AsAdeli said:
I have some application that they run with Local Administrator. I
add standard users to local administrator group to run this
application. Now, I need to limit this users to local administrator
Accessibility like install software, stop or start a service and
etc.
what am I must to do? can I limit this users by local group policy
or domain group policy?
Shenan said:
If they are Local Administrators - you are not going to be limiting
them very much on that particular machine. Whatever you do - they
can undo on the machine itself - after all - you chose to make them
local administrators.
You probably (depending on the application - and so few do not fall
into this category) could have changed registry and file/folder
permissions on some entries on the machine and never have given
them local administrative rights in order to run the application.
REGMON and FILEMON can help you pinpoint exactly what the
application in question accesses when ran.
But I want to limit accessibilities like start or stop services,
install software....
In the original post you said you added standard users to the local
administrators group and now you wanted to limit the local administrators
capability on the machine. If you do not want a user to be able to
start/stop services, install software, etc - do *not* put them in
*any*administrative level group... They must be "users".
When planning permissions/granting abilities - you start with the lowest and
GRANT what they need - not start with the highest and DENY what they
shouldn't have. If they have Local Administrative rights - whatever you
do - they can undo on that local machine...
