign in
Your question

restrict power user

Last response: in Windows 2000/NT
Share
Anonymous
December 22, 2004 11:54:35 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Does anyone know what group policy setting or a registry change that I could
make to prevent a power user from creating user accounts?

Arc J. Thames
MCSE/MCSA 2k/2k3 MCT

More about : restrict power user

Anonymous
December 22, 2004 8:43:56 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Arc,

I was looking through the KB articles trying to come up with an answer -- I
was first thinking this could be done with one of the Local Security Policy
settings but I am not finding it. I did find a good article on exactly
what a Power User has rights to
(http://www.microsoft.com/technet/prodtechnol/windows200...
ity/secdefs.mspx#ECAA)

but nothing that specifically addresses your problem. Sorry. Anyone else?

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Arc J. Thames" <revarcjt@hotmail.com> wrote in message
news:o 0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
> Does anyone know what group policy setting or a registry change that I
could
> make to prevent a power user from creating user accounts?
>
> Arc J. Thames
> MCSE/MCSA 2k/2k3 MCT
>
>
Anonymous
December 22, 2004 8:53:50 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Ok... reading that further answers the question... you can't:

[Power Users can]Create local users and groups.

. Modify users and groups that they have created.

. Create and delete non-admin file shares.

. Create, manage, delete and share local printers.


All other additional rights, such as Change System Time, or Stop and Start
non-autostarted services, can be reconfigured for the Power User by
modifying the appropriate user rights or configuring the appropriate ACL.

Since there is no way to disable the built-in permissions allotted to Power
Users, administrators who need to support non-certified legacy applications
must loosen up the permissions allotted to members of the Users group to the
point where their installed base of applications can be successfully run.
The Windows 2000 operating system includes a security template for precisely
this purpose. The template is named compatws.inf and can be found in the
%windir%\security\templates directory. The template can be applied to a
system using the Security Configuration Toolset. For example, the
secedit.exe command line component of the Toolset can apply the template as
follows:


--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Ryan Hanisco" <rhanisco@flagshipis.com> wrote in message
news:ueZLbAI6EHA.2876@TK2MSFTNGP12.phx.gbl...
> Arc,
>
> I was looking through the KB articles trying to come up with an answer --
I
> was first thinking this could be done with one of the Local Security
Policy
> settings but I am not finding it. I did find a good article on exactly
> what a Power User has rights to
>
(http://www.microsoft.com/technet/prodtechnol/windows200...
> ity/secdefs.mspx#ECAA)
>
> but nothing that specifically addresses your problem. Sorry. Anyone
else?
>
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "Arc J. Thames" <revarcjt@hotmail.com> wrote in message
> news:o 0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
> > Does anyone know what group policy setting or a registry change that I
> could
> > make to prevent a power user from creating user accounts?
> >
> > Arc J. Thames
> > MCSE/MCSA 2k/2k3 MCT
> >
> >
>
>
Related resources
Anonymous
December 22, 2004 11:35:07 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Set permissions in AD, depending on your design hierarchy you can be very
granular on what a user can and can't do.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


"Arc J. Thames" <revarcjt@hotmail.com> wrote in message
news:o 0j0k2D6EHA.3368@TK2MSFTNGP10.phx.gbl...
> Does anyone know what group policy setting or a registry change that I
> could
> make to prevent a power user from creating user accounts?
>
> Arc J. Thames
> MCSE/MCSA 2k/2k3 MCT
>
>
Anonymous
December 22, 2004 11:35:08 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@mvps.org> wrote in message
news:#F$cm3F6EHA.1596@tk2msftngp13.phx.gbl...
> Set permissions in AD, depending on your design hierarchy you can be very
> granular on what a user can and can't do.

Except the Power User group is strictly a Computer
local group and so any accounts being created by
members of that group would necessarily be on
the individual computers.

There is likely no (convenient) way to have a
Power User privileges decreased so the answer
becomes "remove them from Power Users" and
perhaps use the CompatWS.inf Security Template
to relax the restrictions.

Or he should tell us the reason they were made
Power Users to start.
!