Reg. software installation privileges

Guest

Hi,

I am running Windows 2000 Advanced Server as a domain controller. I have around
50-60 users in the Active Directory server. I want to restrict the
installation of particular or any software on domain computers, even though the
user is a member of the domain admin group. Is it possible?

Any help will be greatly appreciated!

Thanks,
Rizwan
 
Guest

If the clients are running Windows XP you can look at using Software
Restriction policies.

Google this and see what you think.
 
mark

As a rule I highly disagree with restricting what Domain Admin users
can install or otherwise do, by GPO or any means. If you want to
restrict your users, your first step should be to take them out of
Domain Admins.
 
Guest

Hi mark,

Thanks for your advice!

I am running VSS 6.0 (Visual SourceSafe) on that server. If I take them
out of the domain admin group then VSS is not working for the clients.

Expecting your help

Thanks in advance
Rizwan
 
Guest

Hi paul,

I have XP clients in my network, so can you please tell me where I should
start for software restriction privileges in the domain controller?

Rizwan
 
mark

Are your users doing development work on DCs, or member
servers/workstations? You really shouldn't use domain admin membership
to grant them local administrative access to the systems they use for
development. Either add them individually to the local administrators
group on their development platforms, or create a domain group called
"VSS Developers" and add that group to your local administrators
groups.

Anyway, if you want to restrict the software that can be run by your
users, look into software restriction group policy. I'm including a
link to resources for understanding the process. Be very careful about
what you restrict and for whom, especially for administrators...

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
 
Guest

Hi Mark,


My development team are the users of the Active Directory domain controller. The team
is working on member workstations of the domain controller; also the ADC acts
as a file server.

Since they log in as domain users, how will I give local administrator
privileges for the machine?

Or please advise me how I should control the software restriction policy from
the domain controller level itself, so that I need not go to each and every
machine to set the restriction policies individually.


Thanks in advance!
Rizwan
 
mark

I am still not sure what administrative rights your developers need.

Usually, a developer only needs administrative rights on their local
workstation. In this case their domain user account can be added to the
local Administrators group on that workstation.

If the developer needs administrative rights on a server because they
are developing on that server, they can be added to the local
administrators group on that server.

If for some reason they are developing directly on a DC, they should be
working on their own isolated active directory environment in a
separate forest from your production environment. You can give them
administrative access to the local box by adding them to the domain
group "Administrators", which is effectively the local administrators
group for all DCs in the domain. However they wouldn't have
administrative access to the domain, which they probably need if
they're developing something that runs on a DC. Go ahead and put them
in the domain admins group, since they are in an isolated active
directory forest and can't hurt your production forest. But if they're
in an isolated forest, you shouldn't be worried about preventing them
from running any apps - which brings me back to the whole question of
why you need to do this in the first place?

The software restriction group policy, if you need it, should be
created from Group Policy Management Console and linked to an
Organizational Unit that only contains the computer accounts (or user
accounts) you wish it to apply to.
 
