Please help, I have a setup of Win XP Pro SP2 where Power Users can
enable/disable devices in the Device Manager, which I absolutely want
to prevent.

I suppose that's not a standard setup for WinXP, but I cannot find how
to change the security restrictions of Device Manager.

Excuse me if it's a trivial question, but it's an urgent matter and I
didn't manage to find a helpful answer in groups and websites.

Thank you,
/_urka

In news:(E-Mail Removed),
Lurka <(E-Mail Removed)> typed:
> Please help, I have a setup of Win XP Pro SP2 where Power Users can
> enable/disable devices in the Device Manager, which I absolutely want
> to prevent.
>
> I suppose that's not a standard setup for WinXP, but I cannot find how
> to change the security restrictions of Device Manager.
>
> Excuse me if it's a trivial question, but it's an urgent matter and I
> didn't manage to find a helpful answer in groups and websites.
>
> Thank you,
> /_urka

First question is, why do these users belong to the Power Users group? There
may be other ways to accomplish what you / they need - and that won't
involve your having to poke around in security policies changing granular
settings (presuming you even can).

Lanwench [MVP - Exchange] wrote:
> First question is, why do these users belong to the Power Users group?

Because some custom apps won't work as restricted user.
In any case, I found it: the "load and unload device drivers" setting
under User Rights Assignment. I restricted it to admins only. It was
trivial, after all.

Thanks anyway,
/_urka

In news:(E-Mail Removed),
Lurka <(E-Mail Removed)> typed:
> Lanwench [MVP - Exchange] wrote:
>> First question is, why do these users belong to the Power Users
>> group?
>
> Because some custom apps won't work as restricted user.
> In any case, I found it: the "load and unload device drivers" setting
> under User Rights Assignment. I restricted it to admins only. It was
> trivial, after all.
>
> Thanks anyway,
> /_urka

OK - another option would be to figure out what these custom apps expect the
user to be able to modify/write to. FileMon and RegMon from
www.sysinternals.com will help immensely. I prefer not to give users
anything other than user rights....there's a ton of stuff they could
accidentally, or deliberately, muck up even with Power User rights.

Lanwench [MVP - Exchange] wrote:
> anything other than user rights....there's a ton of stuff they could
> accidentally, or deliberately, muck up even with Power User rights.

I sadly know. Malware and crapware roam freely, but defining granular
security in folders and registry for all the standard and custom apps
would be even more troublesome. Corporate policy allows access to the
device manager, only this time I needed to restrict the device manager
for a special purpose.

Goodbye,
/_urka

Hi Lurka

You should be able to get a fair bit of control by implementing group
policies from your server

I am an administrator with lots of legacy applications like you and I
have to grant Power User rights. I find group policies to be highly
effective in removing access to features that users shouldn't be
touching.

There's lots of material out there on the Internet about policies,
including:
http://www.windowsecurity.com/articl...ain-Part1.html

Group policies don't solve every problem - sometimes it's necessary to
block read access for certain groups to specific programs as well
(using XCACLS), but only trial and error will tell you what you need to
do

Good luck

Peter

Lurka wrote:
> Lanwench [MVP - Exchange] wrote:
> > anything other than user rights....there's a ton of stuff they could
> > accidentally, or deliberately, muck up even with Power User rights.
>
> I sadly know. Malware and crapware roam freely, but defining granular
> security in folders and registry for all the standard and custom apps
> would be even more troublesome. Corporate policy allows access to the
> device manager, only this time I needed to restrict the device manager
> for a special purpose.
>
> Goodbye,
> /_urka