Security help in XP

  • Thread starter Thread starter Andrew Diabo
  • Start date Start date
A

Andrew Diabo

I've deployed and upgraded my client's workstation to XP Pro. Its not
connected
to a domain server and it is stand-alone for now. The client wants to
achieve the
following:

a) Create a folder that has many sub-folders, but no users (except for
Administrators)
to delete any file or folder

b) Users are allowed full access to printers, scanners, driver install, etc.

I use Power Users as the group for the users. I created the folder in a) and
limited the
deletion of files to Administrators only. However, I found out that by doing
so, the
user are not able to rename folders such as in the case when they create a
new sub-folder.
How do you overcome this?

I added Load and Unload drivers in the Local Security polices to include
Power Users.
But they are still unable to view installed printers/scanners. How do I
overcome this?

Thanks for any help in advance.

Andrew
 
Andrew Diabo said:
I've deployed and upgraded my client's workstation to XP Pro. Its not
connected
to a domain server and it is stand-alone for now. The client wants to
achieve the
following:

a) Create a folder that has many sub-folders, but no users (except for
Administrators)
to delete any file or folder

b) Users are allowed full access to printers, scanners, driver install, etc.

I use Power Users as the group for the users. I created the folder in a) and
limited the
deletion of files to Administrators only. However, I found out that by doing
so, the
user are not able to rename folders such as in the case when they create a
new sub-folder.
How do you overcome this?
Click to expand...

You don't. The two objectives are in fundemental conflict.
If you grant them the ability to do this, even if only on the
subfolders they have created by use of a grant to Creator Owner
then they will be able to delete, which nullifies accomplishing
the initial objective.
I added Load and Unload drivers in the Local Security polices to include
Power Users.
But they are still unable to view installed printers/scanners. How do I
overcome this?
Click to expand...

No clue. However, note that it is ill-advised to grant the right to
load drivers to accounts in general. Loading drivers can lead to
system (security) compromise and/or instability.
 
Hi Roger,

Thanks for taking the time to respond.

As for my questions, do you suggest I use a third-party solution if any?

Thanks
Andrew
 
I would suggest discussion with client, to their technical
tolerance, explaining the options available with XP as it
is (or W2k for that matter is the same regarding these
requirements) since these come close to meeting their
first desire, and explaining why one really does not want
to delegate out driver installation (you can by use of the
user right) due to its security implications.
Provide them guidance in how to use what is there and
see if they will flex a little in their stated needs.

I am not much of a printer guy, so there may be a way to
tweak permissions on some reg keys so that the existing
drivers can be listed - I don't know.
 
Back
Top