alowing regular users (not power users) to change network settings and power options

S

Stephen M

We have a network of Windows 2K and XP pro workstations which are members of
a Win2003 domain.

When we migrated first set up this domain, we made everyone regular users.
Specifically because we did not want people installing programs. Cleaning up
spyware infections was getting to be a full-time job.

It solved the spyware problem, but locked people out of some functions that
they had a legitimate need to get into. Specifically, laptop users need to
occaisionally mess with their network settings and power options would be
nice as well.

Ideally, I would like this to allow this via the domain controller rather
than by administering individual machines.

Could someone point me in the right direction for accomplishing this?

Thanks,

Steve
 
P

Paul Williams [MVP]

With the XP systems, you can add the users to the Network Configuration
Operators local group.

For 2k I don't know. I'd look at all the rights that the aforementioned
group has and try configuring the same for a domain local group in the
lab...
 
H

Herb Martin

Stephen M said:
We have a network of Windows 2K and XP pro workstations which are members
of a Win2003 domain.

When we migrated first set up this domain, we made everyone regular users.
Specifically because we did not want people installing programs. Cleaning
up spyware infections was getting to be a full-time job.

This will not in general prevent installation of programs so it may
not even do what you wanted.

You pretty much have to use a tedious combination of Software
Restriction Groups AND careful NTFS permissions to prevent
installation of programs.
It solved the spyware problem, but locked people out of some functions
that they had a legitimate need to get into. Specifically, laptop users
need to occaisionally mess with their network settings and power options
would be nice as well.

Paul's idea (this thread) seemed helpful for the network portion.
Ideally, I would like this to allow this via the domain controller rather
than by administering individual machines.

Could someone point me in the right direction for accomplishing this?

You can grant rights to do certain task, or even permissions on Files
(but almost no one does that since it is so difficult to get correct) from
a GPO on the DCs. You can also put people into well-known local
groups (like Power Users) from a GPO by using Restricted Groups
(run the GPEdit from a workstation or non-DC server to see those
local groups however.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top