Prevent Power users from modifying Local SAM

Guest

Hello

I am trying to prevent Power users from creating, adding or modifying local
users and groups.


Thanks
Mike T
 
Guest

Sorry I forgot to post my environment.

My environment is a 2003 domain with Windows XP Pro SP2 and Windows 2000 Pro
SP4.

Thanks

MikeT
 
Guest

Update:

I applied Deny permissions for Power users on the file
c:\windows\system32\localsec.dll. It worked well for the GUI but the NET
Localgroup command still works.

Any ideas?

thanks
MikeT
 
Steven L Umbach

The power users group does have the capability to create new users and groups
and manage those that it creates. It would be best to not make a user a
member of the power users group if you do not want that to happen and try to
resolve why the user needs to be a power user without being a power user.
You could try to give power users deny permissions to net.exe, but I would
not consider that a foolproof solution, as if the user is determined he could
put another copy of net on the computer or possibly use a script to create
user accounts. Power users also have write access to most everywhere on the
operating system and can also create shares. --- Steve
 
Guest

Thanks for the quick response,

The group of people are testing an application for QA and must have
power user or admin level rights on a local machine to effectively certify the
application.

Is there a way to manually remove that right or

I guess another way of looking at it is: if I deleted the power users or
administrators group, how can I manually create a group equivalent to power
users or admin without the ability to modify the local SAM?

thanks

MikeT
 
Steven L Umbach

You can't recreate those groups exactly [not even close to administrators],
but if all the user needs is the proper file/folder/registry permissions
then you could configure that so that the user can have access. There is no
foolproof way to not allow power users to be able to create user accounts, as
it is hard coded into the operating system and not a user right/privilege.
You could try applying the compatws.inf security template to a test computer
to see if that works, which gives the users group the same file/registry
permissions as power users, and then in Local Security Policy give users the
same user rights as power users, which I believe would only be profile a
single system process and change system time. But having said that, if you are
obligated to do the testing as a power user or administrator you may have to
live with that and the associated inconveniences. --- Steve

http://support.microsoft.com/?kbid=269259 --- works for XP Pro also
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx
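
The compatws.inf test suggested in the reply above, written out as a batch script; this is an added example, not part of the original thread. It assumes the template is in its default location and uses a constructed working folder (`%SystemDrive%\sectest`). It applies only the file and registry areas of the template, so group membership is left as it is.

```batch
@echo off
rem Added example (not from the thread). Run as a local administrator
rem on a TEST computer, as the reply recommends.
setlocal

rem Default template location; WORKDIR and DB are constructed names.
set TEMPLATE=%SystemRoot%\security\templates\compatws.inf
set WORKDIR=%SystemDrive%\sectest
set DB=%WORKDIR%\compatws.sdb

if not exist "%TEMPLATE%" (
    echo Template not found: %TEMPLATE%
    exit /b 1
)
if not exist "%WORKDIR%" mkdir "%WORKDIR%"

rem 1. Record who is in Power Users before changing anything.
net localgroup "Power Users" > "%WORKDIR%\power-users-before.txt"

rem 2. Compare the machine with the template without changing it.
rem    Differences are written to analyze.log for review.
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%WORKDIR%\analyze.log" /quiet
echo Analysis finished with code %ERRORLEVEL%; see %WORKDIR%\analyze.log

rem 3. Apply only the file system and registry permissions from the
rem    template. GROUP_MGMT and USER_RIGHTS are left out, so group
rem    membership and user rights stay as they are.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /areas REGKEYS FILESTORE /log "%WORKDIR%\configure.log" /quiet
echo Configure finished with code %ERRORLEVEL%; see %WORKDIR%\configure.log

rem 4. Confirm membership is unchanged, then retest the application
rem    with an account that is only in the Users group.
net localgroup "Power Users" > "%WORKDIR%\power-users-after.txt"
fc "%WORKDIR%\power-users-before.txt" "%WORKDIR%\power-users-after.txt"

endlocal
```

The user rights mentioned in the reply are then assigned by hand in Local Security Policy, as described there.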
 
