Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Cary,
Thanks for your explanation. Actually I was managing
Windows 2000 network for a year. In the last year I try
to set user just the User, not local admin but since that
I get a lot of complain from my user until I set back
them as local admin.
This Week I try to remove them from local user again
after I (little) understand how to using GPO to manage
user. But this 3 days I get alot of complain again like:
1. Some user cannot open email attachment like Winzip,
jpg because registration error when try to open using MS
Picture Manager.
2. One of my user still using DOS application and that
mean I have to set printer to LPT1 using NET USE command.
It's ask for user and password but not if I set as local
admin.
3. My mobile user cannot change their IP when they go to
the branch which is still using static IP.
That what I get for three days. So, May be you can give
another solution the best setting for User?
Best Regards,
Cahya
>-----Original Message-----
>Cahya,
>
>As the other two posters have already pointed out, how
exactly do you plan
>to accomplish something like this? If the domain user
account object is a
>member of the computer's local Administrators group how
do think that the
>domain user account could be prevented from installing
software on that
>machine? If your domain user account object is a member
of the local
>Administrators group then you have all of the
permissions to the file
>directory and registry that are necessary to install
software as it is the
>permissions to the file directory and registry that is
preventing the domain
>user account object from installing software in the
first place.
>
>I am not sure if you know that by default the Domain
Users group is a member
>of the Users local group on all WIN2000 and WIN XP Pro
systems. And,
>naturally, all domain user account objects - save a few -
are members of the
>Domain Users group. This ( the local Users group ) is a
very restrictive
>group.
>
>As both of the previous posters have correctly asked,
what is it that you
>are trying to accomplish? We might be able to help you
get to where you are
>trying to get without having to do something that is
going to ultimately
>cause you a whole bunch of problems. I speak from
experience ( where I
>used to work - in a 300+ environment - my colleagues
would often log on as
>local Administrator and change the local group
membership of the domain user
>account object from Power Users to Administrators and
forget to change that
>back when they were finished.....lots of stupid things
happened on those
>systems, like people deleting their FONTS folder in
order to make more room
>for their music files or, er, 'pictures'. And that is a
tame example of
>what sort of thing would happen ).
>
>You could also go to
http://www.sysinternals.com and use
both filemon and
>regmon to see what registry entry / entries are causing
your a problem (
>assuming that you are trying to install software and are
being told that you
>have to be a member of the local Administrators to do
so ).
>
>HTH,
>
>Cary
>
>
>
>"Cahya" <anonymous@discussions.microsoft.com> wrote in
message
>news:3de901c4ac5e$5fe01200$a501280a@phx.gbl...
>> Dear,
>>
>> I want make all user as local administrator member but
>> want to prevent them to install new software in their
PC.
>>
>> What's setting I have to change in GPO?
>>
>> Thanks,
>> Cahya
>
>
>.
>