restrict power user

Arc J. Thames · Dec 22, 2004

Does anyone know what group policy setting or a registry change that I could
make to prevent a power user from creating user accounts?

Arc J. Thames
MCSE/MCSA 2k/2k3 MCT

Jimmy Andersson [MVP] · Dec 22, 2004

Set permissions in AD, depending on your design hierarchy you can be very
granular on what a user can and can't do.

Regards,
/Jimmy

Herb Martin · Dec 22, 2004

Jimmy Andersson said:
Set permissions in AD, depending on your design hierarchy you can be very
granular on what a user can and can't do.

Except the Power User group is strictly a Computer
local group and so any accounts being created by
members of that group would necessarily be on
the individual computers.

There is likely no (convenient) way to have a
Power User privileges decreased so the answer
becomes "remove them from Power Users" and
perhaps use the CompatWS.inf Security Template
to relax the restrictions.

Or he should tell us the reason they were made
Power Users to start.

Ryan Hanisco · Dec 22, 2004

Arc,

I was looking through the KB articles trying to come up with an answer -- I
was first thinking this could be done with one of the Local Security Policy
settings but I am not finding it. I did find a good article on exactly
what a Power User has rights to
(http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/secur
ity/secdefs.mspx#ECAA)

but nothing that specifically addresses your problem. Sorry. Anyone else?

Ryan Hanisco · Dec 22, 2004

Ok... reading that further answers the question... you can't:

[Power Users can]Create local users and groups.

. Modify users and groups that they have created.

. Create and delete non-admin file shares.

. Create, manage, delete and share local printers.

All other additional rights, such as Change System Time, or Stop and Start
non-autostarted services, can be reconfigured for the Power User by
modifying the appropriate user rights or configuring the appropriate ACL.

Since there is no way to disable the built-in permissions allotted to Power
Users, administrators who need to support non-certified legacy applications
must loosen up the permissions allotted to members of the Users group to the
point where their installed base of applications can be successfully run.
The Windows 2000 operating system includes a security template for precisely
this purpose. The template is named compatws.inf and can be found in the
%windir%\security\templates directory. The template can be applied to a
system using the Security Configuration Toolset. For example, the
secedit.exe command line component of the Toolset can apply the template as
follows:

Remote Service Restart	1	Apr 12, 2006
Password Export error ADMT 3	1	Oct 29, 2008
Software Restriction	1	Apr 3, 2006
Restrict users to save on desktop using Group policy	4	May 7, 2007
Restricted Users Changing Power Scheme	3	Dec 1, 2007
Group Policy to allow user to run program without bring local admi	10	Dec 6, 2004
IPad Multiple Users	0	May 3, 2022
Group Policy Not Working for just one user...	1	Apr 8, 2008

restrict power user

Arc J. Thames

Jimmy Andersson [MVP]

Herb Martin

Ryan Hanisco

Ryan Hanisco

Ask a Question

Similar Threads