Domain users = local administrator

Archived from groups: microsoft.public.win2000.security

Hello

I thought it was a good solution to set all the domain users to be local
administrators by using the KB320065. I wanted here to get over all those
application installation problems that could occur when a user is not a
member of the administrators group. But I realize now that there is a big
trouble with it: users are also administrators of member servers...

So what is the good configuration for domain users, permitting them to
install applications on their local computer without having any problem (we
use Zenworks, a software that has approximately the same functions as
SMS) without giving them administrative rights on member servers?

In other words, what are the rights of the domain users on their local
workstation? And are these rights enough?

Thanks for any reply
Nicolas

One common solution is to deliver the software with
user publication in AD. When combined with allowing
MS Installer service to use elevated privs, this lets the
users install the published software even though they
are only limited accounts.
Letting everyone be an admin is not a good idea even
though it addresses the one issue you face.
Your use of the KB
http://support.microsoft.com/?id=320065
could have been customized by selection of what machine
objects you placed into the OU to which the GPO delivering
the restricted group definition was linked. I.e. if you do not
want the member servers impacted then move them out of
the management scope of this GPO.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Nicolas Heyer" <NicolasHeyer@discussions.microsoft.com> wrote in message
news:030EA87C-237D-4763-807E-F3F812250355@microsoft.com...
> Hello
>
> I thought it was a good solution to set all the domain users to be local
> administrators by using the KB320065. I wanted here to get over all those
> application installation problems that could occur when a user is not a
> member of the administrators group. But I realize now that there is a big
> trouble with it: users are also administrators of member servers...
>
> So what is the good configuration for domain users, permitting them to
> install applications on their local computer without having any problem (we
> use Zenworks, a software that has approximately the same functions as
> SMS) without giving them administrative rights on member servers?
>
> In other words, what are the rights of the domain users on their local
> workstation? And are these rights enough?
>
> Thanks for any reply
> Nicolas
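
A local audit for the problem raised in this thread, as an added example that is not part of the original posts: it reports whether Domain Users sits in the local Administrators group and whether the machine is a server, so it can be run on machines inside and outside the GPO's scope to confirm the restricted group only reaches workstations. It assumes PowerShell 5.1 or later with the LocalAccounts module; the function name `Test-DomainUsersLocalAdmin` and the sample SIDs are constructed for illustration.

```powershell
# Added example, not from the thread. Function name and sample SIDs are constructed.
function Test-DomainUsersLocalAdmin {
    param(
        [string[]]$MemberSid,  # SIDs of the local Administrators group members
        [int]$ProductType      # Win32_OperatingSystem.ProductType: 1, 2 or 3
    )
    # Domain Users is the well-known domain-relative RID 513.
    $hits = @($MemberSid | Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-513$' })
    $role = switch ($ProductType) {
        1 { 'Workstation' }
        2 { 'DomainController' }
        3 { 'MemberServer' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Role               = $role
        DomainUsersIsAdmin = $hits.Count -gt 0
        # The case the thread warns about: the group reached a non-workstation.
        ServerExposed      = ($hits.Count -gt 0) -and ($ProductType -ne 1)
    }
}

# Constructed sample: a member server whose Administrators group holds
# Domain Admins (RID 512) and Domain Users (RID 513).
$sample = 'S-1-5-21-1111111111-2222222222-3333333333-512',
          'S-1-5-21-1111111111-2222222222-3333333333-513'
Test-DomainUsersLocalAdmin -MemberSid $sample -ProductType 3

# Live check on the local machine (Windows only).
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    try {
        # S-1-5-32-544 is BUILTIN\Administrators, whatever its localized name.
        $live = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop |
                  ForEach-Object { $_.SID.Value })
        $type = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
        Test-DomainUsersLocalAdmin -MemberSid $live -ProductType $type
    } catch {
        # Get-LocalGroupMember can fail when the group holds an unresolvable SID.
        Write-Warning "Could not enumerate local Administrators: $_"
    }
}
```

The check only sees direct membership; Domain Users nested inside another group that is itself a local administrator will not be flagged.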