MT DOJ Help Desk
We have recently upgraded our computers to XP, and now we are in the process
of creating user accounts. We have two machines that are shared by a number
of employees. Because of the nature of our work, each user account on these
two machines needs to have administrative privileges. However, with
administrative privileges also comes the ability to create, edit, and
delete accounts, which we would like to lock down so that only one user can
do those things.
I've tried removing the Administrators group from the permissions on
compmgmt.msc and mmc.exe, and then adding a specific user account to the
permissions on those files, and that does make it hard enough to access the
Computer Management tool that most of our users won't be able to get past
those measures. However, no matter what I tried, I found that I could
always find a way to get into Computer Management. When signed on with an
account that did not have permissions on the files, but that was part of the
Administrators group, all I had to do was take ownership, and then add the
account to the permissions on the files. Besides, there are other ways to
create, edit, and delete accounts. A user could access the User Accounts
applet in the Control Panel, or add the Computer Management snap-in to a
console--even when they don't have the permissions to run it directly--and
use it that way. So I'd like to find a more systemic solution, if possible.
Is there a way to make it so that an account that is part of the
Administrators group is completely locked out of the ability to create,
edit, and delete accounts? Likewise, is it possible to prevent accounts
belonging to the Administrators group from doing certain things, like
formatting the hard drive, so that those kinds of functions can be
restricted to a single account?
--Tom