Power User Privilages XP/2000

[Guest]

Is there anyway to modify Group Policies for Power Users on both XP and 2000?
The only thing I've been able to find on XP is in the Local Security
Settings, but wat I'm looking for isn't in there. I want to be able to
modify Power Users so that they aren't able to create user accounts and or
change accounts to a higher access account (i.e. admin). I understand that
if I wanted to do that I should just make a user account, but then the user
account doesn't have sufficient privilages.

If you understand what I'm trying to get at, any help would be appreciated.

 

[Roger Abell [MVP]]

Is there anyway to modify Group Policies for Power Users on both XP and
2000?
The only thing I've been able to find on XP is in the Local Security
Settings, but wat I'm looking for isn't in there. I want to be able to
modify Power Users so that they aren't able to create user accounts and or
change accounts to a higher access account (i.e. admin). I understand
that
if I wanted to do that I should just make a user account, but then the
user
account doesn't have sufficient privilages.

If you understand what I'm trying to get at, any help would be
appreciated.

You understand correctly. Some grants to PU may are
wired beyond normal means of configurability.

What is insufficient with a limited account?
That can often be worked out.

Roger

 

[Guest]

You understand correctly. Some grants to PU may are
wired beyond normal means of configurability.

What is insufficient with a limited account?
That can often be worked out.

Roger

Well here's the deal. I've been trying to configure the settings on my
Domain Controller by creating a group called "PowerTester". What I want that
group to do is have the rights of the PU group except be able to config Users
and add Users. Now, with all my tinkering, I have yet to figure out how I
can be able to do this. I've spent half a day looking in the GPO, but to
no-avail.

Now, my question would be, is there any possible way for me to create a
group that has all the rights as a PU <i>except</i> rights to the User Accout
settings section?

Thanks in Advance,
Ben Chi

 

[Roger Abell [MVP]]

Well here's the deal. I've been trying to configure the settings on my
Domain Controller by creating a group called "PowerTester". What I want
that
group to do is have the rights of the PU group except be able to config
Users
and add Users. Now, with all my tinkering, I have yet to figure out how I
can be able to do this. I've spent half a day looking in the GPO, but to
no-avail.

Now, my question would be, is there any possible way for me to create a
group that has all the rights as a PU <i>except</i> rights to the User
Accout
settings section?

Thanks in Advance,
Ben Chi

Ben,

There is no way. Server Operator carries some things, but
no, I do not know of a way to do that. I believe MS has not
invested effort to make it possible since, on a domain controller,
giving out more than just user (like allowing right to install
software or drivers) is essentially giving away enough to let
that account make itself a Domain Admins member.
Now, you can make the account a member of Administrators
in the domain and that gives them full control over the DC,
but not over AD (and hence its users and groups).

There is a chance that what you were saying is that you
want to make some account(s) like Power Users on some
set of client systems, rather than saying you want to make
them have these rights on the DC(s). The same comments
apply, that PU allows elevation to admin; but you could
use GPO settings to make a custom group of domain users
members of PU on that set of machines.

Roger

 

[Guest]

Thanks for all your Help Roger,

Quick question, there's no way to take compmgmt.msc privliages away from
Power users?

 

[Roger Abell [MVP]]

Thanks for all your Help Roger,

Quick question, there's no way to take compmgmt.msc privliages away from
Power users?

Interesting question, from a couple angles.
First, although group policy allows one to control mmc tools
available to users, differentially by which users, Power Users
however is the machine local Power Users the membership of
which is neither always only domain account nor predictable.
Second, compmgmt.msc is actually a collection of other mmc
snapins which the accounts could access by building custom
mmc consoles and adding them.
Third, if the specific capabilities that you want them to not
have, and from which you ask about disallowing compmgmt.msc
access, are granted to them as Power Users, then they could
easily find other ways to do most things (script, third-party
tools/utilities, reskit, etc.).
So, in short, no, I do not believe there is a simple way to
get to what I think is your objective. Software restriction
policy and use of the group policy settings that control mmc
tool availability could get you part way there, but with some
major effort.

 

[Guest]

Thanks Roger...

Quick question...

Can I set up a group to just be able to do everything but mess with the user
accounts?

 

[Guest]

Or, how would I modify the user group to just be able to install software?