User Rights Assignment

[Guest]

I have a laptop running WINXP Pro SP2 connected to a Windows 2003 AD Domain.
the default user assignment on the laptop is to the Power User Group. I have
one user that needs to have access to the comm ports to change some settings
to allow some of our locally developed software to access one of our locally
developed machines connected to that comm port. this particular user has
been known for abuse and I don't want to grant admin rights to him, but want
to give him the means to do his job. Is there any way a GPO might help in
this situation? Or, what might I do so that he doesn't change passwords and
such when I grant admin rights?

Thanks,
Terry

 

[Lanwench [MVP - Exchange]]

In

I have a laptop running WINXP Pro SP2 connected to a Windows 2003 AD
Domain. the default user assignment on the laptop is to the Power
User Group. I have one user that needs to have access to the comm
ports to change some settings to allow some of our locally developed
software to access one of our locally developed machines connected to
that comm port. this particular user has been known for abuse and I
don't want to grant admin rights to him, but want to give him the
means to do his job. Is there any way a GPO might help in this
situation? Or, what might I do so that he doesn't change passwords
and such when I grant admin rights?

Thanks,
Terry

What does he need to change in the COM port settings, and is this something
that needs to be changed, by him, on the fly?

And no, you can't prevent a local admin from much, if at all. Note that
Power Users in WinXP have way more rights than you may think - I hesitate to
use even that.

 

[Guest]

Apparently he needs to be able to load a driver for the attached equipment
using the comm port and to verify that it sets up as either Com1 or Com2. I
know I can give power user rights with an added assignment of add and remove
drivers in the local user rights assignments, is this all that would be
necessary?

Thanks,
Terry

 

[Lanwench [MVP - Exchange]]

In

Apparently

Apparently doesn't sound very official! Are you sure? Is he doing regular
testing for the developers, or something?

he needs to be able to load a driver for the attached
equipment using the comm port and to verify that it sets up as either
Com1 or Com2. I know I can give power user rights with an added
assignment of add and remove drivers in the local user rights
assignments, is this all that would be necessary?

Hmmm. Again, Power User is *almost* Administrator, in XP. I would see how
much you can do with him as a *user* - what happens if you add Users, or
another group, to "load and unload device drivers" ? Not sure if this will
work, but it should be easy to test. It's still way more than he should have
for basic use, but it's better than giving him more than basic User rights
elsewhere.

You might try posting in microsoft.public.windows.group_policy for more
expert advice -

 

[Guest]

Yes, every time he connects the new equipment to the port, and before he
starts the software he must check the ports. Sometimes the equipment uses
USb to serial adapters and he must ensure the right drivers are installed and
that the physical port he has connected to is COM1 or COM2, or whatever the
software needs it to be.

Terry

 

[Lanwench [MVP - Exchange]]

In

Yes, every time he connects the new equipment to the port, and before
he starts the software he must check the ports. Sometimes the
equipment uses USb to serial adapters and he must ensure the right
drivers are installed and that the physical port he has connected to
is COM1 or COM2, or whatever the software needs it to be.

OK - try the suggestion I made for device drivers & see what works.

Or, give him a standalone box for testing so he can do his damage on that
(image it regularly for backups/restores) - and lock down his regular
workstation as you would any other user's.

 

[Guest]

Just did that locally. Created a user in Power Users group and assigned load
and unload drivers rights to him. Has all devices not greyed out and can
access the ports, but cannot change permissions, so this worked! Thanks.

 

[Lanwench [MVP - Exchange]]

In

Just did that locally. Created a user in Power Users group and
assigned load and unload drivers rights to him. Has all devices not
greyed out and can access the ports, but cannot change permissions,
so this worked! Thanks.

What happens if you take him out of Power Users & add Users to the rights
you did there?

Remember, power user is *almost* administrator !