Custom user group in windows XP

Guest

Hello everybody

My users' domain accounts are in the local administrators groups of their
local XP PCs.
I want to move the domain accounts from local administrators to a group
where they can still install ALL software, change the system time, install
windows updates, and all other user tasks
BUT
that they do not have the right to change the domain membership, create new
local users, add (or remove) users to the local admins user group.

Power users cannot install all software (rising to most software for some
users) so that isn't a solution. Really, it's not.

I believe I need to create a new custom local group on each PC, add the
users' domain accounts to it and somehow grant that account enough rights to
do the above tasks, whilst denying them the rights to change domain
membership, etc.

N.B. We (will soon!) have a 2003 domain for group policies, etc.

How do I go about assigning these rights to a custom local group?
How do I automate this for 250 XP PCs?

Thanks in advance

Andy.
 
Steven L Umbach

What you want to do is not possible. They will need to be local
administrators from your description. Having said that you can use Group
Policy to restrict enough access to even the local administrator to deter
all but the most skilled and determined users. For instance you can block
access to mmc snap-ins, the registry, the command prompt, etc. and use
Software Restriction Policies to restrict what a user can install and run on
their computer, though a local administrator can bypass SRP by booting into
safe mode if they know such. Also any .msi software packages can be assigned
or published via Group Policy so that they can be installed by the
"computer" or user even if they do not have any elevated privileges
normally. --- Steve
 
Guest

Thanks for your reply.

Andy

Steven L Umbach said:
What you want to do is not possible. They will need to be local
administrators from your description. Having said that you can use Group
Policy to restrict enough access to even the local administrator to deter
all but the most skilled and determined users. For instance you can block
access to mmc snap-ins, the registry, the command prompt, etc. and use
Software Restriction Policies to restrict what a user can install and run
on their computer, though a local administrator can bypass SRP by booting
into safe mode if they know such. Also any .msi software packages can be
assigned or published via Group Policy so that they can be installed by
the "computer" or user even if they do not have any elevated privileges
normally. --- Steve
 
